From: rfkrocktk@gmail.com (Naftuli Tzvi Kay)
Date: Wed, 26 Oct 2016 11:03:32 -0700
Subject: [refpolicy] Allow HTTPD to connect to SQL via UNIX socket
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Craig, please see below:

$ sudo sesearch --allow -s httpd_t -t mysqld_var_run_t | head
Found 7 semantic av rules:
allow httpd_t mysqld_var_run_t : dir { getattr search open } ;
allow httpd_t mysqld_var_run_t : sock_file { write getattr append open } ;
allow httpd_t file_type : filesystem getattr ;
allow httpd_t file_type : dir { getattr search open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;

This was run on RHEL 7.2. I'm not sure if refpolicy has this, but I believe it does.

Thanks,
- Naftuli Kay

On Wed, Oct 26, 2016 at 9:41 AM, Craig Finch via refpolicy wrote:
> I haven't found any existing SELinux configuration that would allow HTTPD to
> connect to MySQL via a UNIX socket. We have created a custom policy that
> allows this connection, but I want to make sure that we aren't "reinventing
> the wheel."
>
> 1. Is there an existing combination of booleans and/or contexts that would
> allow HTTPD to connect to a local UNIX socket?
> 2. If not, do you have any feedback on our custom policy (included at the
> end of this message)?
>
> To be specific, I have a CentOS 7 instance that is running Apache and Cloud
> SQL Proxy on Google Compute Engine. Apache connects to the proxy via a UNIX
> socket on localhost, and the proxy connects to Google Cloud SQL. I know that
> the proxy is able to connect to Cloud SQL, but Apache is denied from
> connecting to the proxy on the UNIX socket.
>
> The error message is:
>
> type=SYSCALL msg=audit(1477499164.189:16817): arch=c000003e syscall=42
> success=no exit=-13 a0=b a1=7ffdb42bef20 a2=32 a3=4 items=0 ppid=6868
> pid=7394 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1477499164.189:16817): avc: denied { write } for
> pid=7394 comm="httpd" name="REDACTED" dev="sda1" ino=17918851
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=sock_file
>
> The custom policy:
>
> ## Start httpdsockpolicy.te
>
> module httpdsockpolicy 1.0;
>
> require {
>     type httpd_t;
>     type default_t;
>     class sock_file write;
> }
>
> #============= httpd_t ==============
> allow httpd_t default_t:sock_file write;
>
> # End httpdsockpolicy.te
>
> --
> Craig Finch
> Principal Consultant
> Rootwork InfoTech LLC
> Direct Phone: 321.209.8088
> Rootwork Phone: 321.209.2447
> www.rootwork.it
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
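Added example, not code from the thread or from refpolicy: a small Python triage helper that parses the AVC denial Craig quoted and the sesearch rules Naftuli posted, and reports whether an existing target type (here mysqld_var_run_t) already grants the denied permission to httpd_t, in which case relabeling the socket is the fix rather than a new allow rule on default_t. The sample records are copied from this message, the socket path is a placeholder because the name is redacted in the audit record, and the semanage/restorecon pair is the usual relabel idiom, not something the thread prescribes.

```python
import re
# Constructed sample, copied from the AVC record quoted in the thread (name redacted there too)
AVC_LINE = ('type=AVC msg=audit(1477499164.189:16817): avc: denied { write } for pid=7394 '
            'comm="httpd" name="REDACTED" dev="sda1" ino=17918851 scontext=system_u:system_r:'
            'httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file')
# Constructed sample, the first lines of the sesearch output shown in the reply
SESEARCH_OUTPUT = """Found 7 semantic av rules:
allow httpd_t mysqld_var_run_t : dir { getattr search open } ;
allow httpd_t mysqld_var_run_t : sock_file { write getattr append open } ;
allow httpd_t file_type : filesystem getattr ;
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?scontext=(?P<sctx>\S+)'
                    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;')

def parse_avc(line):
    """Extract source type, target type, object class and the denied permission set."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    return {"perms": set(m.group("perms").split()),
            "stype": m.group("sctx").split(":")[2],  # user:role:type:level -> type
            "ttype": m.group("tctx").split(":")[2],
            "tclass": m.group("tclass")}

def parse_allow_rules(text):
    """Turn 'allow S T : C { p1 p2 } ;' lines into (S, T, C, {perms}) tuples."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            perms = m.group(4).split() if m.group(4) else [m.group(5)]
            rules.append((m.group(1), m.group(2), m.group(3), set(perms)))
    return rules

def types_that_grant(avc, rules):
    """Target types already allowed every denied permission for this source and class."""
    return sorted({t for s, t, c, p in rules
                   if s == avc["stype"] and c == avc["tclass"] and avc["perms"] <= p})

def triage(avc_line, sesearch_text):
    """Prefer relabeling the object over a new allow rule when an existing type fits."""
    avc = parse_avc(avc_line)
    fits = types_that_grant(avc, parse_allow_rules(sesearch_text))
    if fits:  # SOCKET_PATH is a placeholder; the real path is redacted in the thread
        return ("relabel", fits[0], "semanage fcontext -a -t %s 'SOCKET_PATH' && "
                "restorecon -v 'SOCKET_PATH'" % fits[0])
    perms = " ".join(sorted(avc["perms"]))
    return ("allow", avc["ttype"], "allow %s %s:%s { %s };" % (avc["stype"], avc["ttype"], avc["tclass"], perms))
```

Feed it the real `sesearch --allow -s httpd_t -c sock_file` output instead of the constructed sample to check other candidate types.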