* [gentoo-hardened] mysql-apache-php
[not found] <200601210401.k0L41P9p005767@robin.gentoo.org>
@ 2006-01-27 0:30 ` James Smith
2006-01-27 5:39 ` Rumen Yotov
2006-01-27 6:34 ` [gentoo-hardened] mysql-apache-php James Smith
1 sibling, 1 reply; 4+ messages in thread
From: James Smith @ 2006-01-27 0:30 UTC (permalink / raw
To: gentoo-hardened
I'm having difficulty allowing Apache to talk with MySQL. The logs show my
policy denying access. Can a policy guru help me with this issue?
Thanks.
James Smith
CT Networks
ctnetworks.ca
--
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] mysql-apache-php
From: Rumen Yotov @ 2006-01-27 5:39 UTC
To: gentoo-hardened
On (26/01/06 17:30), James Smith wrote:
> I'm having difficulty allowing Apache to talk with MySQL. The logs show my
> policy denying access. Can a policy guru help me with this issue?
>
> Thanks.
>
> James Smith
> CT Networks
> ctnetworks.ca
> --
> gentoo-hardened@gentoo.org mailing list
>
Hi,
Which one of all hardened projects are you using (grsec, RSBAC, SELinux)?
What is in the logs (on screen)?
Rumen
* [gentoo-hardened] Re: mysql-apache-php
From: James Smith @ 2006-01-27 6:34 UTC
To: gentoo-hardened
Jan 26 16:30:29 [kernel] audit(1138318229.114:51): avc: denied { search }
for pid=4137 comm="apache2" name="mysqld" dev=hda3 ino=269837
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:mysqld_var_run_t tclass=dir
Jan 26 16:30:46 [kernel] audit(1138318246.947:54): avc: denied
{ name_connect } for pid=20815 comm="apache2" dest=80
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t
tclass=tcp_socket
Here are the two that seem to be most common.
Thanks again.
James
* Re: [gentoo-hardened] Re: mysql-apache-php
From: Mivz @ 2006-01-27 8:28 UTC
To: gentoo-hardened
James Smith wrote:
>Jan 26 16:30:29 [kernel] audit(1138318229.114:51): avc: denied { search }
>for pid=4137 comm="apache2" name="mysqld" dev=hda3 ino=269837
>scontext=system_u:system_r:httpd_t
>tcontext=system_u:object_r:mysqld_var_run_t tclass=dir
>Jan 26 16:30:46 [kernel] audit(1138318246.947:54): avc: denied
>{ name_connect } for pid=20815 comm="apache2" dest=80
>scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t
>tclass=tcp_socket
>
>Here are the two that seem to be most common.
>
>Thanks again.
>
>James
>
>
I think your problem lies somewhere else. I see httpd_t tries to access
the mysql server. This is, I think, because you use mod_php. mod_php
runs within the apache memory space. So this is why it looks like
apache is trying to access mysql.
This is not secure. To overcome this, you can run php as a cgi program.
This is slower, but then apache will exec php the proper way, which causes
the php to run in the php_t. And the php_t should have access to the
mysqld_var_run_t (probably the mysqld.sock). Then you can also use
suexec2 to run the scripts as proper users and not as the apache user.
Mivz
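An added example, not part of this thread: a small Python parser for SELinux AVC lines like the two James posted, which pulls out the source domain, target type, object class and the denied permissions and aggregates them per (domain, type, class). That is exactly the information needed to judge a denial, and it makes Mivz's point visible: both denials carry the httpd_t source domain because mod_php runs inside the Apache process, so the policy sees PHP's MySQL access as Apache's. The two sample lines are reconstructed from the posted log with the wrapped fragments rejoined; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two AVC lines from the thread, each rejoined onto one line.
SAMPLE_LOG = """\
Jan 26 16:30:29 [kernel] audit(1138318229.114:51): avc: denied { search } for pid=4137 comm="apache2" name="mysqld" dev=hda3 ino=269837 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_var_run_t tclass=dir
Jan 26 16:30:46 [kernel] audit(1138318246.947:54): avc: denied { name_connect } for pid=20815 comm="apache2" dest=80 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str
    permissions: List[str]
    source_domain: str          # type part of scontext, e.g. httpd_t
    target_type: str            # type part of tcontext, e.g. mysqld_var_run_t
    tclass: str                 # object class, e.g. dir or tcp_socket
    comm: Optional[str]
    pid: Optional[int]
    fields: Dict[str, str] = field(default_factory=dict)


def _type_of(context: str) -> str:
    """An SELinux context is user:role:type[:level]; return the type field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one kernel/audit log line; return None if it carries no AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(
        verdict=m.group("verdict"),
        permissions=m.group("perms").split(),
        source_domain=_type_of(fields.get("scontext", "")),
        target_type=_type_of(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
        comm=fields.get("comm"),
        pid=int(fields["pid"]) if fields.get("pid", "").isdigit() else None,
        fields=fields,
    )


def parse_log(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def summarize(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Union of denied permissions per (source domain, target type, class)."""
    summary: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        if r.verdict != "denied":
            continue
        summary.setdefault((r.source_domain, r.target_type, r.tclass), set()).update(r.permissions)
    return summary


def describe(r: AvcRecord) -> str:
    """One-line reading of a denial for triage notes."""
    who = f"{r.comm or '?'}[{r.pid}] in domain {r.source_domain}"
    if r.tclass == "tcp_socket" and "name_connect" in r.permissions:
        # name_connect on a port type means an outbound TCP connect to that labelled port.
        return f"{who} was denied an outbound TCP connect to port {r.fields.get('dest')} labelled {r.target_type}"
    obj = r.fields.get("name") or r.fields.get("path") or "?"
    return f"{who} was denied {' '.join(r.permissions)} on {r.tclass} '{obj}' labelled {r.target_type}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(describe(rec))
    for (src, tgt, cls), perms in summarize(recs).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```

Run as a script it prints one triage line per denial and then the per-tuple summary; on the thread's two lines both tuples start with httpd_t, which is the observation Mivz builds on. Feeding it a full log lets you see at a glance which domain/type pairs recur before touching policy.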