30

I'd like to for once leave SELinux running on a server for the alleged increased security.
I usually disable SELinux to get anything to work.
How do I tell SELinux to allow MySQL connections?
The most I've found in the documentation is this line from mysql.com:

If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process.

wow ... that's really helpful.

ZygD
xivix
  • Please provide all of the following information for us to have a chance of helping you. 1. Linux Distro and Version, 2. MySQL version and installation source, 3. AVC log entries from a denied connection, 4. Relevant MySQL logs, if any, 5. The output of `getsebool -a | grep mysql`, 6. Exact steps you have taken to reproduce this – hobodave Feb 24 '11 at 23:25

6 Answers

57

To check SELinux

sestatus

To see what flags are set on httpd processes

getsebool -a | grep httpd

To allow Apache to connect to remote database through SELinux

setsebool httpd_can_network_connect_db 1

Using the -P option makes the change permanent. Without this option, the boolean would be reset to 0 at reboot.

setsebool -P httpd_can_network_connect_db 1
Chris0
Punjab
2

Do you get an error? What flavor of linux are you using? Security context is a good place to start if you are getting an error. ls -Z will give context... But your question is very vague.

  • I am connecting from a windows box. There is no error ... the connection is just refused and the page times out. I know if I turn off selinux everything will be fine. –  Feb 24 '11 at 21:17
  • since the connection is incoming from a windows box, ls -Z only gives me info about the files in whatever directory I'm in on the linux box. –  Feb 24 '11 at 21:18
  • In my question above I cited a mysql reference ... which said to disable selinux protection for the mysqld process ... but it doesn't say how to do that :( Nor can I find out how. –  Feb 24 '11 at 21:20
  • Anything in the logs on the linux box? selinux can stop httpd from making a socket connection... –  Feb 24 '11 at 21:35
  • Nothing in messages or secure logs ... is there a particular log you had in mind? –  Feb 24 '11 at 21:46
  • On the linux box: $ locate my.cnf -> sudo cat my.cnf; in there you should see something like log-error=/path/to/log/mysqlerror.log, that is the log I am talking about. Do a sudo cat on that log and we may get a better starting point for your error. –  Feb 24 '11 at 22:12
  • oh ... those are the mysql logs ... mysql is never seeing the connection because selinux is stopping it ... I thought you meant some kind of selinux logs. I know where the mysql logs are ... there's no mention of an error in those logs. –  Feb 24 '11 at 22:15
  • oh ... and I'm using Fedora –  Feb 24 '11 at 22:22
2

Apparently configuring selinux isn't trivial. You may wish to start here.

setenforce 0

puts selinux into permissive mode, where it allows anything but logs what it's allowing. A reboot or

setenforce 1

returns to blocking whatever the policy doesn't permit.

Check out these selinux policy docs for mySQL in Fedora.

Paul
2

You can build a local policy too:

"You can generate a local policy module to allow this access. Do allow this access for now by executing:"

grep httpd /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

or enable it globally for the current session:

setsebool httpd_can_network_connect_db 1

or permanent:

setsebool -P httpd_can_network_connect_db 1
Raffaello
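The two answers above (set the httpd_can_network_connect_db boolean, or grep the audit log for httpd denials) leave out the step of confirming that the AVC records actually show httpd_t being refused a connection to the MySQL port before you change anything. The script below is an added example, not code from the thread: it triages audit-log text for exactly that denial and prints the persistent fix from the first answer. The AVC lines in SAMPLE_AUDIT_LOG are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): look for the SELinux denial that stops
# Apache (httpd_t) from connecting to the MySQL port (mysqld_port_t) and report
# the boolean that allows it. The sample audit log below is constructed.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1298585000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1298585001.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1298585002.789:458): avc:  granted  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# count_db_connect_denials LOGTEXT
# Prints how many AVC records are httpd_t being *denied* name_connect on a
# tcp_socket labelled mysqld_port_t. Granted records and unrelated httpd
# denials (e.g. reading a file in user_home_t) are not counted, so they do
# not lead to an unnecessary boolean change.
count_db_connect_denials() {
    printf '%s\n' "$1" | awk '
        /^type=AVC/ && /denied/ && /name_connect/ &&
        /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:mysqld_port_t:/ &&
        /tclass=tcp_socket/ { n++ }
        END { print n + 0 }'
}

# suggested_fix LOGTEXT
# Prints the persistent setsebool command from the accepted answer when the
# httpd -> mysqld denial is present, otherwise "none" (the problem is then
# something else, e.g. the firewall, as another answer suggests).
suggested_fix() {
    if [ "$(count_db_connect_denials "$1")" -gt 0 ]; then
        echo "setsebool -P httpd_can_network_connect_db 1"
    else
        echo "none"
    fi
}

# Stand-alone run against the constructed sample. On a real host you would
# pass the real log instead: suggested_fix "$(cat /var/log/audit/audit.log)"
suggested_fix "$SAMPLE_AUDIT_LOG"
```

Before applying the printed command, `getsebool httpd_can_network_connect_db` tells you whether the boolean is already on, in which case the denial has a different cause.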
1

The ausearch command can help find the error log.

jscott
vnix27
1

Are you sure it's selinux? Normal connections from outside should be allowed by selinux. So it could also be the firewall. If you have local services trying to connect to mysqld, that's something different: http://docs.fedoraproject.org/en-US/Fedora/13/html/Managing_Confined_Services/sect-Managing_Confined_Services-MySQL-Booleans.html

AndreasM