
So I have chrooted MySQL into /opt/chroot/mysql, and everything runs fine. Apache is configured normally, and also runs fine.

I created a small PHP script which connects to the MySQL Daemon, and configured PHP so that the default socket used is the chrooted one. When SELinux is disabled, the script is able to connect fine. However, when SELinux is enabled, the script fails to connect (with error number 13), and the audit log tells me that SELinux denied the request.

Every tutorial I've found that deals with this problem tells me to disable SELinux. This is not what I want to do, so please don't suggest it! I want a solution that works whilst SELinux is enabled...I assume one must exist...

I'd guess that I probably have to change the SELinux contexts for the mysql files, but I'm not sure what to change them into to make it work.

Rsaesha

1 Answer


UPDATE 2

type=AVC msg=audit(1318863312.959:435): avc: denied { connectto } for pid=12472 comm="httpd" path="/opt/chroot/mysql/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

You can build the custom SELinux policy module by following these steps:

# grep httpd_t audit.log | audit2allow -m httpd > httpd.te
# checkmodule -M -m -o httpd.mod httpd.te
# semodule_package -m httpd.mod -o httpd.pp 
# semodule -i httpd.pp

Refer to this topic for more details.


UPDATE

  1. Run the semanage command to add a context mapping for /opt/chroot/mysql/var/lib/mysql/:

    # semanage fcontext -a -t mysqld_db_t "/opt/chroot/mysql/var/lib/mysql(/.*)?"
    
  2. Then use the restorecon command to apply this context mapping:

    # restorecon -Rv /opt/chroot/mysql/var/lib/mysql
    

If you are connecting via TCP/IP, try this:

# setsebool -P httpd_can_network_connect 1
quanta
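As an added example (not part of quanta's answer or of the original page), the following POSIX shell script parses an AVC denial of the form quoted above and renders the equivalent allow rule, so the policy can be read before it is compiled with checkmodule and semodule_package. It also flags the detail worth noticing in this particular denial: the socket's target type is unconfined_t rather than mysqld_t, which means the chrooted mysqld is not running in the mysqld_t domain, and the rule audit2allow derives from it lets httpd_t connect to any unconfined_t unix stream socket, not only MySQL's. The function names are my own; the sample line is the one quoted in the comments and is embedded here as constructed test input.

```shell
#!/bin/sh
# Added example: review an AVC denial before turning it into an allow rule.
# Not the original answer's code; function names are hypothetical.

# Constructed sample: the denial quoted in the question's comments.
SAMPLE_AVC='type=AVC msg=audit(1318863312.959:435): avc: denied { connectto } for pid=12472 comm="httpd" path="/opt/chroot/mysql/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket'

# avc_field LINE KEY: print the value of KEY=value, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_permission LINE: print the permission(s) between "{" and "}".
avc_permission() {
    printf '%s\n' "$1" | awk -F'[{}]' '{ gsub(/^ +| +$/, "", $2); print $2 }'
}

# ctx_type CONTEXT: the type field of user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the type-enforcement rule equivalent to what audit2allow
# would emit for this denial.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perm=$(avc_permission "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perm"
}

# review_target LINE EXPECTED_TYPE: "ok" when the denied target runs in the
# expected domain; otherwise explain why the rule would be broader than intended.
review_target() {
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$tgt" = "$2" ]; then
        echo "ok"
    else
        echo "target is $tgt, expected $2"
    fi
}

# allow_rules_for DOMAIN < audit.log: deduplicated rules for every denial whose
# source type is DOMAIN, mirroring `grep DOMAIN audit.log | audit2allow`.
allow_rules_for() {
    while IFS= read -r line; do
        case $line in
            *avc:*denied*) ;;
            *) continue ;;
        esac
        [ "$(ctx_type "$(avc_field "$line" scontext)")" = "$1" ] || continue
        avc_to_allow "$line"
    done | sort -u
}

# Stand-alone demonstration on the constructed sample.
avc_to_allow "$SAMPLE_AVC"
review_target "$SAMPLE_AVC" mysqld_t
```

Running the script prints `allow httpd_t unconfined_t:unix_stream_socket { connectto };` followed by `target is unconfined_t, expected mysqld_t`. The second line is the point of the review: a rule keyed on unconfined_t is wider than one keyed on mysqld_t, so when the .te file shows an unexpected target type it is worth asking why the daemon is not in its own domain before installing the module.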
  • Alas, I'm connecting to a local socket. You'd think the solution should be easier for local sockets... – Rsaesha Oct 17 '11 at 11:18
  • There's a more specific sebool for this, actually: `# setsebool -P httpd_can_network_connect_db 1` – jgoldschrafe Oct 17 '11 at 13:02
  • Well I ran the context mapping command, and it changed all the contexts fine. I also ran both the setsebool commands, and they ran fine too. The PHP page still displays the error: "Can't connect to local MySQL server through socket '/opt/chroot/mysql/var/lib/mysql/mysql.sock' (13)", even when I restarted both MySQL and Apache. – Rsaesha Oct 17 '11 at 14:56
  • Also, the audit log reports this error: `type=AVC msg=audit(1318863312.959:435): avc: denied { connectto } for pid=12472 comm="httpd" path="/opt/chroot/mysql/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket` – Rsaesha Oct 17 '11 at 15:00
  • Change the above commands to corresponding datadir `/opt/chroot/mysql/var/lib/mysql/` and try again. – quanta Oct 17 '11 at 15:42
  • Thanks, your second update (with custom SE policy) worked perfectly! – Rsaesha Oct 17 '11 at 15:50
  • +1. Was able to use the custom SELinux policy package build steps to solve my problem @ http://serverfault.com/questions/433726/selinux-allow-multiple-services-access-to-same-home-dir – Mike Purcell Oct 01 '12 at 22:57
  • [mysql selinux](https://blogs.oracle.com/jsmyth/selinux-and-mysql) would indicate that `semanage fcontext -a -t mysqld_db_t "/opt/chroot/mysql/var/lib/mysql(/.*)?" && restorecon -Rv /opt/chroot/mysql/var/lib/mysql` would be a simpler approach. – danblack Sep 22 '18 at 03:32