Apache and MySQL settings in SELinux

Source: Internet
Author: User
Tags: log, connect, mysql, socket, access, mysql database, linux

Fedora Core 3 enables SELinux by default at installation time. SELinux adds mandatory access control on top of the normal Linux permission model: in theory, a service compromised through an unknown vulnerability (a buffer overflow, say) stays confined to its own domain, so an attacker cannot simply turn that foothold into superuser privileges. However, precisely because of this extra layer, SELinux causes problems we have never run into before.

I ran into some of them the other day while building a PHP+MySQL web server on Fedora Core 3. Here is a write-up; if you hit the same problems, this article should make them easy to solve.

1. Apache: "Document root must be a directory"

The same root cause can also show up as a 403 Forbidden response.

Description of the phenomenon:

Instead of the system default /var/www/html, create a new directory for the document root, point DocumentRoot in /etc/httpd/conf/httpd.conf at it, and restart the Apache daemon. Apache fails to start with the error:

Document root must be a directory

But the DocumentRoot we configured really is a directory, and the apache user has read permission on it.

Another scenario: a newly created virtual directory or file cannot be accessed. Apache answers 403 Forbidden even though the file or directory is readable.

The cause of the problem:

My first instinct was that this is a permissions problem, but by the traditional Linux (DAC) rules the permissions are fine. Which raises the question: does SELinux impose further restrictions of its own?

Check the AVC messages in /var/log/messages. There is an entry like the following:

Dec 17:54:59 hostname kernel: audit(1098222899.827:0): avc: denied { getattr } for pid=19029 exe=/usr/sbin/httpd path=/var/www/html/about.html dev=dm-0 ino=373900 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file

There it is: the new SELinux behaviour is the culprit. The directory or file carries the user_home_t type (typically because it was created in, or moved from, a home directory; mv keeps the original label), so the Apache process, which runs in the httpd_t domain, is not allowed to touch it. The targeted policy only lets httpd_t read content labeled with the httpd types, above all httpd_sys_content_t; user_home_t is not among them, and the DAC read bit makes no difference.

Solution:

The fix is simply to change the policy type of the directory or file to httpd_sys_content_t.

As root (add -R to relabel a directory tree):

# chcon -R -t httpd_sys_content_t <directory or file name>

Then check the policy type of the files and directories with:

# ls -laZ <directory or file name>

Two caveats. First, chcon survives a reboot but not a relabel (restorecon, fixfiles, or a /.autorelabel run resets the label to what the file-context configuration says), so on releases that ship semanage, record a permanent rule with "semanage fcontext -a -t httpd_sys_content_t '/path/to/docroot(/.*)?'" and apply it with "restorecon -R". Second, only relabel content you actually intend Apache to serve: an AVC denial outside the web root is SELinux doing its job, and relabeling the target to make the message go away defeats the confinement.
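The triage just described (read the AVC line, look at the source domain, target type, class and path, then decide whether a relabel is the right answer) as an added example; this is not code from the original article, and the log lines it runs on are constructed to match the message format shown above, not captured from a real system. The sample includes a content denial like the one in this section, a socket denial of the kind met with MySQL in section 2 (which is reported but deliberately not "fixed" with chcon), and a denial on /etc/shadow that must be left alone:

```bash
#!/bin/sh
# Added example (not from the original article): triage FC3-style AVC
# denials for httpd and print a remediation for each. Field names
# (scontext, tcontext, tclass, path, name, the "{ perm }" braces) follow
# the log excerpt in the article; the sample lines are constructed.

# Constructed sample log: a web-content denial, a socket denial of the kind
# seen with MySQL, a denial that must NOT be fixed by relabeling, and an
# unrelated kernel line.
SAMPLE_LOG='Dec 17:54:59 hostname kernel: audit(1098222899.827:0): avc: denied { getattr } for pid=19029 exe=/usr/sbin/httpd path=/var/www/html/about.html dev=dm-0 ino=373900 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Dec 17:55:02 hostname kernel: audit(1098222902.101:0): avc: denied { write } for pid=19031 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=374122 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=sock_file
Dec 17:55:07 hostname kernel: audit(1098222907.555:0): avc: denied { read } for pid=19031 exe=/usr/sbin/httpd path=/etc/shadow dev=dm-0 ino=98201 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
Dec 17:55:10 hostname kernel: eth0: link up'

# avc_field LINE KEY: print the value of " KEY=value" in LINE (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# suggest_fix WEBROOT LINE: print one line of advice for an httpd AVC
# denial; print nothing for lines that are not AVC denials.
suggest_fix() {
    webroot=$1
    line=$2
    case "$line" in
        *avc:*denied*|*AVC:*Denied*) ;;
        *) return 0 ;;
    esac
    sdom=$(avc_field "$line" scontext); sdom=${sdom##*:}   # source domain, e.g. httpd_t
    ttype=$(avc_field "$line" tcontext); ttype=${ttype##*:} # target type, e.g. user_home_t
    tclass=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    path=$(avc_field "$line" path)
    if [ -z "$path" ]; then
        path=$(avc_field "$line" name)   # socket denials carry name= rather than path=
    fi
    where=""
    if [ -n "$path" ]; then
        where=" ($path)"
    fi

    case "$sdom:$tclass:$ttype" in
        httpd_t:file:httpd_*|httpd_t:dir:httpd_*)
            # Already an httpd type: the label is fine, so the denial comes from
            # a policy rule or boolean, not from a mislabeled file.
            printf '%s\n' "no relabel: $path is already $ttype (denied $perm)" ;;
        httpd_t:file:*|httpd_t:dir:*)
            case "$path" in
                "$webroot"|"$webroot"/*)
                    printf '%s\n' "chcon -t httpd_sys_content_t $path" ;;
                *)
                    # Outside the web root a denial is SELinux doing its job.
                    printf '%s\n' "refusing: $path ($ttype) is outside $webroot; do not relabel" ;;
            esac ;;
        *)
            # Sockets, processes, ports: not a web-content labeling problem.
            printf '%s\n' "unhandled: $sdom denied $perm on $tclass $ttype$where" ;;
    esac
}

# scan_log WEBROOT: read log lines on stdin and print advice for each denial.
scan_log() {
    while IFS= read -r l; do
        suggest_fix "$1" "$l"
    done
}

# Usage on the constructed sample; on a real FC3 box you would feed it
# "grep avc /var/log/messages" instead.
printf '%s\n' "$SAMPLE_LOG" | scan_log /var/www/html
```

The script only proposes chcon for the file and dir classes under the web root you name; everything else (the MySQL socket, /etc/shadow) is printed for a human to judge, because those are the denials where a reflexive relabel would either not help or would punch a hole in the policy.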

2. MySQL: "Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)"

With Apache sorted out, MySQL was next. The (13) is errno 13, EACCES (permission denied), which is the first hint that an access check, not a missing socket, is the problem.

Problem phenomenon:

Logging into the database with the mysql command-line client on the same machine works normally, and so do queries. But PHP pages fail every time they connect to the MySQL database, with the error:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

Problem Reason:

The mysql.sock file exists and is readable and writable by everyone, so DAC permissions are not the cause. The AVC messages in /var/log/messages show a denial of the same kind as in the Apache case, this time for the socket.

ps -efZ | grep mysql shows mysqld running in the unconfined_t domain, i.e. not confined by the targeted policy at all, and the mysql.sock and mysqld files carry the generic var_lib_t type. The httpd_t domain is only allowed to talk to MySQL through a socket that carries the MySQL-specific types the policy defines, so with no MySQL policy in place the connection from PHP is denied even though DAC permits it. This is evidently a Fedora Core 3 bug in the SELinux targeted policy: Red Hat had not shipped a correct targeted policy for MySQL.

Solution:

Searching Red Hat's bugzilla turns up the bug:

Bug #138421

https://bugzilla.redhat.com/bugzill...g.cgi?id=138421

That page points to an updated targeted policy package to install.

Patch Download page:

Ftp://people.redhat.com/dwalsh/SELinux/FC3

You can also download it from the attachment in this article.

Any selinux-policy-targeted package of version 1.17.30-2.23 or later lets MySQL work normally.

If your system also has selinux-policy-targeted-sources (the policy source) installed, download that source RPM as well and upgrade it first, because the two packages depend on each other.

Patch Installation Method:

As root.

Upgrade the new targeted-policy sources first (only if that package was already installed):

# rpm -Uvh selinux-policy-targeted-sources-1.17.30-2.61.noarch.rpm

Upgrade the new targeted policy:

# rpm -Uvh selinux-policy-targeted-1.17.30-2.61.noarch.rpm

Relabel the MySQL-related files according to the new policy (restorecon reads the file list from stdin with -f -):

# rpm -ql mysql-server | restorecon -R -v -f -

# rpm -ql mysql | restorecon -R -v -f -

Restart the MySQL service so the daemon starts in its new domain:

# service mysqld restart

Check the result: ps -eZ | grep mysqld should no longer show unconfined_t, and ls -Z /var/lib/mysql/mysql.sock should no longer show var_lib_t. Try the PHP page again; it should now connect.
