Apache and MySQL settings in SELinux

Apache and MySQL settings in SELinux-Linux Enterprise Application-Linux server application information. For details, refer to the following section. Fedora Core 3 activates SELinux by default during installation. SELinux provides higher security than normal linux kernels. Theoretically, when the system overflows due to unknown vulnerabilities, normal users cannot obtain the permissions of Super Users. However, due to the improvement of SELinux security, some problems we have never encountered before will occur during use.
Two days ago, I encountered some problems when I used Fedora Core 3 to build a PHP + MySQL WebServer. Now, if you have encountered the same problem, you can easily solve it after reading this article.
1. Apache-Document root must be a directory problem.
The concurrency issue may also be caused by the 403 Forbidden access issue.
Symptom description:
Do not use the default/var/www/html file of the system as the Document Root. Create a new directory and modify/etc/httpd/conf/httpd. in conf, restart Apache Daemon and find that Apache cannot be started. The system reports an error:
Document root must be a directory
However, the DocumentRoot we set is indeed a directory, and apache users have the read permission.
In another case, a new virtual directory or file cannot be accessed. Forbidden, 403 Error is displayed, but the file or directory has the read permission.
Cause:
At first, I wanted to figure out why, but it gave me the feeling that permission is a problem. In the traditional way of thinking in Linux, permissions are absolutely no problem. But do SELinux have other security settings?
Check avc message, view the/var/log/messages file, and find a section similar to the following:
Dec 24 17:54:59 hostname kernel: audit (1098222899.827: 0): avc :\
Denied {getattr} for pid = 19029 exe =/usr/sbin/httpd \
Path =/var/www/html/about.html dev = dm-0 ino = 373900 \
Scontext = root: system_r: httpd_t tcontext = user_ubject_r: user_home_t \
Tclass = file
Hey, the problem is found. It is really a ghost of SELinux's new features. I set the directory or file to the user_home_t type, so the apache process has no permissions and cannot be accessed. SELinux target policy for Apache processes specifies that apache processes can only access directories or files of the httpd_sys_content_t type.
Solution:
Simply change the policy type of the directory or file to httpd_sys_content_t.
Use root User
# Chcon-t httpd_sys_content_t directory name or file name
Then you can run the ls-laZ command to view the policy type of the file directory.

2. Mysql-Can't connect to local MySQL server through socket '/var/lib/mysql. sock' (13)
Just now, Apache has a problem with mySQL.
Symptom:
The mysql command of this machine can log on to the database and operate normally. However, the following error is reported when you connect to the mySQL database on the page written in php:
Can't connect to local MySQL server through socket '/var/lib/mysql. sock' (13)
Cause:
View the mysql. sock file, which exists and can be read or written by anyone. In avc message (/var/log/messages), there are also records of policy errors.
Run the ps-efZ | grep mysql command to check the mysql process. It is found that mySQL uses the unconfined_t undefined policy type to run, while mysql. sock And mysqld files all have var_lib_t policy types. Obviously, this should be a Fedora Core 3 BUG, SELinux target policy BUG, and redhat did not set a correct target policy for mySQL.
Solution:
Search for the bugzilla System of redhat and find the BUG.
Bug #: 138421.
Https://bugzilla.redhat.com/bugzill...g.cgi? Id = 138421
On this page, find the patch for installing the new target policy.
Patch download page:
Ftp://people.redhat.com/dwalsh/SELinux/FC3
You can also download it from the attachment in this article.
Download
Selinux-policy-targeted-1.17.30-2.23 and above versions can be normal use of mySQL.
If selinux-policy-targeted-source (source Code) is installed on your original system, you must also download the source rpm file and upgrade the package first because the two packages are dependent.
Patch installation method:
Use the root user.
Upgrade target-policy-source (if you have installed this package before)
# Rpm-Uvh selinux-policy-targeted-sources-1.17.30-2.61.noarch.rpm
Update target-policy
# Rpm-Uvh selinux-policy-targeted-1.17.30-2.61.noarch.rpm
Update target policy related to mysql
# Rpm-q-l mysql-server | restorecon-R-v-f-
# Rpm-q-l mysql | restorecon-R-v-f-
Restart mysql services
# Service mysqld restart
It must be valid.