02-10-2009, 07:06 PM
Maria Iano

vsftpd using mysql

On Feb 10, 2009, at 9:36 AM, Daniel J Walsh wrote:

> Maria Iano wrote:
>> My vsftpd server needs to talk to my mysql server, and is being denied.
>> Before I use audit2allow to make special rules I wanted to ask whether
>> there is a boolean out there that I am missing. Here is what audit2allow
>> gives me:
>>
>> allow ftpd_t mysqld_db_t:dir search;
>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
>> allow ftpd_t mysqld_var_run_t:sock_file write;
>>
>> I notice there is a boolean for httpd to talk to mysql, which makes me
>> think there might be one for vsftpd. Does anyone know if such a one
>> exists?
>
> Why does ftpd talk to mysqld?

It authenticates against a mysql database for users connecting over
ftp. It uses pam_mysql.

Thanks,
Maria

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
02-10-2009, 07:19 PM
Maria Iano

vsftpd using mysql

On Feb 10, 2009, at 11:12 AM, Daniel J Walsh wrote:

>>> Maria Iano wrote:
>>>> My vsftpd server needs to talk to my mysql server, and is being denied.
>>>> Before I use audit2allow to make special rules I wanted to ask whether
>>>> there is a boolean out there that I am missing. Here is what audit2allow
>>>> gives me:
>>>>
>>>> allow ftpd_t mysqld_db_t:dir search;
>>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
>>>> allow ftpd_t mysqld_var_run_t:sock_file write;
>>>>
>>>> I notice there is a boolean for httpd to talk to mysql, which makes me
>>>> think there might be one for vsftpd. Does anyone know if such a one
>>>> exists?
>>>>
>>>> Thanks,
>>>> Maria
>>>
>>> Why does ftpd talk to mysqld?
>>
>> To use a database backend for virtual users I'd guess.
>>
>> http://www.niraj.info/vsftpd-mysql
>>
>> Paul.
> Learn something new every day...
>
> Miroslav, can you add the following snippets to F9 and F10 policy.
>
> ## <desc>
> ## <p>
> ## Allow ftp servers to connect to mysql database
> ## </p>
> ## </desc>
> gen_tunable(ftpd_connect_db, false)
>
> ## <desc>
> ## <p>
>
> ....
>
> optional_policy(`
> tunable_policy(`ftpd_connect_db',`
> mysql_stream_connect(ftpd_t)
> ')
> ')
>

Thank you, this will be very helpful!

I am probably revealing my ignorance here, but...

shouldn't a boolean for ftpd_connect_db allow all three of the things
that were denied?:

allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;

Otherwise I also have to turn on either the allow_ftpd_full_access
boolean or the ftp_home_dir boolean, both of which do more than I need
just to talk to mysql.

I'm sure you have a good reason (too much clutter perhaps) but I am
curious.

Thanks,
Maria

 
02-10-2009, 07:36 PM
Paul Howarth

vsftpd using mysql

On Tue, 10 Feb 2009 15:19:06 -0500
Maria Iano <maria@iano.org> wrote:

>
> On Feb 10, 2009, at 11:12 AM, Daniel J Walsh wrote:
> >>>
> >>>
> >>> Maria Iano wrote:
> >>>> My vsftpd server needs to talk to my mysql server, and is being
> >>>> denied.
> >>>> Before I use audit2allow to make special rules I wanted to ask
> >>>> whether
> >>>> there is a boolean out there that I am missing. Here is what
> >>>> audit2allow
> >>>> gives me:
> >>>>
> >>>> allow ftpd_t mysqld_db_t:dir search;
> >>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> >>>> allow ftpd_t mysqld_var_run_t:sock_file write;
> >>>>
> >>>> I notice there is a boolean for httpd to talk to mysql, which
> >>>> makes me
> >>>> think there might be one for vsftpd. Does anyone know if such a
> >>>> one exists?
> >>>>
> >>>> Thanks,
> >>>> Maria
> >>>>
> >>>
> >>> Why does ftpd talk to mysqld?
> >>
> >> To use a database backend for virtual users I'd guess.
> >>
> >> http://www.niraj.info/vsftpd-mysql
> >>
> >> Paul.
> > Learn something new every day...
> >
> > Miroslav, can you add the following snippets to F9 and F10 policy.
> >
> >
> > ## <desc>
> > ## <p>
> > ## Allow ftp servers to connect to mysql database
> > ## </p>
> > ## </desc>
> > gen_tunable(ftpd_connect_db, false)
> >
> > ## <desc>
> > ## <p>
> >
> > ....
> >
> > optional_policy(`
> > tunable_policy(`ftpd_connect_db',`
> > mysql_stream_connect(ftpd_t)
> > ')
> > ')
> >
>
> Thank you, this will be very helpful!
>
> I am probably revealing my ignorance here, but...
>
> shouldn't a boolean for ftpd_connect_db allow all three of the
> things that were denied?:
>
> allow ftpd_t mysqld_db_t:dir search;
> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> allow ftpd_t mysqld_var_run_t:sock_file write;
>
> Otherwise I also have to turn on either the allow_ftpd_full_access
> boolean or the ftp_home_dir boolean, both of which do more than I
> need just to talk to mysql.
>
> I'm sure you have a good reason (too much clutter perhaps) but I am
> curious.

mysql_stream_connect(ftpd_t) expands to the following rules:

allow ftpd_t mysqld_var_run_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_db_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;

So it does what you need, and very little more. It's such a common
idiom that macros are used to simplify the rules.

Paul.

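An added check, not part of the thread and not audit2allow's own code: the question Maria raises (does the narrow ftpd_connect_db boolean cover every denial, or do I still need allow_ftpd_full_access?) can be answered mechanically. The script below re-implements the small part of audit2allow that turns AVC records into allow rules, then compares them against the expansion of mysql_stream_connect(ftpd_t) that Paul quoted. The audit lines are constructed to match the three denials in the thread (pid, inode and path values are made up); the fourth constructed record is a denial the interface does not grant, to show what an uncovered permission looks like in the report.

```python
"""Check whether an SELinux interface expansion covers a set of AVC denials.

Added example for the vsftpd/mysql thread: a simplified audit2allow-style
parser plus a coverage check against the rules mysql_stream_connect()
expands to, as quoted in the thread.
"""
import re

# Constructed audit.log records (auditd AVC format); the three denials
# match the audit2allow output posted in the thread, plus one SYSCALL
# record to show that non-AVC records are skipped.
CONSTRUCTED_AVC_LINES = [
    'type=AVC msg=audit(1234273000.123:456): avc:  denied  { search } for  pid=2345 '
    'comm="vsftpd" name="mysql" dev=sda3 ino=12345 scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir',
    'type=AVC msg=audit(1234273000.124:457): avc:  denied  { write } for  pid=2345 '
    'comm="vsftpd" name="mysql.sock" dev=sda3 ino=12346 scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1234273000.125:458): avc:  denied  { connectto } for  pid=2345 '
    'comm="vsftpd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1234273000.125:458): arch=c000003e syscall=42 success=no exit=-13',
]

# Constructed denial that a stream-connect interface should NOT cover:
# ftpd reading a database file directly.
EXTRA_DENIAL = (
    'type=AVC msg=audit(1234273000.200:470): avc:  denied  { read } for  pid=2345 '
    'comm="vsftpd" name="user.MYD" dev=sda3 ino=12350 scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file'
)

# Expansion of mysql_stream_connect(ftpd_t) exactly as Paul quoted it,
# duplicates included.
MYSQL_STREAM_CONNECT_FTPD_T = """
allow ftpd_t mysqld_var_run_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_db_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)"
)
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<tclass>\w+)\s+"
    r"(?:\{(?P<multi>[^}]*)\}|(?P<single>\w+))\s*;",
    re.MULTILINE,
)


def _type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC records."""
    denials = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no AVC fields
        key = (_type_of(m["scon"]), _type_of(m["tcon"]), m["tclass"])
        denials.setdefault(key, set()).update(m["perms"].split())
    return denials


def format_rules(rules):
    """Render rules as audit2allow prints them: braces only for multiple perms."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out


def parse_allow_rules(text):
    """Parse allow rules (single perm or { a b } form) into the same dict shape."""
    rules = {}
    for m in ALLOW_RE.finditer(text):
        perms = m["multi"].split() if m["multi"] is not None else [m["single"]]
        rules.setdefault((m["src"], m["tgt"], m["tclass"]), set()).update(perms)
    return rules


def uncovered(denials, granted):
    """Denied permissions that the granted rule set does not allow."""
    missing = {}
    for key, perms in denials.items():
        left = perms - granted.get(key, set())
        if left:
            missing[key] = left
    return missing


if __name__ == "__main__":
    granted = parse_allow_rules(MYSQL_STREAM_CONNECT_FTPD_T)
    for line in format_rules(parse_avc(CONSTRUCTED_AVC_LINES)):
        print(line)
    print("uncovered by mysql_stream_connect:",
          uncovered(parse_avc(CONSTRUCTED_AVC_LINES + [EXTRA_DENIAL]), granted))
```

Run against a real log, the same comparison tells you whether a proposed tunable closes every denial before you fall back to a broader boolean, and an uncovered permission like the constructed file read is a prompt to ask why the daemon needs it rather than a reason to grant it.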