02-05-2009, 10:57 PM
Maria Iano

vsftpd using mysql

My vsftpd server needs to talk to my mysql server, and is being
denied. Before I use audit2allow to make special rules I wanted to ask
whether there is a boolean out there that I am missing. Here is what
audit2allow gives me:


allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;

I notice there is a boolean for httpd to talk to mysql, which makes me
think there might be one for vsftpd. Does anyone know if such a one
exists?


Thanks,
Maria

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
02-06-2009, 09:05 AM
Dominick Grift

vsftpd using mysql

On Thursday 05-02-2009 at 18:57 [timezone -0500], Maria Iano wrote:
> I notice there is a boolean for httpd to talk to mysql, which makes me
> think there might be one for vsftpd. Does anyone know if such a one
> exists?

There is no such boolean for ftpd_t yet I think. One can verify this
using: sesearch --allow -s ftpd_t | grep mysql

There is also a manual page for ftpd_t: man ftpd_selinux

One can easily implement a boolean using the policy you've generated.
You might consider reporting a feature request to bugzilla.redhat.com in
the selinux-policy component

hth, Dominick

> Thanks,
> Maria
>

 
02-06-2009, 03:58 PM
Maria Iano

vsftpd using mysql

Thank you so much Dominick - sesearch is a fantastic tool! It tells me
exactly which booleans will do what I need. Either one of two booleans
will provide two of the things I need. So there is only one extra
allow rule that I need to create.


# sesearch --allow -s ftpd_t -t mysqld_var_run_t -c sock_file -p write -C

Found 2 av rules:
DT allow ftpd_t mysqld_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_ftpd_full_access ]
DT allow ftpd_t mysqld_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename }; [ ftp_home_dir ]


# sesearch --allow -s ftpd_t -t mysqld_db_t -c dir -p search -C

Found 2 av rules:
DT allow ftpd_t mysqld_db_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ allow_ftpd_full_access ]
DT allow ftpd_t mysqld_db_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ ftp_home_dir ]


So I can get
allow ftpd_t mysqld_var_run_t:sock_file write;
and
allow ftpd_t mysqld_db_t:dir search;
with booleans.

The only one that I can't get that way is:
allow ftpd_t mysqld_t:unix_stream_socket connectto;

Thanks!
Maria

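The cross-check Maria did by hand above (matching each rule audit2allow emitted against the conditional rules that `sesearch --allow -C` reports, and spotting the one no boolean covers), automated as an added example that is not from the thread. It parses the setools-3 output format shown in the posts; the sample input is constructed from the rules quoted on this page.

```python
import re

# Constructed sample input, copied from the thread: the rules audit2allow printed ...
AUDIT2ALLOW = """\
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
"""
# ... and `sesearch --allow -s ftpd_t -C` output in the setools-3 format shown above,
# unwrapped (DT = conditional rule, true branch, currently disabled).
SESEARCH = """\
DT allow ftpd_t mysqld_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_ftpd_full_access ]
DT allow ftpd_t mysqld_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename }; [ ftp_home_dir ]
DT allow ftpd_t mysqld_db_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ allow_ftpd_full_access ]
DT allow ftpd_t mysqld_db_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ ftp_home_dir ]
"""

RULE_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{ ([^}]*) \}|(\S+));$")
SESEARCH_RE = re.compile(r"^(?:[ED]([TF]) )?allow (\S+) (\S+) : (\S+) "
                         r"(?:\{ ([^}]*) \}|(\S+)) ?;(?: \[ (.+?) \])?$")

def parse_audit2allow(text):
    """Yield (source, target, class, permission) for each allow rule audit2allow emitted."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, multi, single = m.groups()
            for perm in (multi or single).split():
                yield src, tgt, cls, perm

def parse_sesearch(text):
    """Yield (source, target, class, perms, condition) per sesearch rule line; condition is
    None if unconditional, the boolean expression (true branch) or '!' + expression (false)."""
    for line in text.splitlines():
        m = SESEARCH_RE.match(line.strip())
        if m:
            branch, src, tgt, cls, multi, single, expr = m.groups()
            cond = None if expr is None else (expr if branch == "T" else "!" + expr)
            yield src, tgt, cls, set((multi or single).split()), cond

def booleans_for(rules_text, sesearch_text):
    """Map each needed permission to the conditions under which the loaded policy grants it.
    An empty list means no boolean reaches that rule (connectto here): it needs a local module."""
    granted = list(parse_sesearch(sesearch_text))
    result = {}
    for src, tgt, cls, perm in parse_audit2allow(rules_text):
        conds = {"<unconditional>" if cond is None else cond
                 for gsrc, gtgt, gcls, perms, cond in granted
                 if (gsrc, gtgt, gcls) == (src, tgt, cls) and perm in perms}
        result[f"allow {src} {tgt}:{cls} {perm};"] = sorted(conds)
    return result
```

Feed it the real outputs of `audit2allow` and `sesearch --allow -s ftpd_t -C` on the box; a false-branch (`DF`/`EF`) rule is reported as `!boolean`, meaning the permission is granted while that boolean is off.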
 
02-06-2009, 04:15 PM
Dominick Grift

vsftpd using mysql

On Fri, 2009-02-06 at 11:58 -0500, Maria Iano wrote:
> Thank you so much Dominick - sesearch is a fantastic tool! It tells me
> exactly which booleans will do what I need. Either one of two booleans
> will provide two of the things I need. So there is only one extra
> allow rule that I need to create.

Another way to see if there is a boolean for a denial is to pipe the avc
denial into the input stream of audit2why (or audit2allow -w)

hth, Dominick

 
02-10-2009, 01:36 PM
Daniel J Walsh

vsftpd using mysql


Maria Iano wrote:
> My vsftpd server needs to talk to my mysql server, and is being denied.
> Before I use audit2allow to make special rules I wanted to ask whether
> there is a boolean out there that I am missing. Here is what audit2allow
> gives me:
>
> allow ftpd_t mysqld_db_t:dir search;
> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> allow ftpd_t mysqld_var_run_t:sock_file write;
>
> I notice there is a boolean for httpd to talk to mysql, which makes me
> think there might be one for vsftpd. Does anyone know if such a one exists?
>
> Thanks,
> Maria
>

Why does ftpd talk to mysqld?

 
02-10-2009, 01:52 PM
Paul Howarth

vsftpd using mysql

Daniel J Walsh wrote:

> Why does ftpd talk to mysqld?


To use a database backend for virtual users I'd guess.

http://www.niraj.info/vsftpd-mysql

Paul.

 
02-10-2009, 03:12 PM
Daniel J Walsh

vsftpd using mysql


Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Maria Iano wrote:
>>> My vsftpd server needs to talk to my mysql server, and is being denied.
>>> Before I use audit2allow to make special rules I wanted to ask whether
>>> there is a boolean out there that I am missing. Here is what audit2allow
>>> gives me:
>>>
>>> allow ftpd_t mysqld_db_t:dir search;
>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
>>> allow ftpd_t mysqld_var_run_t:sock_file write;
>>>
>>> I notice there is a boolean for httpd to talk to mysql, which makes me
>>> think there might be one for vsftpd. Does anyone know if such a one
>>> exists?
>>>
>>> Thanks,
>>> Maria
>>>
>>
>> Why does ftpd talk to mysqld?
>
> To use a database backend for virtual users I'd guess.
>
> http://www.niraj.info/vsftpd-mysql
>
> Paul.
Learn something new every day...

Miroslav, can you add the following snippets to F9 and F10 policy.


## <desc>
## <p>
## Allow ftp servers to connect to mysql database
## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)

## <desc>
## <p>

....

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		mysql_stream_connect(ftpd_t)
	')
')

 
02-10-2009, 03:17 PM
Paul Howarth

vsftpd using mysql

Daniel J Walsh wrote:
> Learn something new every day...
>
> Miroslav, can you add the following snippets to F9 and F10 policy.
>
> ## <desc>
> ## <p>
> ## Allow ftp servers to use connect to mysql database
> ## </p>
> ## </desc>
> gen_tunable(ftpd_connect_db, false)
>
> ## <desc>
> ## <p>
>
> ....
>
> optional_policy(`
> tunable_policy(`ftpd_connect_db',`
> mysql_stream_connect(ftpd_t)
> ')
> ')


It's not just vsftpd that can do this btw - proftpd supports postgresql
and LDAP backends for this purpose.


Paul.

 
02-10-2009, 03:29 PM
Manuel Wolfshant

vsftpd using mysql

Paul Howarth wrote:
> [...]
>
> Why does ftpd talk to mysqld?
>
> To use a database backend for virtual users I'd guess.
>
> http://www.niraj.info/vsftpd-mysql
>
> Paul.
>
> Learn something new every day...
> [...]
>
> It's not just vsftpd that can do this btw - proftpd supports
> postgresql and LDAP backends for this purpose.

I use pureftpd with a mysql backend for virtual users.


manuel

 
02-10-2009, 04:12 PM
Daniel J Walsh

vsftpd using mysql


Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> Daniel J Walsh wrote:
>>>> Maria Iano wrote:
>>>>> My vsftpd server needs to talk to my mysql server, and is being
>>>>> denied.
>>>>> Before I use audit2allow to make special rules I wanted to ask whether
>>>>> there is a boolean out there that I am missing. Here is what
>>>>> audit2allow
>>>>> gives me:
>>>>>
>>>>> allow ftpd_t mysqld_db_t:dir search;
>>>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
>>>>> allow ftpd_t mysqld_var_run_t:sock_file write;
>>>>>
>>>>> I notice there is a boolean for httpd to talk to mysql, which makes me
>>>>> think there might be one for vsftpd. Does anyone know if such a one
>>>>> exists?
>>>>>
>>>>> Thanks,
>>>>> Maria
>>>>>
>>>> Why does ftpd talk to mysqld?
>>> To use a database backend for virtual users I'd guess.
>>>
>>> http://www.niraj.info/vsftpd-mysql
>>>
>>> Paul.
>> Learn something new every day...
>>
>> Miroslav, can you add the following snippets to F9 and F10 policy.
>>
>>
>> ## <desc>
>> ## <p>
>> ## Allow ftp servers to use connect to mysql database
>> ## </p>
>> ## </desc>
>> gen_tunable(ftpd_connect_db, false)
>>
>> ## <desc>
>> ## <p>
>>
>> ....
>>
>> optional_policy(`
>> tunable_policy(`ftpd_connect_db',`
>> mysql_stream_connect(ftpd_t)
>> ')
>> ')
>
> It's not just vsftpd that can do this btw - proftpd supports postgresql
> and LDAP backends for this purpose.
>
> Paul.

Already can connect to ldap through auth_use_sswitch.


optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		mysql_stream_connect(ftpd_t)
	')
')

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		postgresql_stream_connect(ftpd_t)
	')
')

tunable_policy(`ftpd_connect_db',`
	corenet_tcp_connect_mysqld_port(ftpd_t)
	corenet_tcp_connect_postgresql_port(ftpd_t)
')

But these others should handle both local and remote databases.