Ping a Specific Port

Question

xivix

Asked: 2011-02-25 12:23:16 +0800 CST2011-02-25 12:23:16 +0800 CST 2011-02-25 12:23:16 +0800 CST

How do I allow MySQL connections through SELinux?

772

I'd like to for once leave SELinux running on a server for the alleged increased security.
I usually disable SELinux to get anything to work.
How do I tell SELinux to allow MySQL connections?
The most I've found in the documentation is this line from mysql.com:

If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process.

wow ... that's really helpful.

6 Answers

Voted

Punjab · Answer 1 · 2012-12-11T13:30:47+08:00

Punjab

2012-12-11T13:30:47+08:002012-12-11T13:30:47+08:00

To check SELinux

sestatus

To see what flags are set on httpd processes

getsebool -a | grep httpd

To allow Apache to connect to remote database through SELinux

setsebool httpd_can_network_connect_db 1

Use -P option makes the change permanent. Without this option, the boolean would be reset to 0 at reboot.

setsebool -P httpd_can_network_connect_db 1

56

Tamler · Answer 2 · 2011-02-25T13:03:38+08:00

Tamler

2011-02-25T13:03:38+08:002011-02-25T13:03:38+08:00

Do you get an error? What flavor of linux are you using? Security context is a good place to start if you are getting an error. ls -Z will give context... But your question is very vague.

2

Paul · Answer 3 · 2011-02-26T20:30:19+08:00

Paul

2011-02-26T20:30:19+08:002011-02-26T20:30:19+08:00

Apparently configuring selinux isn't trivial. You may wish to start here.

setenforce 0

puts selinux into permissive mode, where it allows anything but logs what it's allowing. A reboot or

setenforce 1

returns to blocking whatever the policy doesn't permit.

Check out these selinux policy docs for mySQL in Fedora.

2

Raffaello · Answer 4 · 2013-12-25T04:24:01+08:00

Raffaello

2013-12-25T04:24:01+08:002013-12-25T04:24:01+08:00

you can build local policy too:

"You can generate a local policy module to allow this access.Do allow this access for now by executing:"

grep httpd /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

or enable globally for the actual session:

setsebool httpd_can_network_connect_db 1

or permanent:

setsebool -P httpd_can_network_connect_db 1

2

vnix27 · Answer 5 · 2011-02-26T22:24:50+08:00

vnix27

2011-02-26T22:24:50+08:002011-02-26T22:24:50+08:00

The ausearch command can help find the error log.

1

AndreasM · Answer 6 · 2011-03-16T07:09:35+08:00

AndreasM

2011-03-16T07:09:35+08:002011-03-16T07:09:35+08:00

Are you sure it's selinux? Normal connections from outside should be allowed by selinux. So it could also be the firewall. If you have local services trying to connect to mysqld, that's something different: http://docs.fedoraproject.org/en-US/Fedora/13/html/Managing_Confined_Services/sect-Managing_Confined_Services-MySQL-Booleans.html

1

How do I allow MySQL connections through SELinux?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?