Mysql – How to allow MySQL connections through SELinux

MySQLselinux

I'd like to for once leave SELinux running on a server for the alleged increased security.
I usually disable SELinux to get anything to work.
How do I tell SELinux to allow MySQL connections?
The most I've found in the documentation is this line from mysql.com:

If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process.

wow … that's really helpful.

Best Answer

To check SELinux

sestatus

To see what flags are set on httpd processes

getsebool -a | grep httpd

To allow Apache to connect to remote database through SELinux

setsebool httpd_can_network_connect_db 1

Use -P option makes the change permanent. Without this option, the boolean would be reset to 0 at reboot.

setsebool -P httpd_can_network_connect_db 1

Related Solutions

Mysql – How to Exempt MySQL from SELinux targeted list

You don't need to disable SELinux at all. What you need to do is label the port you want use.

To check for the labeled ports for MySQL in the policy:


 # semanage port -l | grep mysql
mysqld_port_t                  tcp      1186, 3306, 63132-63163
mysqlmanagerd_port_t           tcp      2273

To label a $custom port:


 # semanage port -a -t mysqld_port_t -p tcp $custom

The main reference for this is the semanage(8) manpage.

Centos – SELinux: Letting Apache talk to MySQL on CentOS

UPDATE 2

type=AVC msg=audit(1318863312.959:435): avc: denied { connectto } for pid=12472 comm="httpd" path="/opt/chroot/mysql/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

You can build the custom SELinux policy module by following steps:

# grep httpd_t audit.log | audit2allow -m httpd > httpd.te
# checkmodule -M -m -o httpd.mod httpd.te
# semodule_package -m httpd.mod -o httpd.pp 
# semodule -i httpd.pp

Refer to this topic for more details.

UPDATE

Run semanage command to add a context mapping for /opt/chroot/mysql/var/lib/mysql/:
```
# semanage fcontext -a -t mysqld_db_t "/opt/chroot/mysql/var/lib/mysql(/.*)?"
```
And use restorecon command to apply this context mapping:
```
# restorecon -Rv /opt/chroot/mysql/var/lib/mysql
```

If you are connecting via TCP/IP, try this:

# setsebool -P httpd_can_network_connect 1

Best Answer

Related Solutions

Mysql – How to Exempt MySQL from SELinux targeted list

Centos – SELinux: Letting Apache talk to MySQL on CentOS

Related Topic