[DSE-Dev] Bug#962842: selinux-policy-default: SElinux prevents apache2 access to the mysql (mariadb) socket
Maksim K.
debian_bug at k-max.name
Mon Jun 15 00:06:55 BST 2020
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important
Dear Maintainer,
I've configured my server as a LAMP server for WordPress hosting.
I installed the following versions of packages:
***
root at vps:~# dpkg -l | grep "apache\|mysql\|mariadb\|php\|wordpress"
ii apache2 2.4.25-3+deb9u9 amd64 Apache HTTP Server
ii apache2-bin 2.4.25-3+deb9u9 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.25-3+deb9u9 all Apache HTTP Server (common files)
ii apache2-doc 2.4.25-3+deb9u9 all Apache HTTP Server (on-site documentation)
ii apache2-utils 2.4.25-3+deb9u9 amd64 Apache HTTP Server (utility programs for web servers)
ii libapache2-mod-php 1:7.0+49 all server-side, HTML-embedded scripting language (Apache 2 module) (default)
ii libapache2-mod-php7.0 7.0.33-0+deb9u7 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii libdbd-mysql-perl 4.041-2 amd64 Perl5 database interface to the MariaDB/MySQL database
ii libmariadbclient18:amd64 10.1.44-0+deb9u1 amd64 MariaDB database client library
ii libphp-phpmailer 5.2.14+dfsg-2.3+deb9u1 all full featured email transfer class for PHP
ii mariadb-client-10.1 10.1.44-0+deb9u1 amd64 MariaDB database client binaries
ii mariadb-client-core-10.1 10.1.44-0+deb9u1 amd64 MariaDB database core client binaries
ii mariadb-common 10.1.44-0+deb9u1 all MariaDB common metapackage
ii mariadb-server 10.1.44-0+deb9u1 all MariaDB database server (metapackage depending on the latest version)
ii mariadb-server-10.1 10.1.44-0+deb9u1 amd64 MariaDB database server binaries
ii mariadb-server-core-10.1 10.1.44-0+deb9u1 amd64 MariaDB database core server files
ii mysql-common 5.8+1.0.2 all MySQL database common files, e.g. /etc/mysql/my.cnf
ii php-common 1:49 all Common files for PHP packages
ii php-gd 1:7.0+49 all GD module for PHP [default]
ii php-getid3 1.9.12+dfsg-1 all scripts to extract information from multimedia files
ii php-mysql 1:7.0+49 all MySQL module for PHP [default]
ii php7.0-cli 7.0.33-0+deb9u7 amd64 command-line interpreter for the PHP scripting language
ii php7.0-common 7.0.33-0+deb9u7 amd64 documentation, examples and common module for PHP
ii php7.0-gd 7.0.33-0+deb9u7 amd64 GD module for PHP
ii php7.0-json 7.0.33-0+deb9u7 amd64 JSON module for PHP
ii php7.0-mysql 7.0.33-0+deb9u7 amd64 MySQL module for PHP
ii php7.0-opcache 7.0.33-0+deb9u7 amd64 Zend OpCache module for PHP
ii php7.0-readline 7.0.33-0+deb9u7 amd64 readline module for PHP
ii python3-pymysql 0.7.10-1 all Pure-Python MySQL Driver - Python 3.x
ii wordpress 4.7.5+dfsg-2+deb9u6 all weblog manager
ii wordpress-l10n 4.7.5+dfsg-2+deb9u6 all weblog manager - language files
ii wordpress-theme-twentyseventeen 4.7.5+dfsg-2+deb9u6 all weblog manager - twentyseventeen theme files
***
I enabled the following systemd units:
***
root at vps:~# systemctl list-units | grep "apache\|mysql\|mariadb\|php"
apache2.service loaded active running The Apache HTTP Server
mariadb.service loaded active running MariaDB 10.1.44 database server
phpsessionclean.timer loaded active waiting Clean PHP session files every 30 mins
***
So, by default MariaDB is configured to communicate over a Unix socket.
After starting MariaDB, it creates the expected socket:
***
root at vps:~# ls -la /var/run/mysqld/
total 0
drwxr-xr-x. 2 mysql root 40 Jun 15 01:52 .
drwxr-xr-x. 26 root root 800 Jun 15 01:25 ..
root at vps:~# systemctl start mariadb
root at vps:~# ls -lZ /run/mysqld/
total 4
-rw-rw----. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0 5 Jun 15 01:52 mysqld.pid
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0 0 Jun 15 01:52 mysqld.sock
root at vps:~# systemctl status mariadb
● mariadb.service - MariaDB 10.1.44 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-06-15 01:52:51 MSK; 19s ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Process: 3136 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Process: 3134 ExecStartPost=/etc/mysql/debian-start (code=exited, status=0/SUCCESS)
Process: 3030 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] && systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1 (code=exited, status=0/SUCCESS
Process: 3025 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Process: 3022 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld (code=exited, status=0/SUCCESS)
Main PID: 3107 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 26 (limit: 4915)
CGroup: /system.slice/mariadb.service
└─3107 /usr/sbin/mysqld
Jun 15 01:52:50 vps systemd[1]: Starting MariaDB 10.1.44 database server...
Jun 15 01:52:51 vps mysqld[3107]: 2020-06-15 1:52:51 139931111169408 [Note] /usr/sbin/mysqld (mysqld 10.1.44-MariaDB-0+deb9u1) starting as process 3107 ...
Jun 15 01:52:51 vps systemd[1]: Started MariaDB 10.1.44 database server.
root at vps:~#
***
But when I try to open the configured and enabled WordPress site, it shows me the message "Error establishing a database connection".
And I can see in the audit.log messages like this:
***
type=AVC msg=audit(1592175454.425:292): avc: denied { execmem } for pid=774 comm="apache2" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1592175454.429:293): avc: denied { execmem } for pid=774 comm="apache2" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1592175454.429:294): avc: denied { execmem } for pid=774 comm="apache2" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1592175454.441:295): avc: denied { execmem } for pid=774 comm="apache2" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1592175454.441:296): avc: denied { connectto } for pid=774 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
***
I expected to see "tcontext=system_u:system_r:mysqld_var_run_t:s0" in the audit.log, since that is what "ls -lZ /run/mysqld/" shows.
But audit.log shows me "tcontext=<...>:init_t:s0".
So, I have to use audit2allow to allow this to work.
***
root at vps:/tmp# cat apache2.te
module apache2 1.0;
require {
type httpd_t;
type init_t;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t init_t:unix_stream_socket connectto;
***
-- System Information:
Debian Release: 9.12
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libselinux1 2.6-3+b3
ii libsemanage1 2.6-2
ii libsepol1 2.6-2
ii policycoreutils 2.6-3
ii selinux-utils 2.6-3+b3
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.6-2
ii setools 4.0.1-6
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
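An added triage helper, written for this page and not part of the bug report or of the Debian policy package, that parses the AVC records quoted above and explains the security-relevant detail the report trips over: for a `connectto` denial on a `unix_stream_socket`, the `tcontext` is the label of the listening socket, which is inherited from the domain of the process that created it, not the file label that `ls -Z` prints for the socket path. A listener showing up as `init_t` therefore means the daemon never transitioned into its own domain, and the audit2allow rule `allow httpd_t init_t:unix_stream_socket connectto` would let `httpd_t` connect to every socket owned by an `init_t` process. The sample audit lines are copied from the report; the expected listener domain `mysqld_t` and the check commands in the advice strings follow refpolicy conventions and are assumptions, not something the report itself states.

```python
import re

# Constructed sample: two of the AVC records quoted in the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1592175454.425:292): avc: denied { execmem } for pid=774 comm="apache2" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1592175454.441:296): avc: denied { connectto } for pid=774 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(.+?);\s*$")

# Domains that are not a specific daemon's domain; a rule targeting them grants
# access to sockets of *every* process running there (assumption: refpolicy names).
GENERIC_DOMAINS = {"init_t", "initrc_t", "unconfined_t", "kernel_t"}


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    return rec


def domain_type(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t' (the type field of a context)."""
    return context.split(":")[2]


def triage(rec, expected_listener_domain="mysqld_t"):
    """Explain a denial from a defender's point of view and suggest the least-privilege fix."""
    src, tgt = domain_type(rec["scontext"]), domain_type(rec["tcontext"])
    tclass, perms = rec["tclass"], rec["perms"]

    if tclass == "unix_stream_socket" and "connectto" in perms:
        # tcontext here is the listening socket's label = creating process's domain.
        if tgt != expected_listener_domain:
            return {
                "kind": "listener_in_wrong_domain",
                "source": src,
                "listener": tgt,
                "advice": (
                    f"{rec.get('path', '<socket>')} is served by a process in {tgt}, not "
                    f"{expected_listener_domain}, so the daemon did not transition. Check "
                    "`ps -eZ | grep mysqld`, compare `ls -Z /usr/sbin/mysqld` with "
                    "`matchpathcon /usr/sbin/mysqld` and relabel with "
                    f"`restorecon -v /usr/sbin/mysqld` instead of allowing {src} -> {tgt}."
                ),
            }
        return {
            "kind": "policy_gap",
            "source": src,
            "listener": tgt,
            "advice": (
                f"Listener is in the expected domain; inspect the loaded policy with "
                f"`sesearch -A -s {src} -t {tgt} -c unix_stream_socket -p connectto`."
            ),
        }

    if tclass == "process" and "execmem" in perms:
        return {
            "kind": "execmem",
            "source": src,
            "listener": None,
            "advice": (
                f"{src} asked for writable+executable memory (W^X violation), usually from a "
                "JIT such as PHP opcache; prefer disabling the JIT over toggling "
                "httpd_execmem (refpolicy boolean name assumed)."
            ),
        }

    return {"kind": "other", "source": src, "listener": tgt, "advice": "manual review"}


def is_overbroad_allow(rule):
    """True if an audit2allow 'allow' rule targets a generic domain such as init_t."""
    m = ALLOW_RE.match(rule)
    return bool(m) and m.group(2) in GENERIC_DOMAINS


def triage_log(text):
    """Parse every AVC line in an audit log excerpt and triage it."""
    return [triage(r) for r in map(parse_avc, text.splitlines()) if r]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_AUDIT):
        print(f"[{finding['kind']}] {finding['advice']}")
    print("audit2allow rule over-broad:",
          is_overbroad_allow("allow httpd_t init_t:unix_stream_socket connectto;"))
```

Run it against a real `ausearch -m avc` excerpt by replacing `SAMPLE_AUDIT`; the script only reads text, so it can be used on a copied log without SELinux tooling on the analysis host.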