Rootop Server Operations and Web Architecture

SELinux is preventing the http daemon from connecting to network port 3306 For complete SELinux messages


Mar  7 10:04:59 s1 setroubleshoot: SELinux is preventing the http daemon from connecting to network port 3306 For complete SELinux messages. run sealert -l 8317c5f8-15b1-48cb-854f-294d207f83b2

[root@s1 ~]# sealert -l 8317c5f8-15b1-48cb-854f-294d207f83b2


SELinux is preventing the http daemon from connecting to network port 3306


[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied the http daemon from connecting to 3306. An httpd script is
trying to do a network connect to a remote port. If you did not set up httpd to
make network connections, this could signal an intrusion attempt.


If you want httpd to connect to network ports you need to turn on the
httpd_can_network_connect boolean: "setsebool -P httpd_can_network_connect=1"


setsebool -P httpd_can_network_connect=1


Source Context                root:system_r:httpd_t
Target Context                system_u:object_r:mysqld_port_t
Target Objects                None [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          3306
Host                          s1
Source RPM Packages           httpd-2.2.3-43.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   httpd_can_network_connect
Host Name                     s1
Platform                      Linux s1 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39
                              EDT 2010 x86_64 x86_64
Alert Count                   960
First Seen                    Mon Mar  7 09:04:13 2011
Last Seen                     Mon Mar  7 10:08:16 2011
Local ID                      8317c5f8-15b1-48cb-854f-294d207f83b2

Raw Audit Messages

host=s1 type=AVC msg=audit(1299463696.250:1396): avc:  denied  { name_connect }  for  pid=14554 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

host=s1 type=SYSCALL msg=audit(1299463696.250:1396): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=7fff7d8e7d60 a2=10 a3=0 items=0 ppid=14550 pid=14554 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=55 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

[root@s1 ~]#
[root@s1 ~]# setsebool -P

Usage:  setsebool [ -P ] boolean value | bool1=val1 bool2=val2...

The boolean and its value must be passed to setsebool on the same command line. Typed by itself, httpd_can_network_connect=1 is only a shell variable assignment and changes nothing in the policy, so the correct sequence is:

[root@s1 ~]# setsebool -P httpd_can_network_connect=1
[root@s1 ~]# setenforce 1
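The denial above carries everything needed to pick the right boolean: the source type (httpd_t), the target type (mysqld_port_t) and the permission (name_connect). The script below is an added example, not code from the blog, that parses such an AVC line and emits the setsebool command to run. The sample line is constructed from the page's own denial. The boolean table is an assumption to confirm against your policy with `getsebool -a | grep httpd`: httpd_can_network_connect lets httpd_t connect to any port, which also gives a compromised web application (a web shell, for instance) free outbound access, so the script prefers the narrower database boolean httpd_can_network_connect_db where the target is a database port type.

```shell
#!/bin/sh
# Added example (not the blog's own code): map an SELinux AVC denial to the
# boolean that resolves it. AVC_SAMPLE is constructed from the denial on the page.
AVC_SAMPLE='type=AVC msg=audit(1299463696.250:1396): avc:  denied  { name_connect }  for  pid=14554 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of "KEY=value" in the AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the permission listed inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# context_type CONTEXT -> the type component of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_boolean SRC_TYPE TGT_TYPE PERM -> boolean name, or "none"
# Assumed table: confirm the names with `getsebool -a | grep httpd`.
suggest_boolean() {
    case "$1:$2:$3" in
        httpd_t:mysqld_port_t:name_connect|httpd_t:postgresql_port_t:name_connect)
            # narrower boolean covering only database ports; fall back to
            # httpd_can_network_connect if your policy does not list it
            echo httpd_can_network_connect_db ;;
        httpd_t:*_port_t:name_connect)
            # broad boolean: httpd_t may connect to any port
            echo httpd_can_network_connect ;;
        *)
            echo none ;;
    esac
}

# fix_command AVC_LINE -> persistent setsebool command, or advice if no boolean is known
fix_command() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    perm=$(avc_perm "$1")
    bool=$(suggest_boolean "$src" "$tgt" "$perm")
    if [ "$bool" = none ]; then
        echo "no boolean known for $src -> $tgt ($perm); inspect with audit2allow -a"
    else
        echo "setsebool -P $bool=1"
    fi
}

fix_command "$AVC_SAMPLE"
```

After flipping the boolean, confirm it with `getsebool httpd_can_network_connect_db` (or the broad one, whichever you chose) and check that no new denials appear with `ausearch -m avc -c httpd -ts recent`. Note that the alert was recorded while the host was in permissive mode, so the connect had already gone through; `setenforce 1` re-enables enforcing only until the next boot, and the persistent setting is `SELINUX=enforcing` in /etc/selinux/config.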