Mar 7 10:04:59 s1 setroubleshoot: SELinux is preventing the http daemon from connecting to network port 3306 For complete SELinux messages. run sealert -l 8317c5f8-15b1-48cb-854f-294d207f83b2
[root@s1 ~]# sealert -l 8317c5f8-15b1-48cb-854f-294d207f83b2
摘要:
SELinux is preventing the http daemon from connecting to network port 3306
详细的描述:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux has denied the http daemon from connecting to 3306. An httpd script is
trying to do a network connect to a remote port. If you did not setup httpd to
network connections, this could signal a intrusion attempt.
正在允许访问:
If you want httpd to connect to network ports you need to turn on the
httpd_can_network_network_connect boolean: "setsebool -P
httpd_can_network_connect=1"
以下命令将允许这个权限:
setsebool -P httpd_can_network_connect=1
附加的信息:
源上下文 root:system_r:httpd_t
目标上下文 system_u:object_r:mysqld_port_t
目标对象 None [ tcp_socket ]
Source httpd
Source Path /usr/sbin/httpd
Port 3306
Host s1
Source RPM Packages httpd-2.2.3-43.el5
Target RPM Packages
策略 RPM selinux-policy-2.4.6-279.el5
Selinux 激活 True
策略类型 targeted
MLS 激活 True
强制模式 Permissive
插件名称 httpd_can_network_connect
主机名 s1
平台 Linux s1 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 x86_64 x86_64
警告记数 960
First Seen Mon Mar 7 09:04:13 2011
Last Seen Mon Mar 7 10:08:16 2011
Local ID 8317c5f8-15b1-48cb-854f-294d207f83b2
行数
原始 Audit 消息
host=s1 type=AVC msg=audit(1299463696.250:1396): avc: denied { name_connect } for pid=14554 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
host=s1 type=SYSCALL msg=audit(1299463696.250:1396): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=7fff7d8e7d60 a2=10 a3=0 items=0 ppid=14550 pid=14554 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=55 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
[root@s1 ~]#
[root@s1 ~]# setsebool -P
Usage: setsebool [ -P ] boolean value | bool1=val1 bool2=val2…
[root@s1 ~]# httpd_can_network_connect=1
[root@s1 ~]# setenforce 1
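Added example (not part of the original post): a small parser for AVC records in the format shown above, which groups denials by source type, target type, object class and permission, and names the boolean that sealert pointed at for the httpd_t to mysqld_port_t case. The sample log is constructed from the page's AVC record plus two made-up entries (one repeat, one unrelated file denial); nothing else is assumed.

```python
import re
from collections import Counter

# Constructed sample: the page's AVC record, its SYSCALL companion, and two made-up AVC records.
SAMPLE_AUDIT_LOG = """\
host=s1 type=AVC msg=audit(1299463696.250:1396): avc: denied { name_connect } for pid=14554 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
host=s1 type=SYSCALL msg=audit(1299463696.250:1396): arch=c000003e syscall=42 success=no exit=-115 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0
host=s1 type=AVC msg=audit(1299463700.100:1397): avc: denied { name_connect } for pid=14555 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
host=s1 type=AVC msg=audit(1299463710.500:1398): avc: denied { read } for pid=14556 comm="httpd" name="index.html" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Fields of an AVC record; dest= is present for port targets only.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} +for +pid=(?P<pid>\d+) +comm="(?P<comm>[^"]+)"'
    r'(?: +dest=(?P<dest>\d+))?.*? scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Type component of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the parsed denial, or None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"perms": d["perms"].split(), "pid": int(d["pid"]), "comm": d["comm"],
            "dest": int(d["dest"]) if d["dest"] else None,
            "stype": type_of(d["scontext"]), "ttype": type_of(d["tcontext"]),
            "tclass": d["tclass"]}

def summarize(log_text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

# The one mapping this page establishes: sealert's plugin named this boolean for
# httpd_t -> mysqld_port_t name_connect. Other tuples get None; run sealert -l <id> for those.
BOOLEAN_HINTS = {
    ("httpd_t", "mysqld_port_t", "tcp_socket", "name_connect"): "httpd_can_network_connect",
}

def recommend(key):
    return BOOLEAN_HINTS.get(key)
```

On a live host, feed `summarize()` the output of `ausearch -m avc` or the contents of /var/log/audit/audit.log instead of the constructed sample. If your policy provides httpd_can_network_connect_db (check with `getsebool -a`), it is a narrower choice for database ports than the boolean sealert names here.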
Original article; please credit the source when reposting. Permalink: https://www.rootop.org/pages/292.html