[2003] Can’t connect to MySQL server on ‘localhost'(13)

LOG:Jan 17 23:46:46 s1 setroubleshoot: SELinux is preventing the http daemon from connecting to network port 3306 For complete SELinux messages. run sealert -l ed55546b-97a3-4eea-9cf2-9aa2b6fce245

This is clearly an SELinux problem.

Following the hint in the log, start troubleshooting.

[root@s1 ~]# sealert -l ed55546b-97a3-4eea-9cf2-9aa2b6fce245

摘要:

SELinux is preventing the http daemon from connecting to network port 3306

详细的描述:

SELinux has denied the http daemon from connecting to 3306. An httpd script is
trying to do a network connect to a remote port. If you did not setup httpd to
network connections, this could signal a intrusion attempt.

正在允许访问:

If you want httpd to connect to network ports you need to turn on the
httpd_can_network_network_connect boolean: “setsebool -P
httpd_can_network_connect=1”

以下命令将允许这个权限:

setsebool -P httpd_can_network_connect=1

附加的信息:

源上下文                  root:system_r:httpd_t
目标上下文               system_u:object_r:mysqld_port_t
目标对象                  None [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          3306
Host                          s1
Source RPM Packages           httpd-2.2.3-43.el5
Target RPM Packages
策略 RPM                    selinux-policy-2.4.6-279.el5
Selinux 激活                True
策略类型                  targeted
MLS 激活                    True
强制模式                  Enforcing
插件名称                  httpd_can_network_connect
主机名                     s1
平台                        Linux s1 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:43
                              EDT 2010 i686 i686
警告记数                  27
First Seen                    Mon Jan 17 23:41:16 2011
Last Seen                     Tue Jan 18 00:05:35 2011
Local ID                      ed55546b-97a3-4eea-9cf2-9aa2b6fce245
行数

原始 Audit 消息

host=s1 type=AVC msg=audit(1295280335.304:112): avc:  denied  { name_connect } for  pid=4718 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

host=s1 type=SYSCALL msg=audit(1295280335.304:112): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8c5a20 a2=3fbe6f8 a3=2 items=0 ppid=4716 pid=4718 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

[root@s1 ~]# setsebool -P httpd_can_network_connect=1

[root@s1 ~]#

Accessing the site again works; problem solved.
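The boolean sealert suggests, httpd_can_network_connect, lets httpd open connections to any TCP port, while the denial above only concerns the MySQL port type. The following added example (not part of the original post) parses an AVC record like the one quoted above and names the narrowest httpd boolean that would cover it. The `DB_PORT_TYPES` set and the function names are assumptions of this example; whether httpd_can_network_connect_db is available depends on the installed policy.

```python
import re

# Constructed input: the AVC record quoted above, with the terminal line
# wrapping removed and straight quotes restored.
SAMPLE_AVC = ('host=s1 type=AVC msg=audit(1295280335.304:112): avc:  denied  '
              '{ name_connect } for  pid=4718 comm="httpd" dest=3306 '
              'scontext=root:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket')

# Assumption: port types that the narrower httpd_can_network_connect_db boolean
# covers in the targeted policy; verify on the host before relying on this set.
DB_PORT_TYPES = {"mysqld_port_t", "postgresql_port_t"}


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # blog-mangled quotes
    denied = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not denied:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = denied.group(1).split()
    # An SELinux context is user:role:type[:level]; the type drives the decision.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        fields[key + "_type"] = parts[2] if len(parts) > 2 else None
    return fields


def suggest_boolean(line):
    """Name the narrowest httpd boolean that would permit this denial, if any."""
    avc = parse_avc(line)
    if avc is None or avc["scontext_type"] != "httpd_t":
        return None
    if avc.get("tclass") != "tcp_socket" or "name_connect" not in avc["perms"]:
        return None
    if avc["tcontext_type"] in DB_PORT_TYPES:
        return "httpd_can_network_connect_db"   # database ports only
    return "httpd_can_network_connect"          # any TCP port: much broader


if __name__ == "__main__":
    print(suggest_boolean(SAMPLE_AVC))
```

On the host, `getsebool -a | grep httpd_can_network` lists which of these booleans the installed policy provides and their current state.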

[warn] NameVirtualHost 1.1.1.2:80 has no VirtualHosts

[warn] NameVirtualHost 1.1.1.2:80 has no VirtualHosts

With a virtual host configured in Apache, restarting the service reports the error above.

The configuration file is as follows:

NameVirtualHost 1.1.1.2:80
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#

<VirtualHost www2.dz.com:80>
Serveradmin venuslinux@gmail.com
Servername www2.dz.com
Documentroot /wz/dz
Errorlog logs/error_log
Customlog logs/access_log common
Directoryindex index.php
</VirtualHost>

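Most search results online say this error comes from NameVirtualHost being configured more than once, but I only configured it once.

One suggested fix did seem plausible: comment out that line and try. That worked, but it left me puzzled: why?

I then used dig to resolve www2.dz.com and found that I had forgotten to configure DNS. After adding the record and uncommenting NameVirtualHost, the restart was OK. It turns out that Apache looks up the virtual host's information when it restarts, since this is a name-based virtual host.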