Posted by: Xjlittle
I am bringing up a new Virtual Host with VMs of MySQL, music-repo and a webserver. All of these are on CentOS with SELinux enabled. No, I’m not a glutton for punishment using SELinux for all of these machines that are interconnected to each other. I believe the time is coming when organizations are going to insist on the type of security that SELinux provides.
Moving on I mentioned that my MySQL server is on one box and my web server on another. One of the applications that I use is KPlaylist. This is a streaming server for mp3s, movies or just about anything you want to stream. My first snag was getting it to log into MySQL and create the database.
After about an hour of looking for normal causes I decided to turn on setroubleshoot. This is a great tool when looking for SELinux problems. After I turned it on I found this in /var/log/messages:
Nov 20 15:40:47 web setroubleshoot: SELinux is preventing the http daemon from connecting to network port 3306 For complete SELinux messages. run sealert -l 65919ff0-ddd1-4a4b-801d-f54023da86ac
So then I ran the sealert command shown in the message:
sealert -l 65919ff0-ddd1-4a4b-801d-f54023da86ac
This gave me the following along with some other information:
setsebool -P httpd_can_network_connect=1
Voila! My problem was fixed. Well, almost. I then discovered that iptables was blocking the port. After opening the port using the GUI “system-config-securitylevel” all was well. KPlaylist installed its database just like it was supposed to.
My next hurdle was getting the nfs share on the music-repo server to mount on to the web server. Checking for another sealert I found one on the webserver called
Nov 20 23:57:33 web setroubleshoot: SELinux prevented the http daemon from reading files stored on a NFS filesytem. For complete SELinux messages. run sealert -l f76bd0be-d375-436f-9c09-2086da0d7a39
After running this I got the following information:
setsebool -P httpd_use_nfs=1
Well this didn’t totally solve my problem but I did notice that things were getting fixed with the setsebool command. I went looking around the net to see what I could learn about it.
What I learned is that if you are having a problem with a service, you should run the command getsebool -a |grep someservice. I decided to try that with NFS and this is what I got:
[root@music-repo ~]# getsebool -a |grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
samba_share_nfs --> off
use_nfs_home_dirs --> off
The last line was what I found interesting. I had originally had my music directory on the music-repo machine at the root of the system. My thought was, OK, let’s create a user with a home directory and enable that boolean. I created a user on the music-repo system called apache and moved the /music directory into /home/apache. I then ran the command:
setsebool -P use_nfs_home_dirs=on
I also moved the music directory that I was mounting to under /var/www, which is apache’s home, and ran the same command. Now everything was connected and working as it is supposed to.
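As an added example (not from the original post), here is a small POSIX shell helper that applies the getsebool/setsebool approach described above: it parses output in the getsebool -a format and prints the setsebool -P commands still needed for the booleans this setup ended up using. The boolean state below is constructed sample data, not output from the author’s machines.

```shell
#!/bin/sh
# Added example: compare current SELinux boolean state (getsebool -a format)
# against the booleans a web server + remote MySQL + NFS music share needs,
# and print the persistent setsebool -P commands that are still missing.

# Constructed sample state; in live use replace with "$(getsebool -a)".
SAMPLE_STATE='allow_ftpd_use_nfs --> off
httpd_can_network_connect --> off
httpd_use_nfs --> on
use_nfs_home_dirs --> off
nfs_export_all_ro --> on'

# Booleans the post turned on, in order of discovery.
NEEDED="httpd_can_network_connect httpd_use_nfs use_nfs_home_dirs"

# bool_state STATE NAME -> prints "on", "off", or "missing" (not in this policy)
bool_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# missing_bools STATE "NAMES" -> each needed boolean that is currently off,
# one per line; booleans absent from the policy are reported on stderr only.
missing_bools() {
    for b in $2; do
        case "$(bool_state "$1" "$b")" in
            on) ;;
            off) printf '%s\n' "$b" ;;
            missing) printf '%s not present in this policy\n' "$b" >&2 ;;
        esac
    done
}

# fix_commands STATE "NAMES" -> the setsebool -P lines to run; -P makes the
# change persist across reboots, like the commands sealert suggested.
fix_commands() {
    missing_bools "$1" "$2" | while read -r b; do
        printf 'setsebool -P %s=1\n' "$b"
    done
}

fix_commands "$SAMPLE_STATE" "$NEEDED"
```

Running it against the sample state prints only the two commands for the booleans still off, so the script can be re-run after each change as a check.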
A note of interest to those of you who would prefer a GUI: you should install policycoreutils-gui. This will give you a nice GUI called system-config-selinux. In this GUI you can browse through everything SELinux has to say and can change.
Now to get that setup as a share for the Windows users so that they can store their music and get it backed up.