RedHat 5 SELinux Gets In My Way
Ack, my WordPress suffers connectile dysfunction on a fresh install of RedHat 5! Not only did I get the above message, but dmesg was filling up with errors like this:
audit(1179258445.529:38): avc: denied { name_connect } for pid=3332 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
It turns out that I was getting stung by SELinux, which is enabled by default in RedHat 5. All the extra security is probably a good idea, if I knew how to configure it, but for the moment it was breaking a live site.
So I (well, Cliffy, Al, and I) took the short cut and set SELINUX=permissive in /etc/sysconfig/selinux (we could have gone with SELINUX=disabled, but this will help us learn…while we watch it fill our log files).
None of this would be a problem, likely, if I wasn’t using a remote MySQL server, but….
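The denial quoted above can be read field by field. As an added example (not code from the original post), this Python sketch parses an AVC record and, for the httpd_t to mysqld_port_t name_connect case, points at the httpd_can_network_connect_db boolean as a narrower change than permissive mode. The function names and the one-entry hint table are assumptions of this example.

```python
import re

# Constructed sample: the denial quoted in the post.
SAMPLE = ('audit(1179258445.529:38): avc: denied { name_connect } for pid=3332 '
          'comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 '
          'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
                    r'(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

# Hint table built for this example only (not sealert's rule set):
# (source type, target type, object class, permission) -> SELinux boolean.
BOOLEAN_HINTS = {
    ('httpd_t', 'mysqld_port_t', 'tcp_socket', 'name_connect'):
        'httpd_can_network_connect_db',
}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not one."""
    # Pasted logs often carry typographic quotes; normalise them first.
    line = line.replace('\u201c', '"').replace('\u201d', '"')
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'source_type': selinux_type(fields.get('scontext', '')),
        'target_type': selinux_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'fields': fields,
    }

def suggest(record):
    """Map a denied record to targeted commands instead of permissive mode."""
    hints = []
    for perm in record['perms'] if record['verdict'] == 'denied' else []:
        key = (record['source_type'], record['target_type'], record['tclass'], perm)
        if key in BOOLEAN_HINTS:
            hints.append('setsebool -P %s 1' % BOOLEAN_HINTS[key])
    return hints

if __name__ == '__main__':
    print(suggest(parse_avc(SAMPLE)))
```

Denials with no entry in the hint table return an empty list; those are the ones to take to sealert or audit2why.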
3 Comments

Would still potentially pose the same problems. At least if I am understanding you correctly. SELinux is more like a system firewall rather than a network firewall, so processes are restricted to their permissions, regardless of where the process is being executed. So, httpd was trying to operate outside the boundaries set within SELinux.
At least if I remember correctly. It has been a few years since I have messed with it at all.
sealert is your friend. It goes through the error logs and tells you what all the SELinux alerts and denials mean, and how to fix them.
It’s part of the setroubleshoot package, which should be installed by default.
Simon