
Saturday, January 22, 2011

SELinux denies access requested by httpd (Apache)


This post lists accesses that SELinux denied to the httpd (Apache) service and the way each one was fixed. Solved problems:
  • database (MySQL) access over the network
  • write access to a directory
Environment: Fedora 14 with the stock Apache installation, plus PHP and MySQL installed with yum.

Database (MySQL) access over network

Trying to connect to the local MySQL database with host 127.0.0.1. Because an IP address is given instead of "localhost", the client library uses TCP (port 3306) rather than the Unix socket, which is why the denial below is on a tcp_socket. The SELinux troubleshooter browser showed the following:

Summary:
SELinux is preventing /usr/sbin/httpd "name_connect" access on <Unknown>.


Detailed Description:
SELinux denied access requested by httpd. The current boolean settings do not
allow this access. If you have not setup httpd to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.


Allowing Access:
One of the following booleans is set incorrectly: httpd_can_network_connect, httpd_can_network_connect_db


Fix Command:
Choose one of the following to allow access:
Allow HTTPD scripts and modules to connect to the network using any TCP port.
# setsebool -P httpd_can_network_connect 1
Allow HTTPD scripts and modules to connect to databases over the network.
# setsebool -P httpd_can_network_connect_db 1
Additional Information :
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:mysqld_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          3306
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.16-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-19.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.6-45.fc14.i686
                              #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sun 23 Jan 2011 02:42:11 AM WIT
Last Seen                     Sun 23 Jan 2011 02:42:11 AM WIT
Local ID                      42bde576-2147-4060-b325-4c4e52c181eb
Line Numbers                  


Raw Audit Messages            
node=localhost.localdomain type=AVC msg=audit(1295725331.225:22524): avc:  denied  { name_connect } for  pid=3878 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket


node=localhost.localdomain type=SYSCALL msg=audit(1295725331.225:22524): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff40ec0 a2=6e820c0 a3=b items=0 ppid=3871 pid=3878 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

This problem was solved with the console command below. Of the two booleans the troubleshooter offers, httpd_can_network_connect_db is the narrower one: it lets httpd_t connect only to ports labelled as database ports (mysqld_port_t here), whereas httpd_can_network_connect lets httpd scripts and modules open TCP connections to any port, far more than a web server talking to a local database needs. The -P flag writes the setting to the policy store so it survives a reboot; getsebool httpd_can_network_connect_db confirms it afterwards.
# setsebool -P httpd_can_network_connect_db 1

SELinux prevented write access to a directory
A PHP application needed full access (read, write and append) to text files in some directories. The SELinux troubleshooter browser showed:


Summary
SELinux prevented httpd (/usr/sbin/httpd) write access to directory_a.


Detailed Description :
SELinux prevented httpd write access to directory_a. httpd scripts are not allowed to
write to content without explicit labeling of all files. If directory_a is writable
content. it needs to be labeled httpd_sys_rw_content_t or if all you need is
append you can label it httpd_sys_ra_content_t. Please refer to 'man
httpd_selinux' for more information on setting up httpd and selinux.


Allowing Access :
You can alter the file context by executing chcon -R -t httpd_sys_rw_content_t
'directory_a' You must also change the default file context files on the system in order
to preserve them even on a full relabel. "semanage fcontext -a -t
httpd_sys_rw_content_t 'directory_a'"


Fix Command :
chcon -R -t httpd_sys_rw_content_t 'directory_a'


Additional Information :
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                directory_a [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.16-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-19.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_write_content
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.6-45.fc14.i686
                              #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Mon 24 Jan 2011 02:55:07 PM WIT
Last Seen                     Mon 24 Jan 2011 02:58:04 PM WIT
Local ID                      b393b6e3-8717-49c0-869a-cb8bf31f46e3
Line Numbers                  


Raw Audit Messages            
node=localhost.localdomain type=AVC msg=audit(1295855884.922:210): avc:  denied  { write } for  pid=12346 comm="httpd" name="directory_a" dev=dm-0 ino=927573 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1295855884.922:210): arch=40000003 syscall=39 success=no exit=-13 a0=123a400 a1=1ff a2=b75ed128 a3=ffffffff items=0 ppid=12341 pid=12346 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



This problem was solved by applying the label httpd_sys_rw_content_t to directory_a from the GNOME file manager. Note that setting the label this way only changes the current context of the directory, exactly like chcon does; as the troubleshooter message above says, the default context also has to be recorded with semanage fcontext (and applied with restorecon), otherwise the label is lost on the next full relabel. Keep httpd_sys_rw_content_t on the specific directories the application must write to rather than on the whole document root: a directory the web server can both write to and serve from is the weakest spot in the setup if the application ever lets a user upload or alter content there.
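The two denials above can be triaged straight from the raw audit records rather than from the troubleshooter GUI. The script below is an added example, not part of the original post: it pulls the permission, source type, target type and object class out of an AVC record with plain sh and sed, and prints the narrowest fix for the two cases this post covers (the database boolean for a database port, a persistent semanage fcontext label plus restorecon for a directory under httpd_sys_content_t). Assumptions: the sample records are the two raw audit messages from this post; the <DIR> placeholder stands for the full path, which the AVC record does not contain (only the basename and inode); and postgresql_port_t is listed alongside mysqld_port_t because the same boolean covers the other database port types in the targeted policy. Commands are printed for review, never executed.

```shell
#!/bin/sh
# Added example (not from the original post): triage raw AVC records such as the
# two shown above and print the narrowest SELinux fix, instead of reaching for
# the blanket httpd_can_network_connect boolean or a one-off chcon.
# Plain sh + sed; the recommended commands are printed, not run.

# The two raw audit messages copied from this post, used as sample input.
SAMPLE_DB='node=localhost.localdomain type=AVC msg=audit(1295725331.225:22524): avc:  denied  { name_connect } for  pid=3878 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'
SAMPLE_DIR='node=localhost.localdomain type=AVC msg=audit(1295855884.922:210): avc:  denied  { write } for  pid=12346 comm="httpd" name="directory_a" dev=dm-0 ino=927573 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# avc_field RECORD KEY -> value of KEY=value in RECORD, quotes stripped
# (empty when the key is absent).
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perms RECORD -> the permission list between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*[{]\([^}]*\)[}].*/\1/p'
}

# avc_fix RECORD -> one line with the least-privilege remediation for an httpd_t denial
avc_fix() {
    rec=$1
    perms=$(avc_perms "$rec")
    tclass=$(avc_field "$rec" tclass)
    stype=$(avc_field "$rec" scontext | cut -d: -f3)   # e.g. httpd_t
    ttype=$(avc_field "$rec" tcontext | cut -d: -f3)   # e.g. mysqld_port_t
    name=$(avc_field "$rec" name)
    ino=$(avc_field "$rec" ino)
    dev=$(avc_field "$rec" dev)

    if [ "$stype" != httpd_t ]; then
        echo "source type is $stype, not httpd_t: inspect with audit2why"
        return 1
    fi

    case "$tclass:$ttype" in
        tcp_socket:mysqld_port_t|tcp_socket:postgresql_port_t)
            # Database port types are covered by the narrow DB boolean
            # (assumption: postgresql_port_t is handled like mysqld_port_t).
            echo "setsebool -P httpd_can_network_connect_db 1" ;;
        tcp_socket:*)
            # Anything else: identify the port before widening policy at all.
            echo "port type $ttype is not a database port: check 'semanage port -l | grep $ttype' before considering httpd_can_network_connect" ;;
        dir:httpd_sys_content_t|file:httpd_sys_content_t)
            # Append-only access gets the read/append type; anything that
            # modifies or creates content needs the read/write type.
            case " $perms " in
                *" write "*|*" create "*|*" unlink "*|*" remove_name "*) t=httpd_sys_rw_content_t ;;
                *" append "*) t=httpd_sys_ra_content_t ;;
                *) t=httpd_sys_rw_content_t ;;
            esac
            # The AVC record carries only the basename and inode, not the full
            # path; resolve <DIR> yourself (e.g. find / -xdev -inum $ino).
            echo "semanage fcontext -a -t $t '<DIR>(/.*)?' && restorecon -Rv '<DIR>' # <DIR> = full path of $name (inode $ino on $dev)" ;;
        *)
            echo "no rule for $tclass:$ttype: run audit2why on the record" ;;
    esac
}

# Demonstration on the two records from the post.
for sample in "$SAMPLE_DB" "$SAMPLE_DIR"; do
    avc_fix "$sample"
done
```

In practice you would feed it the output of ausearch -m avc -c httpd one record at a time; after applying a printed command, verify with getsebool for the boolean case and ls -Zd on the directory (plus a restorecon -n -v dry run) for the labelling case.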


<coming up next>
