Schlagwort: linux

Create custom SELinux Policy

tomas.dusek@tomdus.de Schreib einen Kommentar

Problem: The apche httpd cannot connect to tomcat running on port 8009 with AJP protocol.

Detection

curl localhost returns 503

curl localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>

There is Permission denied: AH00957 in apache httpd (ssl)_error_log

sudo cat /var/log/httpd/error_log
[Wed Feb 15 16:24:38.140421 2023] [proxy:error] [pid 10679:tid 10824] (13)Permission denied: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (127.0.0.1) failed[Wed Feb 15 16:24:38.140455 2023] [proxy:error] [pid 10679:tid 10824] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s[Wed Feb 15 16:24:38.140458 2023] [proxy_ajp:error] [pid 10679:tid 10824] [client 127.0.0.1:36812] AH00896: failed to make connection to backend: 127.0.0.1

Remedy (1)

sudo setsebool -P httpd_can_network_connect 1

Remedy (2)

Create custom SELinux policy, let generate type enforcement file

sudo grep http /var/log/audit/audit.log | grep denied | audit2allow -m httplocalconf > httplocalconf.te

Edit generated type enforcement httplocalconf.te file

module httplocalconf 1.0;

require {
        type httpd_t;
        type http_port_t;
        class tcp_socket name_connect;
        class file read;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_graceful_shutdown, httpd_can_network_relay, nis_enabled
allow httpd_t http_port_t:tcp_socket name_connect;

Convert it to policy module

checkmodule -M -m -o httplocalconf.mod httplocalconf.te

Compile new  policy

semodule_package -o httplocalconf.pp -m httplocalconf.mod

Install new policy

sudo semodule -i httplocalconf.pp

Links

How to create its own custom SELinux policy module wisely

How to read and correct SELinux denial messages

Chapter 5. Troubleshooting problems related to SELinux

Connect to MySQL with python

tomas.dusek@tomdus.de Schreib einen Kommentar

The mysql libraries are not per see installed with python, thus:

sudo apt-get install python-mysql

Script:


#!/usr/bin/python
import MySQLdb

db = MySQLdb.connect(host="localhost", # your host, usually localhost
    user="tomas", # your username
    passwd="tomas1234", # your password
    db="test") # name of the data base

# Create a cursor object that executes all required queries
cur = db.cursor()

# create sample table
cur.execute("CREATE TABLE IF NOT EXISTS tomastest(id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, data VARCHAR(100))")

# create sample data
cur.execute("INSERT INTO tomastest(data) VALUES('Test data'); commit;")

# execute select sql
cur.execute("SELECT * FROM tomastest")

# Get the number of rows in the resultset
numrows = cur.rowcount
print "Rows count: ",numrows
for row in cur.fetchall():
    print row[0], row[1]
db.close()

If not providede, thus create test mysql db (sMySQL Docs)

mysql> CREATE DATABASE test;
mysql> use test

If not already exist create user (MySQL Docs)

mysql> CREATE USER 'tomas'@'localhost' IDENTIFIED BY 'tomas1234';
mysql> GRANT ALL ON test.* TO 'tomas'@'localhost';