Bug 551380
| Summary: | Need additional support for prelude | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Sachin Prabhu <sprabhu> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.4 | CC: | dwalsh, eparis, jrieden, mmalik, sgrubb |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
With SELinux running in the enforcing mode, the Prelude Manager was unable to connect to a MySQL server, and did not work properly. With this update, the SELinux rules have been updated to permit such connection, so that the Prelude Manager can access the server as expected.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-01-13 21:48:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fedora releases do not currently have corenet_tcp_connect_mysql_port(prelude_t) But if the mysql is local, they could get prelude to use the local fifo_file, which should be allowed. The two dac_override and dac_read_search, are probably caused by files with the wrong ownership on them. These are also not in Fedora. These permissions mean root is not the owner of a file and does not have group or other rights to the file. Sorry I have no idea of which file it is trying to access. (In reply to comment #1) > Fedora releases do not currently have > > corenet_tcp_connect_mysql_port(prelude_t) > Fixed in selinux-policy-2.4.6-283.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
With SELinux running in the enforcing mode, the Prelude Manager was unable to connect to a MySQL server, and did not work properly. With this update, the SELinux rules have been updated to permit such connection, so that the Prelude Manager can access the server as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html |
A user is using prelude packages which were downloaded either from EPEL or recompiled from Fedora. However they are hitting a road block because of the the restrictions placed on prelude by the targeted policies. The package has been configured to connect to a MySQL database on another machine. It fails with the following messages node=NODE type=AVC msg=audit(1259824960.750:24): avc: denied { name_connect } for pid=1669 comm="prelude-manager" dest=3306 scontext=root:system_r:prelude_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket Prelude-lml also needs the rights for dac_override and dac_read_search to use a pattern like /var/log/remote/*/messages. node=NODENAME type=AVC msg=audit(1260255800.409:159): avc: denied { dac_override } for pid=7340 comm="prelude-lml" capability=1 scontext=root:system_r:prelude_lml_t:s0 tcontext=root:system_r:prelude_lml_t:s0 tclass=capability node=NODENAME type=AVC msg=audit(1260255800.409:159): avc: denied { dac_read_search } for pid=7340 comm="prelude-lml" capability=2 scontext=root:system_r:prelude_lml_t:s0 tcontext=root:system_r:prelude_lml_t:s0 tclass=capability The user would like the policies to be fixed in the RPMs instead of creating custom policies.