| Summary: | Add boolean for mysql my.cnf access | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Felix Kaechele <felix> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WORKSFORME | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | dwalsh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-11-21 07:59:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Add a policy for this

```
cat mynsswitch.te
policy_module(mynsswitch, 1.0)
gen_require(`
    attribute nsswitch_domain;
')
mysql_read_config(nsswitch_domain)
```

Works for me and so far I'm happy with the solution. Closing.
In my shared webhosting scenario I have set up several services to query a MySQL Database for user and password info. It seems that as soon as an application is linked to the mysql client libs and tries to perform a database lookup it tries to open the mysql configuration file my.cnf. SELinux' current policy denies this access making the lookup fail.

I'd opt for a boolean that allows access to the my.cnf for such services.

So far audit2allow gives me the following:

```
allow dovecot_t mysqld_etc_t:file { read getattr open };
allow groupadd_t mysqld_etc_t:file { read getattr open };
allow local_login_t mysqld_etc_t:file { read getattr open };
allow named_t mysqld_etc_t:file { read getattr open };
allow pam_console_t mysqld_etc_t:file { read getattr open };
allow postfix_bounce_t mysqld_etc_t:file { read getattr open };
allow postfix_cleanup_t mysqld_etc_t:file { read getattr open };
allow postfix_master_t mysqld_etc_t:file { read getattr open };
allow postfix_pickup_t mysqld_etc_t:file { read getattr open };
allow postfix_qmgr_t mysqld_etc_t:file { read getattr open };
allow postfix_smtpd_t mysqld_etc_t:file { read getattr open };
allow postfix_smtp_t mysqld_etc_t:file { read getattr open };
allow procmail_t mysqld_etc_t:file { read getattr open };
allow sendmail_t mysqld_etc_t:file { read getattr open };
allow sshd_t mysqld_etc_t:file { read getattr open };
allow system_dbusd_t mysqld_etc_t:file { read getattr open };
allow useradd_t mysqld_etc_t:file { read getattr open };
```

Versions:

selinux-policy-3.10.0-51.fc16.noarch
selinux-policy-targeted-3.10.0-51.fc16.noarch
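Added example, not part of the original report or of the Fedora policy: the module in the reply applies `mysql_read_config` to every domain carrying the `nsswitch_domain` attribute, whereas the script below turns audit2allow output into a module that calls the same interface only for the domains that were actually denied, and refuses rules asking for more than read access. The module name `mymysqlcnf` and the sample rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format audit2allow prints (subset of the report's domains).
SAMPLE_RULES = """\
allow dovecot_t mysqld_etc_t:file { read getattr open };
allow postfix_smtpd_t mysqld_etc_t:file { read getattr open };
allow sshd_t mysqld_etc_t:file { read getattr open };
allow named_t mysqld_etc_t:file read;
"""

READ_PERMS = frozenset({"read", "getattr", "open"})  # permissions seen in the report
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$")

def parse_rules(text):
    """Return {(target_type, class): {source_domain: frozenset(perms)}}."""
    grouped = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        source, target, tclass, braced, single = m.groups()
        perms = frozenset((braced or single).split())
        key = (target, tclass)
        grouped[key][source] = grouped[key].get(source, frozenset()) | perms
    return grouped

def build_module(text, name="mymysqlcnf"):  # module name is hypothetical
    """Emit a .te calling mysql_read_config() per denied domain, not per attribute."""
    sources = parse_rules(text).get(("mysqld_etc_t", "file"), {})
    extra = {s: sorted(p - READ_PERMS) for s, p in sources.items() if p - READ_PERMS}
    if extra:
        raise ValueError(f"rules request more than read access: {extra}")
    domains = sorted(sources)
    lines = [f"policy_module({name}, 1.0)", "gen_require(`"]
    lines += [f"    type {d};" for d in domains]
    lines += ["')"]
    lines += [f"mysql_read_config({d})" for d in domains]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_module(SAMPLE_RULES), end="")
```

Review the generated domain list before loading the module; each entry is a service that will be able to read the MySQL client configuration.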