Bug 877642
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /var/lib/mysql. |
| Product | Fedora |
| Reporter | Grosswiler Roger <roger> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 18 |
| CC | dominick.grift, dwalsh, mgrepl |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:69c3fb5a363eb440130b6f0556e20d652e8c92c3df7e6a16032de3381ad9677d |
| Doc Type | Bug Fix |
| Last Closed | 2012-12-07 04:31:42 UTC |

Attachments:
Created attachment 646816 [details]
File: type
Created attachment 646817 [details]
File: hashmarkername
I forgot that there is a 2nd sealert, which I unfortunately already fixed according to the recommendations from sealert:

```
type=AVC msg=audit(1353139749.223:569): avc: denied { write } for pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353139749.223:569): avc: denied { connectto } for pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
```

...would be nice if this could get fixed too...

This one is for the socket...:
```
module mypol 1.0;

require {
	type mysqld_db_t;
	type mysqld_var_run_t;
	type squid_t;
	type mysqld_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= squid_t ==============
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_db_t:dir search;

#!!!! This avc is allowed in the current policy
allow squid_t mysqld_t:unix_stream_socket connectto;

#!!!! This avc is allowed in the current policy
allow squid_t mysqld_var_run_t:sock_file write;
```
Added.
commit a48c071d495f35738c324ffc1133ef8128180e4f
Author: Miroslav Grepl <mgrepl>
Date: Mon Nov 19 11:42:59 2012 +0100
Allow authenticate users in webaccess via squid, using mysql as backend
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18

Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18 then log in and leave karma (feedback).

Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18 then log in and leave karma (feedback).

Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18 then log in and leave karma (feedback).

selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem: authenticate users in webaccess via squid, using mysql as backend.

Additional info:
libreport version: 2.0.18
kernel: 3.6.6-3.fc18.x86_64

description:
SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /var/lib/mysql.

***** Plugin catchall (100. confidence) suggests ***************************

If you think that perl should be allowed search access on the mysql directory by default.
Then you should report this as a bug.
To allow this access, you can create a local policy module.
Do
allow this access now by executing the following commands:
# grep basic_db_auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:squid_t:s0
Target Context                system_u:object_r:mysqld_db_t:s0
Target Objects                /var/lib/mysql [ dir ]
Source                        basic_db_auth
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.16.2-234.fc18.x86_64
Target RPM Packages           mysql-server-5.5.28-1.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.6-3.fc18.x86_64 #1 SMP Mon Nov 5 16:26:34 UTC 2012 x86_64 x86_64
Alert Count                   7
First Seen                    2012-11-15 23:03:25 CET
Last Seen                     2012-11-16 12:06:22 CET
Local ID                      cab26192-95d7-4272-9809-c262ecb1ea37

Raw Audit Messages
```
type=AVC msg=audit(1353063982.520:359): avc: denied { search } for pid=1300 comm="basic_db_auth" name="mysql" dev="vda3" ino=425360 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

type=AVC msg=audit(1353063982.520:359): avc: denied { write } for pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1353063982.520:359): avc: denied { connectto } for pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1353063982.520:359): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffb8356b50 a2=6e a3=7fffb83567e0 items=0 ppid=1073 pid=1300 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=basic_db_auth exe=/usr/bin/perl subj=system_u:system_r:squid_t:s0 key=(null)
```

Hash: basic_db_auth,squid_t,mysqld_db_t,dir,search

audit2allow
```
#============= squid_t ==============
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_db_t:dir search;

#!!!! This avc is allowed in the current policy
allow squid_t mysqld_t:unix_stream_socket connectto;

#!!!! This avc is allowed in the current policy
allow squid_t mysqld_var_run_t:sock_file write;
```

audit2allow -R
```
#============= squid_t ==============
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_db_t:dir search;

#!!!! This avc is allowed in the current policy
allow squid_t mysqld_t:unix_stream_socket connectto;

#!!!! This avc is allowed in the current policy
allow squid_t mysqld_var_run_t:sock_file write;
```
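As an added illustration (not code from this report, from sealert, or from the selinux-policy project), the following Python script does for the AVC records quoted in this report what the `audit2allow -M mypol` step in the sealert advice does in its simplest form: it parses each `denied` record, merges the denied permissions by (source type, target type, object class), and renders a `.te` module like the `mypol` one the reporter posted. It also pairs the `SYSCALL` record with the denials that share its event id: `success=yes` next to a denial means the access went through anyway, which is the signature of permissive mode and matches the `Enforcing Mode Permissive` line above. The function names, the regular expressions and the module name are this example's own choices; the sample audit text is the report's own records, embedded here so the script runs offline.

```python
"""Derive SELinux allow rules from raw AVC denial records (audit2allow-style)
and flag events whose syscall still succeeded (permissive mode)."""
import re
from collections import defaultdict

# Sample input: the four audit records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1353063982.520:359): avc: denied { search } for pid=1300 comm="basic_db_auth" name="mysql" dev="vda3" ino=425360 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1353063982.520:359): avc: denied { write } for pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353063982.520:359): avc: denied { connectto } for pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1353063982.520:359): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffb8356b50 a2=6e a3=7fffb83567e0 items=0 ppid=1073 pid=1300 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=basic_db_auth exe=/usr/bin/perl subj=system_u:system_r:squid_t:s0 key=(null)
"""

# One AVC record: verdict, permission set in braces, then the two contexts and the class.
# Real audit logs have two spaces after "avc:"; \s+ copes with both spellings.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
EVENT_RE = re.compile(r'msg=audit\((?P<event>[\d.]+:\d+)\)')


def context_type(ctx):
    """user:role:type[:level] -> the type component (third field)."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Return one dict per AVC record found in the audit text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        records.append({
            'verdict': m.group('verdict'),
            'perms': set(m.group('perms').split()),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'comm': comm.group(1) if comm else None,
        })
    return records


def derive_allow_rules(records):
    """Merge denials that share (source type, target type, class) into one rule
    each; returns {(stype, ttype, tclass): set_of_permissions}."""
    merged = defaultdict(set)
    for r in records:
        if r['verdict'] == 'denied':
            merged[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return dict(merged)


def format_perms(perms):
    """Single permission bare, several inside braces, as in policy source."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'


def render_module(name, version, merged):
    """Emit Type Enforcement source with the require block audit2allow -M adds."""
    types, classes, body = set(), defaultdict(set), []
    for (s, t, c), perms in sorted(merged.items()):
        types.update((s, t))
        classes[c] |= perms
        body.append(f'allow {s} {t}:{c} {format_perms(perms)};')
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\tclass {c} {format_perms(p)};' for c, p in sorted(classes.items())]
    lines += ['}', ''] + body
    return '\n'.join(lines) + '\n'


def permissive_events(text):
    """Event ids that carry both an AVC denial and a SYSCALL with success=yes:
    the denial was logged but not enforced (permissive domain or host)."""
    denied, succeeded = set(), set()
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        if line.startswith('type=AVC') and re.search(r'avc:\s+denied', line):
            denied.add(m.group('event'))
        elif line.startswith('type=SYSCALL') and 'success=yes' in line:
            succeeded.add(m.group('event'))
    return sorted(denied & succeeded)


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AUDIT)
    print(render_module('mypol', '1.0', derive_allow_rules(recs)))
    for ev in permissive_events(SAMPLE_AUDIT):
        print(f'event {ev}: denied but syscall succeeded (permissive mode)')
```

The rules this produces are the broad "allow exactly what was denied" kind that `audit2allow` emits; the sealert text's first suggestion, reporting the gap so the distribution policy gains a proper rule, is the route this report took, and commit a48c071 above is the result of that route.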