Bug 551380 - Need additional support for prelude
Summary: Need additional support for prelude
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.4
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-30 11:32 UTC by Sachin Prabhu
Modified: 2018-11-14 17:25 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
With SELinux running in the enforcing mode, the Prelude Manager was unable to connect to a MySQL server, and did not work properly. With this update, the SELinux rules have been updated to permit such connection, so that the Prelude Manager can access the server as expected.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:48:17 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Sachin Prabhu 2009-12-30 11:32:52 UTC
A user is using prelude packages which were downloaded either from EPEL or recompiled from Fedora. However they are hitting a road block because of the the restrictions placed on prelude by the targeted policies.


The package has been configured to connect to a MySQL database on another machine. It fails with the following messages

node=NODE type=AVC msg=audit(1259824960.750:24): avc: denied { name_connect } for pid=1669 comm="prelude-manager" dest=3306 scontext=root:system_r:prelude_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

Prelude-lml also needs the rights for dac_override and dac_read_search to use a pattern like /var/log/remote/*/messages.

node=NODENAME type=AVC msg=audit(1260255800.409:159): avc:  denied  { dac_override } for  pid=7340 comm="prelude-lml" capability=1 scontext=root:system_r:prelude_lml_t:s0 tcontext=root:system_r:prelude_lml_t:s0 tclass=capability
node=NODENAME type=AVC msg=audit(1260255800.409:159): avc:  denied  { dac_read_search } for  pid=7340 comm="prelude-lml" capability=2 scontext=root:system_r:prelude_lml_t:s0 tcontext=root:system_r:prelude_lml_t:s0 tclass=capability 

The user would like the policies to be fixed in the RPMs instead of creating custom policies.

Comment 1 Daniel Walsh 2009-12-30 13:37:30 UTC
Fedora releases do not currently have

corenet_tcp_connect_mysql_port(prelude_t)


But if the mysql is local, they could get prelude to use the local fifo_file, which should be allowed.

The two dac_override and dac_read_search, are probably caused by files with the wrong ownership on them.  These are also not in Fedora.  These permissions mean root is not the owner of a file and does not have group or other rights to the file.  Sorry I have no idea of which file it is trying to access.

Comment 3 Miroslav Grepl 2010-09-09 13:29:03 UTC
(In reply to comment #1)
> Fedora releases do not currently have
> 
> corenet_tcp_connect_mysql_port(prelude_t)
> 

Fixed in selinux-policy-2.4.6-283.el5.noarch

Comment 6 Jaromir Hradilek 2011-01-05 16:08:57 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
With SELinux running in the enforcing mode, the Prelude Manager was unable to connect to a MySQL server, and did not work properly. With this update, the SELinux rules have been updated to permit such connection, so that the Prelude Manager can access the server as expected.

Comment 8 errata-xmlrpc 2011-01-13 21:48:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html


Note You need to log in before you can comment on or make changes to this bug.