Description of problem: At present, I can add a apache administrator, webadm_u, that restricts the user (sudo) to access /var/www and restart httpd. If an equivalent MySQL administrator is set up in a similar fashion, the MySQL db administrator user can't connect to the db after sudo. Version-Release number of selected component (if applicable): - Current targeted policy. How reproducible: A Linux user 'dbadmin' was created, then: a) semanage user -a -L s0 -r s0 -R "staff_r dbadm_r system_r" -P user dbadm_u b) cp /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/dbadm_u c) semanage login -a -s dbadm_u -r s0 dbadmin echo "dbadmin ALL=(ALL) TYPE=dbadm_t ROLE=dbadm_r ALL" > /etc/sudoers.d/dbadmin d) chmod 0440 /etc/sudoers.d/dbadmin e) user dbadmin performs sudo -s to change contexts from dbadm_u/staff_r/staff_t to dbadm_u/dbadm_r/dbadm_t attempting to connect to mysql db results in avc denied while transitioning from scontext dbadm_u/dbadm_r/dbadm_t to tcontext dbadm_u/system_r/mysqld_t Workaround fix: mkdir ~/mydbadm; cd ~/mydbadm; echo "policy_module(mydbadm, 1.0.0) gen_require(\` type dbadm_t; ') mysql_stream_connect(dbadm_t)" > mydbadm.te; make -f /usr/share/selinux/devel/Makefile mydbadm.pp sudo semodule -i mydbadm.pp
I have added this to F15 policy.
mysql_admin should contain mysql_stream_connect($1)
Fixed in selinux-policy-3.9.7-33.fc14
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.