Description of problem:
authenticate users in webaccess via squid, using mysql as backend.

Additional info:
libreport version: 2.0.18
kernel: 3.6.6-3.fc18.x86_64

description:
SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /var/lib/mysql.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed search access on the mysql directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep basic_db_auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:squid_t:s0
Target Context                system_u:object_r:mysqld_db_t:s0
Target Objects                /var/lib/mysql [ dir ]
Source                        basic_db_auth
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.16.2-234.fc18.x86_64
Target RPM Packages           mysql-server-5.5.28-1.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.6-3.fc18.x86_64 #1 SMP Mon Nov 5 16:26:34 UTC 2012 x86_64 x86_64
Alert Count                   7
First Seen                    2012-11-15 23:03:25 CET
Last Seen                     2012-11-16 12:06:22 CET
Local ID                      cab26192-95d7-4272-9809-c262ecb1ea37

Raw Audit Messages
type=AVC msg=audit(1353063982.520:359): avc: denied { search } for pid=1300 comm="basic_db_auth" name="mysql" dev="vda3" ino=425360 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

type=AVC msg=audit(1353063982.520:359): avc: denied { write } for pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1353063982.520:359): avc: denied { connectto } for pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1353063982.520:359): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffb8356b50 a2=6e a3=7fffb83567e0 items=0 ppid=1073 pid=1300 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=basic_db_auth exe=/usr/bin/perl subj=system_u:system_r:squid_t:s0 key=(null)

Hash: basic_db_auth,squid_t,mysqld_db_t,dir,search

audit2allow

#============= squid_t ==============
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_db_t:dir search;
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_var_run_t:sock_file write;

audit2allow -R

#============= squid_t ==============
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_db_t:dir search;
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_var_run_t:sock_file write;
Created attachment 646816: File: type
Created attachment 646817: File: hashmarkername
I forgot that there is a 2nd sealert, which I unfortunately already fixed according to the recommendations from sealert:

type=AVC msg=audit(1353139749.223:569): avc: denied { write } for pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353139749.223:569): avc: denied { connectto } for pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket

...would be nice if this could get fixed too...
This one is for the socket...:

module mypol 1.0;

require {
	type mysqld_db_t;
	type mysqld_var_run_t;
	type squid_t;
	type mysqld_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= squid_t ==============
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_db_t:dir search;
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow squid_t mysqld_var_run_t:sock_file write;
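As an added illustration of what the `grep basic_db_auth /var/log/audit/audit.log | audit2allow -M mypol` step recommended by sealert does (this is example code written for this page, not the report's own output and not audit2allow's source), the script below parses the AVC records quoted in the description and the follow-up comment and derives the same require block and allow rules as the mypol module above. The sample lines are a constructed copy of the denials on this page; the SYSCALL record is included to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials logged for squid's basic_db_auth helper
# (squid_t) talking to MySQL, plus one SYSCALL record that must be ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(1353063982.520:359): avc: denied { search } for pid=1300 comm="basic_db_auth" name="mysql" dev="vda3" ino=425360 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1353063982.520:359): avc: denied { write } for pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353063982.520:359): avc: denied { connectto } for pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1353063982.520:359): arch=x86_64 syscall=connect success=yes exit=0 comm=basic_db_auth exe=/usr/bin/perl
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'   # denied permissions, e.g. { search }
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+'        # source (process) type, e.g. squid_t
    r'\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+'        # target type, e.g. mysqld_db_t
    r'\s+tclass=(?P<tclass>\w+)'                     # object class, e.g. dir
)

def parse_avcs(text):
    """Return (source type, target type, class, permission set) per AVC denial line."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no avc: denied and are skipped
            found.append((m['stype'], m['ttype'], m['tclass'], set(m['perms'].split())))
    return found

def _perms(p):
    """Render a permission set the way audit2allow does: braces only for more than one."""
    return next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"

def build_module(text, name="mypol", version="1.0"):
    """Aggregate denials into a minimal type-enforcement module, as audit2allow -M would."""
    rules = defaultdict(set)     # (stype, ttype, tclass) -> permissions
    types, classes = set(), defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)

if __name__ == "__main__":
    print(build_module(SAMPLE_AVCS))
```

Every rule such a module grants is a permanent widening of squid_t's reach, so the generated .te is worth reading before `semodule -i`; here the three rules match what the distribution policy later added.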
Added.

commit a48c071d495f35738c324ffc1133ef8128180e4f
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 19 11:42:59 2012 +0100

    Allow authenticate users in webaccess via squid, using mysql as backend
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18
Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).
Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.