Bug 877642 - SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /var/lib/mysql.
Summary: SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:69c3fb5a363eb440130b6f0556e...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-11-17 15:19 UTC by Grosswiler Roger
Modified: 2012-12-07 04:31 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-07 04:31:42 UTC
Type: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-11-17 15:19 UTC, Grosswiler Roger
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-11-17 15:19 UTC, Grosswiler Roger
no flags Details

Description Grosswiler Roger 2012-11-17 15:19:11 UTC
Description of problem:
authenticate users in webaccess via squid, using mysql as backend.

Additional info:
libreport version: 2.0.18
kernel:         3.6.6-3.fc18.x86_64

description:
:SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /var/lib/mysql.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If sie denken, dass es perl standardmässig erlaubt sein sollte, search Zugriff auf mysql directory zu erhalten.
:Then sie sollten dies als Fehler melden.
:Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
:Do
:zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
:# grep basic_db_auth /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:squid_t:s0
:Target Context                system_u:object_r:mysqld_db_t:s0
:Target Objects                /var/lib/mysql [ dir ]
:Source                        basic_db_auth
:Source Path                   /usr/bin/perl
:Port                          <Unbekannt>
:Host                          (removed)
:Source RPM Packages           perl-5.16.2-234.fc18.x86_64
:Target RPM Packages           mysql-server-5.5.28-1.fc18.x86_64
:Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-3.fc18.x86_64 #1 SMP Mon Nov
:                              5 16:26:34 UTC 2012 x86_64 x86_64
:Alert Count                   7
:First Seen                    2012-11-15 23:03:25 CET
:Last Seen                     2012-11-16 12:06:22 CET
:Local ID                      cab26192-95d7-4272-9809-c262ecb1ea37
:
:Raw Audit Messages
:type=AVC msg=audit(1353063982.520:359): avc:  denied  { search } for  pid=1300 comm="basic_db_auth" name="mysql" dev="vda3" ino=425360 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
:
:
:type=AVC msg=audit(1353063982.520:359): avc:  denied  { write } for  pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
:
:
:type=AVC msg=audit(1353063982.520:359): avc:  denied  { connectto } for  pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
:
:
:type=SYSCALL msg=audit(1353063982.520:359): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffb8356b50 a2=6e a3=7fffb83567e0 items=0 ppid=1073 pid=1300 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=basic_db_auth exe=/usr/bin/perl subj=system_u:system_r:squid_t:s0 key=(null)
:
:Hash: basic_db_auth,squid_t,mysqld_db_t,dir,search
:
:audit2allow
:
:#============= squid_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow squid_t mysqld_db_t:dir search;
:#!!!! This avc is allowed in the current policy
:
:allow squid_t mysqld_t:unix_stream_socket connectto;
:#!!!! This avc is allowed in the current policy
:
:allow squid_t mysqld_var_run_t:sock_file write;
:
:audit2allow -R
:
:#============= squid_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow squid_t mysqld_db_t:dir search;
:#!!!! This avc is allowed in the current policy
:
:allow squid_t mysqld_t:unix_stream_socket connectto;
:#!!!! This avc is allowed in the current policy
:
:allow squid_t mysqld_var_run_t:sock_file write;
:

Comment 1 Grosswiler Roger 2012-11-17 15:19:16 UTC
Created attachment 646816 [details]
File: type

Comment 2 Grosswiler Roger 2012-11-17 15:19:19 UTC
Created attachment 646817 [details]
File: hashmarkername

Comment 3 Grosswiler Roger 2012-11-17 15:23:30 UTC
i forgot, that there is a 2nd sealert, which i unfortunately already fixed according to the recommendations from sealert:

type=AVC msg=audit(1353139749.223:569): avc:  denied  { write } for  pid=1300 comm="basic_db_auth" name="mysql.sock" dev="vda3" ino=410861 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353139749.223:569): avc:  denied  { connectto } for  pid=1300 comm="basic_db_auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket


...would be nice, if this could get fixed too...

Comment 4 Grosswiler Roger 2012-11-17 15:24:50 UTC
this one is for the socket...:

module mypol 1.0;

require {
	type mysqld_db_t;
	type mysqld_var_run_t;
	type squid_t;
	type mysqld_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= squid_t ==============
#!!!! This avc is allowed in the current policy

allow squid_t mysqld_db_t:dir search;
#!!!! This avc is allowed in the current policy

allow squid_t mysqld_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy

allow squid_t mysqld_var_run_t:sock_file write;

Comment 5 Miroslav Grepl 2012-11-19 10:45:39 UTC
Added.

commit a48c071d495f35738c324ffc1133ef8128180e4f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Nov 19 11:42:59 2012 +0100

    Allow authenticate users in webaccess via squid, using mysql as backend

Comment 6 Fedora Update System 2012-11-28 20:58:11 UTC
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18

Comment 7 Fedora Update System 2012-11-30 06:36:38 UTC
Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-12-02 19:30:34 UTC
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-12-06 20:12:53 UTC
Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-12-07 04:31:44 UTC
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.