From: Mahrud Sayrafi dinovirus@gmail.com
Sample AVC: Mar 14 04:49:33 bastion01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.12 type=AVC msg=audit(1363236565.099:97140): avc: denied { relabelfrom } for pid=3979 comm="restorecond" name="shadow.db" dev=dm-0 ino=1055216 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
--- configs/system/selinux/modules/fedora.te | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/configs/system/selinux/modules/fedora.te b/configs/system/selinux/modules/fedora.te index b9031f3..00d3fba 100644 --- a/configs/system/selinux/modules/fedora.te +++ b/configs/system/selinux/modules/fedora.te @@ -37,6 +37,7 @@ allow domain initrc_t:fifo_file write; # This will be fixed once we fix the fasClient auth_read_shadow(restorecond_t) auth_relabelto_shadow(restorecond_t) +auth_relabelfrom_shadow(restorecond_t)
allow system_mail_t httpd_sys_content_t:dir search; dontaudit system_mail_t httpd_t:file read;
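Review bot: the added auth_relabelfrom_shadow(restorecond_t) line sits under the "This will be fixed once we fix the fasClient" comment but nothing marks it as part of that temporary grant; relabelfrom on shadow_t is the permission to move a file out of the shadow label, so it widens the earlier read/relabelto grant in the direction that matters for a shadow copy. The AVC in the cover note is for name="shadow.db" rather than /etc/shadow itself, so a file-context fix (its own type for that database file) may remove the need for the interface entirely; if the interface stays, repeat the comment or add a ticket reference so the grant is dropped together with the fasClient fix.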
From: Mahrud Sayrafi dinovirus@gmail.com
Sample AVC: Mar 14 05:37:53 paste01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.59 type=AVC msg=audit(1363239466.136:23868): avc: denied { name_connect } for pid=22371 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
Almost all of the AVCs from that host are due to this problem.
--- modules/selinux-policy/files/modules/paste.te | 12 ++++++++++++ modules/sticky-notes/manifests/init.pp | 4 ++++ 2 files changed, 16 insertions(+), 0 deletions(-) create mode 100644 modules/selinux-policy/files/modules/paste.te
diff --git a/modules/selinux-policy/files/modules/paste.te b/modules/selinux-policy/files/modules/paste.te new file mode 100644 index 0000000..62ab22d --- /dev/null +++ b/modules/selinux-policy/files/modules/paste.te @@ -0,0 +1,12 @@ + +module paste 1.0; + +require { + type mysqld_port_t; + type httpd_t; + class tcp_socket name_connect; +} + +#============= httpd_t ============== + +allow httpd_t mysqld_port_t:tcp_socket name_connect; diff --git a/modules/sticky-notes/manifests/init.pp b/modules/sticky-notes/manifests/init.pp index f8d7d44..1cefed8 100644 --- a/modules/sticky-notes/manifests/init.pp +++ b/modules/sticky-notes/manifests/init.pp @@ -84,6 +84,10 @@ class sticky-notes { require => Package["sticky-notes"], }
+ # Fix SELinux AVCs due to httpd trying to connect to mysql tcp port + if ($operatingsystem == "RedHat" and $operatingsystemrelease >= 6) { + selinux-policy::custom { 'paste': } + } }
# Proxy setup
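Review bot: the custom module's only rule, allow httpd_t mysqld_port_t:tcp_socket name_connect, duplicates access the distribution policy already offers behind the httpd_can_network_connect_db boolean; setting the boolean avoids carrying a site-local module that has to be rebuilt and re-reviewed across policy updates, and audit2why on the sample AVC would point at that boolean. If the module is kept anyway, the leading blank line in the new file and the "#============= httpd_t ==============" banner read as unedited audit2allow output; a one-line comment naming the AVC the rule answers would be more useful to the next reader.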
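Review bot: the guard `$operatingsystem == "RedHat" and $operatingsystemrelease >= 6` only applies the module on hosts reporting operatingsystem RedHat, so if paste01 reports a different value the AVC in the cover note keeps firing; and $operatingsystemrelease is a string fact such as "6.4", so the `>= 6` test works only because Puppet numerically coerces number-like strings, which deserves a comment. Consider keying on osfamily, or dropping the release test if the module is needed on every policy version deployed.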
On Thu, 14 Mar 2013 08:58:38 +0000 Mahrud Sayrafi dinovirus+NOSPAM@gmail.com wrote:
...snip...
- # Fix SELinux AVCs due to httpd trying to connect to mysql tcp port
- if ($operatingsystem == "RedHat" and $operatingsystemrelease >= 6)
{
- selinux-policy::custom { 'paste': }
- }
}
# Proxy setup
I think we could do this one via the httpd_can_network_connect_db selinux boolean?
kevin
From: Mahrud Sayrafi dinovirus@gmail.com
Sample AVC: Mar 14 05:37:53 paste01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.59 type=AVC msg=audit(1363239466.136:23868): avc: denied { name_connect } for pid=22371 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
Almost all of the AVCs from that host are due to this problem.
--- modules/sticky-notes/manifests/init.pp | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/modules/sticky-notes/manifests/init.pp b/modules/sticky-notes/manifests/init.pp index f8d7d44..cad4443 100644 --- a/modules/sticky-notes/manifests/init.pp +++ b/modules/sticky-notes/manifests/init.pp @@ -84,6 +84,10 @@ class sticky-notes { require => Package["sticky-notes"], }
+ selboolean { "httpd_can_network_connect_db": + persistent => true, + value => on, + } }
# Proxy setup
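Review bot: `value => on` passes a bare word; Puppet accepts it as the string "on", but quoting it ("on") matches the quoted resource title on the line above and avoids surprises if a stricter parser treats bare words differently. Note also that httpd_can_network_connect_db opens httpd_t to every database port type, not only the mysqld_port_t named in the AVC; that is the accepted trade-off for using a supported boolean instead of a site module, and is worth a line in the commit message. With persistent => true the agent runs setsebool -P, which rewrites the policy store and can take noticeably long on the first run, so a slow first Puppet pass on paste01 is expected rather than a sign of a problem.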
Yes please! audit2why (or maybe audit2allow) should recommend the same thing.
-josh
On Mar 15, 2013, at 5:54 PM, Kevin Fenzi kevin@scrye.com wrote:
On Thu, 14 Mar 2013 08:58:38 +0000 Mahrud Sayrafi dinovirus+NOSPAM@gmail.com wrote:
...snip...
- # Fix SELinux AVCs due to httpd trying to connect to mysql tcp port
- if ($operatingsystem == "RedHat" and $operatingsystemrelease >= 6)
{
- selinux-policy::custom { 'paste': }
- }
}
# Proxy setup
I think we could do this one via the httpd_can_network_connect_db selinux boolean?
kevin
_______________________________________________ infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
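As an added illustration of the triage discussed in this thread (grouping the AVCs from a host, as in "almost all of AVCs from that host are due to this problem", and mapping the httpd_t to mysqld_port_t name_connect denial to the httpd_can_network_connect_db boolean that Kevin suggests and Josh expects audit2why to recommend), here is a small parser over audit lines in the format quoted above. It is not code from the thread or from Fedora Infrastructure: the sample lines are constructed from the AVCs quoted in the messages, and the single-entry KNOWN_BOOLEANS table is an assumption standing in for the boolean metadata that audit2why reads from the installed policy.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the AVC records quoted in this thread.
# The third line is a made-up repeat of the paste01 denial; the fourth is a
# non-AVC record to show that it is skipped.
SAMPLE_AUDIT_LINES = [
    'Mar 14 04:49:33 bastion01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.12 type=AVC '
    'msg=audit(1363236565.099:97140): avc: denied { relabelfrom } for pid=3979 comm="restorecond" '
    'name="shadow.db" dev=dm-0 ino=1055216 scontext=system_u:system_r:restorecond_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'Mar 14 05:37:53 paste01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.59 type=AVC '
    'msg=audit(1363239466.136:23868): avc: denied { name_connect } for pid=22371 comm="httpd" '
    'dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 '
    'tclass=tcp_socket',
    'Mar 14 05:37:58 paste01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.59 type=AVC '
    'msg=audit(1363239471.201:23870): avc: denied { name_connect } for pid=22372 comm="httpd" '
    'dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 '
    'tclass=tcp_socket',
    'Mar 14 05:38:01 paste01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.59 type=USER_AUTH '
    "msg=audit(1363239481.000:23871): pid=1 uid=0 msg='op=PAM:authentication'",
]

# An AVC record: audit header, verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="httpd") or bare (dev=dm-0).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed single-entry table: the one (domain, class, permission, target type)
# combination from this thread and the boolean that enables it. A real audit2why
# derives this from the policy on the host; this is only an illustration.
KNOWN_BOOLEANS = {
    ('httpd_t', 'tcp_socket', 'name_connect', 'mysqld_port_t'): 'httpd_can_network_connect_db',
}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A security context is user:role:type:level; the type is what policy rules name.
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'fields': fields,
    }


def summarize(lines):
    """Count denials per (source type, class, permission, target type)."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        for perm in avc['perms']:
            counts[(avc['source_type'], avc['tclass'], perm, avc['target_type'])] += 1
    return counts


def suggest(counts):
    """Pair each denial group, most frequent first, with a remediation hint."""
    report = []
    for key, n in counts.most_common():
        boolean = KNOWN_BOOLEANS.get(key)
        if boolean:
            action = 'setsebool -P %s on' % boolean
        else:
            action = 'no boolean known here; review file contexts before writing a custom module'
        report.append((key, n, action))
    return report


if __name__ == '__main__':
    for key, n, action in suggest(summarize(SAMPLE_AUDIT_LINES)):
        print('%4d  %-60s  %s' % (n, ' '.join(key), action))
```

Run on the sample lines the report lists the two paste01 name_connect denials first with the boolean hint, and the single restorecond relabelfrom denial with no boolean match, which is the split between "fix with a boolean" and "look at the file context" that the thread arrives at.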
On Thu, 14 Mar 2013 08:58:37 +0000 Mahrud Sayrafi dinovirus+NOSPAM@gmail.com wrote:
...snip...
auth_read_shadow(restorecond_t) auth_relabelto_shadow(restorecond_t) +auth_relabelfrom_shadow(restorecond_t)
allow system_mail_t httpd_sys_content_t:dir search; dontaudit system_mail_t httpd_t:file read;
Applied thanks!
kevin