[PATCH 2/2] Fix SELinux AVCs on paste hosts due to httpd trying to connect to mysql

Mahrud Sayrafi dinovirus+NOSPAM at gmail.com
Thu Mar 14 08:58:38 UTC 2013


From: Mahrud Sayrafi <dinovirus at gmail.com>

 Sample AVC:
 Mar 14 05:37:53 paste01.phx2.fedoraproject.org tag_audit_log: node=10.5.126.59 type=AVC msg=audit(1363239466.136:23868): avc:  denied  { name_connect } for  pid=22371 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 Almost all of the AVCs from that host are due to this problem.

---
 modules/selinux-policy/files/modules/paste.te |   12 ++++++++++++
 modules/sticky-notes/manifests/init.pp        |    4 ++++
 2 files changed, 16 insertions(+), 0 deletions(-)
 create mode 100644 modules/selinux-policy/files/modules/paste.te

diff --git a/modules/selinux-policy/files/modules/paste.te b/modules/selinux-policy/files/modules/paste.te
new file mode 100644
index 0000000..62ab22d
--- /dev/null
+++ b/modules/selinux-policy/files/modules/paste.te
@@ -0,0 +1,12 @@
+
+module paste 1.0;
+
+require {
+	type mysqld_port_t;
+	type httpd_t;
+	class tcp_socket name_connect;
+}
+
+#============= httpd_t ==============
+
+allow httpd_t mysqld_port_t:tcp_socket name_connect;
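Review bot: the single rule this module adds, `allow httpd_t mysqld_port_t:tcp_socket name_connect;`, is already carried by the stock targeted policy behind the `httpd_can_network_connect_db` boolean, so a hand-built module is not needed for this AVC; a `selboolean { 'httpd_can_network_connect_db': value => on, persistent => true }` resource in the sticky-notes class would state the intent directly, survive base-policy updates, and avoid compiling and loading a custom .te on every paste host. If the custom module is kept anyway, the leading blank line and the audit2allow-style `#============= httpd_t ==============` banner can go, and a one-line comment saying why httpd needs the MySQL port (sticky-notes database backend) would help the next person who audits the policy.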
diff --git a/modules/sticky-notes/manifests/init.pp b/modules/sticky-notes/manifests/init.pp
index f8d7d44..1cefed8 100644
--- a/modules/sticky-notes/manifests/init.pp
+++ b/modules/sticky-notes/manifests/init.pp
@@ -84,6 +84,10 @@ class sticky-notes {
     require => Package["sticky-notes"],
   }
 
+  # Fix SELinux AVCs due to httpd trying to connect to mysql tcp port
+  if ($operatingsystem == "RedHat" and $operatingsystemrelease >= 6) {
+    selinux-policy::custom { 'paste': }
+  }
 } 
 
 # Proxy setup
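Review bot: `$operatingsystemrelease` is a string fact such as "6.4", so `$operatingsystemrelease >= 6` only works through the parser's implicit string-to-number coercion, which later Puppet releases reject; `versioncmp($operatingsystemrelease, '6') >= 0` is the portable form of the same guard. The `selinux-policy::custom` define is not part of this patch, so the reviewer cannot see whether it runs checkmodule/semodule_package and loads the result with semodule or just drops the .te file on disk; please confirm that, since nothing else in the hunk installs the policy.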
-- 
1.7.2.1