The MySQL server is on the local host but connecting over a TCP socket.

On Jun 14, 2012, at 7:34 PM, Pádraig Brady <P@xxxxxxxxxxxxxx> wrote:

> On 06/14/2012 09:45 PM, Joseph Breu wrote:
>> Hi All,
>>
>> Running through a Fedora/OpenStack deployment in our lab and ran into the following selinux policy violation:
>>
>> type=AVC msg=audit(1339706457.635:1431): avc: denied { name_connect } for pid=31822 comm="glance-registry" dest=3306 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
>>
>> I have the following installed:
>> openstack-glance-2012.1-4.fc17.noarch
>> python-glance-2012.1-4.fc17.noarch
>> selinux-policy-targeted-3.10.0-130.fc17.noarch
>> selinux-policy-3.10.0-130.fc17.noarch
>
> So they're the latest selinux policy packages.
> The changelog says 3.10.0-120 allowed glance to connect to mysql.
> Though looking at the change it added:
>
> mysql_stream_connect(glance_registry_t)
>
> That only allows connecting on a local unix stream socket I think.
> We might have to add this rule for more general connections?
>
> allow glance_registry_t mysqld_port_t:tcp_socket name_connect;
>
> You could test it out temporarily like:
>
> echo 'type=AVC ... rest from above' | audit2allow -M openstack-glance
> semodule -i openstack-glance.pp
>
> Is your mysql server on a separate system to the glance-registry service?
> Could you send the output from:
>
> grep sql_connection /etc/glance/glance-registry.conf
>
> cheers,
> Pádraig.

_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
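The thread turns on reading the AVC record correctly: the source type (glance_registry_t), the target type (mysqld_port_t), the object class (tcp_socket) and the denied permission (name_connect) together determine the allow rule, and a unix-stream interface such as mysql_stream_connect() cannot satisfy a TCP name_connect denial. The following is an added illustration, not code from the thread or from the audit2allow tool: a small Python parser that extracts those fields from an AVC line and emits the same type-enforcement (.te) module text that `audit2allow -M` would build for it. The only input is the AVC line quoted in the thread; the function names (parse_avc, allow_rule, te_module, is_tcp_name_connect) are this example's own.

```python
import re

# The AVC denial exactly as quoted in the thread (sample input for this example).
AVC_LINE = (
    'type=AVC msg=audit(1339706457.635:1431): avc: denied { name_connect } '
    'for pid=31822 comm="glance-registry" dest=3306 '
    'scontext=system_u:system_r:glance_registry_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'
)

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be quoted (comm="glance-registry") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type component of user:role:type[:range]."""
    return context.split(':')[2]


def parse_avc(line):
    """Break one AVC denial line into the pieces a policy rule needs."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial line')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'source_type': _type_of(fields['scontext']),
        'target_type': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'dest': fields.get('dest'),
    }


def is_tcp_name_connect(avc):
    """True when the denial is an outbound TCP connect to a labelled port,
    i.e. the case a *_stream_connect() (unix socket) interface does not cover."""
    return avc['tclass'] == 'tcp_socket' and 'name_connect' in avc['perms']


def _perm_set(perms):
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(avc):
    """Render the allow rule implied by a parsed denial."""
    return (f"allow {avc['source_type']} {avc['target_type']}:"
            f"{avc['tclass']} {_perm_set(avc['perms'])};")


def te_module(avcs, name, version='1.0'):
    """Build the .te source audit2allow -M would produce for these denials."""
    types, classes, rules = set(), {}, []
    for avc in avcs:
        types.update((avc['source_type'], avc['target_type']))
        classes.setdefault(avc['tclass'], set()).update(avc['perms'])
        rules.append(allow_rule(avc))
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'    type {t};' for t in sorted(types)]
    lines += [f'    class {c} {_perm_set(p)};' for c, p in sorted(classes.items())]
    lines += ['}', ''] + rules
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print('TCP name_connect denial:', is_tcp_name_connect(avc))
    print(te_module([avc], 'openstack-glance'))
```

Running the block prints a module whose single rule is `allow glance_registry_t mysqld_port_t:tcp_socket name_connect;`, matching the rule proposed in the thread. The .te text is what audit2allow compiles into the .pp that `semodule -i` loads; the parser is deliberately strict (it raises on non-denial lines) so that unrelated audit records are never turned into allow rules by accident.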