The MySQL server is on the local host but connecting over a TCP socket.
On Jun 14, 2012, at 7:34 PM, Pádraig Brady <P@xxxxxxxxxxxxxx> wrote:
> On 06/14/2012 09:45 PM, Joseph Breu wrote:
>> Hi All,
>>
>> Running through a Fedora/OpenStack deployment in our lab and ran into the following selinux policy violation:
>>
>> type=AVC msg=audit(1339706457.635:1431): avc: denied { name_connect } for pid=31822 comm="glance-registry" dest=3306 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
>>
>> I have the following installed:
>> openstack-glance-2012.1-4.fc17.noarch
>> python-glance-2012.1-4.fc17.noarch
>> selinux-policy-targeted-3.10.0-130.fc17.noarch
>> selinux-policy-3.10.0-130.fc17.noarch
>
> So they're the latest selinux policy packages.
> The changelog says 3.10.0-120 allowed glance to connect to mysql.
> Though looking at the change it added:
>
> mysql_stream_connect(glance_registry_t)
>
> That only allows connecting on a local unix stream socket I think.
> We might have to add this rule for more general connections?
>
> allow glance_registry_t mysqld_port_t:tcp_socket name_connect;
>
> You could test it out temporarily like:
>
> echo 'type=AVC ... rest from above' | audit2allow -M openstack-glance
> semodule -i openstack-glance.pp
>
> Is your mysql server on a separate system to the glance-registry service?
> Could you send the output from:
>
> grep sql_connection /etc/glance/glance-registry.conf
>
> cheers,
> Pádraig.
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
