On Mon, 2005-11-14 at 18:06 +0000, Paul Howarth wrote:
> Craig White wrote:
> > I have selinux-targeted-policy-sources installed.
> >
> > I am trying to make entries that fix these two errors
> > in //etc/selinux/targeted/src/policy/domains/local.te
> >
> > #1
> >
> > Nov 14 10:43:14 srv1 dbus: Can't send to audit system: USER_AVC pid=3024
> > uid=81 loginuid=-1 message=avc: denied { send_msg } for
> > scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t
> > tclass=dbus
>
> allow unconfined_t initrc_t:dbus send_msg;
>
> > #2
> >
> > Nov 14 10:43:14 srv1 kernel: audit(1131990194.347:11): avc: denied
> > { connectto } for pid=2941 comm="httpd" name="mysql.sock"
> > scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t
> > tclass=unix_stream_socket
>
> allow httpd_t initrc_t:unix_stream_socket connectto;
>
> > Can anyone tell me what might work here? This doesn't work...
> >
> > # cat /etc/selinux/targeted/src/policy/domains/local.te
> > ## http to mysql
> > allow httpd_t var_t:sock_file write;
> > allow httpd_t unconfined_t:unix_stream_socket connectto;
>
> See audit2allow(1) for a tool to generate rules from AVC messages.
>
> However, I think the problem might be better resolved by other means.
> The second of these issues appears to be related to your mysql.sock
> having context user_u:system_r:initrc_t; on my FC4 box,
> /var/lib/mysql/mysql.sock has context
> system_u:object_r:mysqld_var_run_t. You might want to look into why that
> is first.
----
Thanks Paul,
well - this was from CentOS 4.2 so that may account for a difference. I
tried asking on CentOS list several times and all that seems to do is
spark a debate between those that simply shut off SELinux and those like
me who want to learn to live with it...of course the questions never get
answered.
audit2allow doesn't show anything concerning the dbus error. That still
is present. The above did fix the problem with connecting between httpd
-> mysql.sock so that is cool. The dbus error has been around for a
while and it doesn't seem to prevent anything that I need but would like
the education of it - so it remains.
audit2allow doesn't have a man page so I haven't garnered much of
anything that isn't in audit2allow --help.
I'll keep looking but I appreciate the help and I have learned much
today already (selinux-targeted-policy-sources was a good one)
grep -r mysql /etc/selinux |grep run
turns up (among other things)...
/etc/selinux/targeted/contexts/files/file_contexts:/var/lib/mysql/mysql
\.sock -s system_u:object_r:mysqld_var_run_t
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
