simplified question
Paul Howarth
paul at city-fan.org
Mon Nov 14 18:06:14 UTC 2005
Craig White wrote:
> I have selinux-targeted-policy-sources installed.
>
> I am trying to make entries that fix these two errors
> in //etc/selinux/targeted/src/policy/domains/local.te
>
> #1
>
> Nov 14 10:43:14 srv1 dbus: Can't send to audit system: USER_AVC pid=3024
> uid=81 loginuid=-1 message=avc: denied { send_msg } for
> scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t
> tclass=dbus

allow unconfined_t initrc_t:dbus send_msg;

> #2
>
> Nov 14 10:43:14 srv1 kernel: audit(1131990194.347:11): avc: denied
> { connectto } for pid=2941 comm="httpd" name="mysql.sock"
> scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t
> tclass=unix_stream_socket

allow httpd_t initrc_t:unix_stream_socket connectto;

> Can anyone tell me what might work here? This doesn't work...
>
> # cat /etc/selinux/targeted/src/policy/domains/local.te
> ## http to mysql
> allow httpd_t var_t:sock_file write;
> allow httpd_t unconfined_t:unix_stream_socket connectto;

See audit2allow(1) for a tool to generate rules from AVC messages.

However, I think the problem might be better resolved by other means.
The second of these issues appears to be related to your mysql.sock
having context user_u:system_r:initrc_t; on my FC4 box,
/var/lib/mysql/mysql.sock has context
system_u:object_r:mysqld_var_run_t. You might want to look into why that
is first.

Paul.
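
The mapping from an AVC denial to an allow rule that the two replies above do by hand, as an added example that is not part of the original message and is not audit2allow's own code. The function names are hypothetical, the regex only covers the two message shapes quoted in the thread, and the second helper lists each named object with its target context so the label can be checked before any rule is added.

```python
import re
from collections import defaultdict

# The two denials quoted in the thread, unwrapped onto single lines.
SAMPLE_LOG = """\
Nov 14 10:43:14 srv1 dbus: Can't send to audit system: USER_AVC pid=3024 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus
Nov 14 10:43:14 srv1 kernel: audit(1131990194.347:11): avc: denied { connectto } for pid=2941 comm="httpd" name="mysql.sock" scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)
NAME_RE = re.compile(r'\bname="?([^"\s]+)')

def parse_denials(log_text):
    """Yield one dict per AVC denial; non-AVC or malformed lines are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["scon"].count(":") < 2 or m["tcon"].count(":") < 2:
            continue
        name = NAME_RE.search(m["fields"])
        yield {
            "perms": m["perms"].split(),
            "source": m["scon"].split(":")[2],  # the type is the third field
            "target": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
            "tcontext": m["tcon"],
            "name": name.group(1) if name else None,
        }

def avc_to_rules(log_text):
    """Merge denials into sorted, de-duplicated TE allow rules."""
    merged = defaultdict(set)
    for d in parse_denials(log_text):
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def labelled_objects(log_text):
    """(name, tcontext) of named objects, to compare with the expected label."""
    return [(d["name"], d["tcontext"]) for d in parse_denials(log_text) if d["name"]]

if __name__ == "__main__":
    print("\n".join(avc_to_rules(SAMPLE_LOG)))
    print(labelled_objects(SAMPLE_LOG))
```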