On Tue, 2005-08-09 at 20:02 +0100, Damir Dezeljin wrote:
> Hi.
>
> I enabled SELinux in ENFORCING mode on my server for security reasons.
> Unfortunately, when SELinux is ENFORCING its policy, MySQL replication
> is not working. Below is the output from 'dmesg'.
>
> Can someone please explain to me simply how I can define a custom policy (add
> a few rules to the existing one)?
> How to solve the below problem?
> Is there a simple document describing how I can create and configure a
> new role on an existing policy (I need persistent config, so after
> rebooting I would like my definitions to be loaded automatically)? << I
> already read some docs about SELinux, however I didn't find a 'normal' doc
> for the described tasks.
>
> # dmesg
> audit(1123620294.714:4): avc: denied { connect } for pid=2206
> comm="mysqld" scontext=root:system_r:mysqld_t
> tcontext=root:system_r:mysqld_t tclass=tcp_socket
> audit(1123620294.714:5): avc: denied { name_connect } for pid=2206
> comm="mysqld" dest=3306 scontext=root:system_r:mysqld_t
> tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket

There's information on customising policy at:

http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html

The document's written for httpd on FC3 but the same principles apply. It
assumes you're using the "strict" policy, but you're probably using
"targeted" - just change "strict" to "targeted" wherever it appears.

Also, if you're running auditd then the AVC messages will be in
/var/log/audit/audit.log rather than /var/log/messages.

You might also want to bring this up on fedora-selinux-list; you might be
able to persuade Dan to add a boolean to allow this type of connection and
hence not need to customise policy at all in future.

Paul.

-- 
Paul Howarth <paul@xxxxxxxxxxxx>
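The customisation the reply points to boils down to turning each AVC denial into a type-enforcement allow rule. The following is an added example, not code from the thread or from the Fedora document: a small shell function that parses the dmesg/audit.log denial lines quoted above (embedded here as a constructed sample) into a minimal loadable policy module in the same outline form audit2allow produces. The module name `local_mysql` is an assumption, and the generated rules are meant to be read and trimmed before anything is loaded, since they allow exactly what was denied and nothing is checked for over-breadth.

```shell
#!/bin/sh
# Convert SELinux AVC denials (dmesg or /var/log/audit/audit.log lines) into
# a type-enforcement (.te) module: one "allow" rule per denial plus the
# "require" block listing the types and class permissions it references.
# Usage: avc_to_te MODULE_NAME < denials.txt   (module text goes to stdout)
avc_to_te() {
  awk -v mod="${1:-local_mysql}" '
    /avc: *denied/ {
      # The permission list sits between "{" and "}" after "denied"
      perms = $0
      sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if (sub(/^scontext=/, "", $i)) src = $i
        else if (sub(/^tcontext=/, "", $i)) tgt = $i
        else if (sub(/^tclass=/, "", $i)) cls = $i
      }
      # Only the type matters here: last field of user:role:type[:level]
      n = split(src, a, ":"); src = a[n]
      n = split(tgt, b, ":"); tgt = b[n]
      if (src == "" || tgt == "" || cls == "") next   # malformed line, skip it
      types[src] = 1; types[tgt] = 1
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++)
        if (!seen[cls, p[j]]++) classperms[cls] = classperms[cls] " " p[j]
      if (src == tgt) tgt = "self"          # same domain and target: policy idiom is "self"
      if (np > 1) perms = "{ " perms " }"  # several permissions need braces
      rules = rules "allow " src " " tgt ":" cls " " perms ";\n"
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (t in types) printf "\ttype %s;\n", t
      for (c in classperms) printf "\tclass %s {%s };\n", c, classperms[c]
      printf "}\n\n%s", rules
    }'
}

# Constructed sample input: the two denials quoted in the thread, dmesg format
sample_denials() {
  cat <<'EOF'
audit(1123620294.714:4): avc: denied { connect } for pid=2206 comm="mysqld" scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=tcp_socket
audit(1123620294.714:5): avc: denied { name_connect } for pid=2206 comm="mysqld" dest=3306 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
EOF
}

sample_denials | avc_to_te local_mysql
```

On a distribution with loadable policy modules the output can be saved as `local_mysql.te` and built with `checkmodule -M -m` and `semodule_package`, then installed with `semodule -i`, which persists across reboots; the order of lines inside the `require` block varies between awk implementations.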