[RESOLVED] SELinux Policy - CentOS 6 and Plesk 11.0.9

xeont
Posts: 3
Joined: 2013/06/14 14:08:27

[RESOLVED] SELinux Policy - CentOS 6 and Plesk 11.0.9

Post by xeont » 2013/06/14 15:05:52

Hi,

I just want to know, is it safe to allow this:

type=AVC msg=audit(1371040560.733:21059): avc: denied { connectto } for pid=9890 comm="sshd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket

Please advise.

Regards,
Xeont

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

[RESOLVED] SELinux Policy - CentOS 6 and Plesk 11.0.9

Post by unspawn » 2013/06/16 10:19:01

Instead of the AVC message you should pipe it through 'audit2allow -v':
[code]
#============= sshd_t ==============
# src="sshd_t" tgt="mysqld_t" class="unix_stream_socket", perms="connectto"
# comm="sshd" exe="" path=""
allow sshd_t mysqld_t:unix_stream_socket connectto;
[/code]
and post [i]your understanding of[/i] that result.


[quote]xeont wrote:
I just want to know, is it safe to Allow this[/quote]
What the above, if loaded as a custom local policy, would do is allow a process with an SSH daemon context to use a local UNIX socket to connect to a process running in the MySQL daemon context. As long as proper machine, account and service hardening is in place, service access ACLs, configuration and authentication are not weakened and other SELinux rules apply, this should not represent a threat IMHO.
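
The "understand the rule before you load it" step unspawn asks for, as an added example that is not from the thread and not code from Plesk or CentOS: a POSIX shell script that parses the posted AVC denial into the same allow rule `audit2allow` prints, renders it as a complete local module source (.te) with the require block the rule needs, and keeps the compile-and-load step (`checkmodule`, `semodule_package`, `semodule -i`) in a separate function so nothing is installed until you have read the rule. The module name `local_sshd_mysql`, the function names and the constructed sample AVC lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Converts one AVC denial line
# into the allow rule audit2allow would emit, then into a loadable local
# policy module. Module name and sample lines below are constructed.

# Constructed sample input: the denial posted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1371040560.733:21059): avc: denied { connectto } for pid=9890 comm="sshd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket'

# Parse one AVC line into AVC_SRC, AVC_TGT, AVC_CLASS and AVC_PERMS.
# The type is the third colon-separated field of a context
# (system_u:system_r:sshd_t:s0-s0:c0.c1023 -> sshd_t). Returns 1 when any
# field is missing so a garbled line never becomes a bogus rule.
parse_avc() {
    AVC_SRC=$(printf '%s\n' "$1"   | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    AVC_TGT=$(printf '%s\n' "$1"   | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    AVC_CLASS=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    AVC_PERMS=$(printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
    [ -n "$AVC_SRC" ] && [ -n "$AVC_TGT" ] && [ -n "$AVC_CLASS" ] && [ -n "$AVC_PERMS" ]
}

# Policy syntax needs braces only when more than one permission is listed.
fmt_perms() {
    case $1 in
        *' '*) printf '{ %s }' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# The one-line rule audit2allow prints for this denial.
avc_to_allow() {
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s %s;\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLASS" "$(fmt_perms "$AVC_PERMS")"
}

# Complete .te source: module header, a require block declaring every type
# and class the rule references (declared once if source and target match),
# then the rule itself. Usage: avc_to_te <module-name> <avc-line>
avc_to_te() {
    parse_avc "$2" || return 1
    perms=$(fmt_perms "$AVC_PERMS")
    types="    type $AVC_SRC;"
    if [ "$AVC_SRC" != "$AVC_TGT" ]; then
        types="$types
    type $AVC_TGT;"
    fi
    printf 'module %s 1.0;\n\nrequire {\n%s\n    class %s %s;\n}\n\n' \
        "$1" "$types" "$AVC_CLASS" "$perms"
    printf 'allow %s %s:%s %s;\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLASS" "$perms"
}

# Compile and load the module. Deliberately separate from the rendering
# functions: run it only after you have read the rule and accepted it.
build_and_load() {
    name=$1
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool (policycoreutils)" >&2; return 1; }
    done
    avc_to_te "$name" "$2" > "$name.te" || return 1
    checkmodule -M -m -o "$name.mod" "$name.te" &&
        semodule_package -o "$name.pp" -m "$name.mod" &&
        semodule -i "$name.pp"
}

# Show what the sample denial would become; nothing is loaded here.
avc_to_te local_sshd_mysql "$SAMPLE_AVC"
```

On a real host the input line comes from the audit log, for example `ausearch -m avc -c sshd` or a `grep 'comm="sshd"' /var/log/audit/audit.log`, and `build_and_load local_sshd_mysql "$line"` is the only step that changes the running policy; it is also the step to skip if the rule is broader than the single socket access the thread discusses.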

xeont
Posts: 3
Joined: 2013/06/14 14:08:27

Re: [RESOLVED] SELinux Policy - CentOS 6 and Plesk 11.0.9

Post by xeont » 2013/06/28 23:26:53

Thank you very much unspawn.

I didn't receive a notification to my email about the reply.

Appreciate your help.
