mysql_upgrade selinux issues

Daniel J Walsh dwalsh at redhat.com
Fri Jan 14 16:34:30 UTC 2011



On 01/14/2011 10:48 AM, Luciano Furtado wrote:
> If I do that I would be giving mysqld_t the ability to run any binary
> labeled with bin_t. There's got to be a better option; that would open it
> up too much.
> 
> 
> On 11-01-14 09:31, Dominick Grift wrote:
>> On 01/14/2011 03:28 PM, Luciano Furtado wrote:
> 
>>> when I run audit2allow I get the following:
> 
>>> #============= mysqld_t ==============
>>> allow mysqld_t bin_t:dir search;
>>> allow mysqld_t bin_t:file { read execute };
>>> allow mysqld_t bin_t:lnk_file read;
>>> allow mysqld_t shell_exec_t:file { read execute getattr
>>> execute_no_trans };
> 
>> I would probably just allow the above. Looks like it wants to run the mysql
>> command, which I guess is labelled bin_t.
> 
>> corecmd_exec_bin(mysqld_t)
>> corecmd_exec_shell(mysqld_t)
> 
>> should suffice, I believe
> 
>>> What's the proper fix here? I don't want to give the mysqld_t permission
>>> to execute arbitrary scripts. The only solution I have right now is to
>>> relabel mysql_upgrade so it runs as unconfined, and that's not much of
>>> a solution.
> 
>>> Best Regards.
>>> Luciano
> 
Being able to execute a binary without a transition does not give you a
huge amount of privs. Just because you can execute a program does not
mean the program can do everything it was designed to do. For example,
if it tries to write to a directory that mysqld_t is not allowed to
write, SELinux will block the write.
- --
selinux mailing list
selinux at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux



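As an added example, not code from anyone in this thread: a local policy module built from the two interfaces Dominick suggested, with the shell steps to compile, load and verify it. The module name, the temporary directory and the use of the refpolicy devel Makefile are my assumptions; the build and load steps only run when the SELinux tooling is present.

```shell
#!/bin/sh
# Local SELinux policy module letting mysqld_t run bin_t programs and a
# shell without a domain transition, so mysql_upgrade stays confined as
# mysqld_t (writes it is not allowed still get denied, as Dan notes).
set -eu

MODULE=mysqld_upgrade_local   # assumed module name, not from the thread

# Write the type-enforcement source to the path given as $1.
write_te() {
    cat > "$1" <<EOF
policy_module($MODULE, 1.0)

# mysqld_t is declared by the base mysql module, so it must be required.
require {
    type mysqld_t;
}

# Interfaces equivalent to the raw rules audit2allow printed:
# search/read/execute on bin_t and execute_no_trans on shell_exec_t.
corecmd_exec_bin(mysqld_t)
corecmd_exec_shell(mysqld_t)
EOF
}

# Compile the .te in directory $1 with the refpolicy devel Makefile
# (selinux-policy-devel), load it, and confirm the rule is in the policy.
build_and_load() {
    cd "$1"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    semodule -l | grep "^$MODULE"
    # setools query: the allow rule for executing bin_t files must now exist
    sesearch -A -s mysqld_t -t bin_t -c file -p execute
}

# Count the policy lines that grant the executes (used by the check below).
count_exec_rules() {
    grep -c 'corecmd_exec_' "$1"
}

main() {
    dir=$(mktemp -d)
    write_te "$dir/$MODULE.te"
    if command -v semodule >/dev/null 2>&1 \
       && [ -f /usr/share/selinux/devel/Makefile ]; then
        build_and_load "$dir"
    else
        echo "SELinux build tools not found; source left in $dir/$MODULE.te"
    fi
}
main
```

Run as root on the database host; after loading, re-run mysql_upgrade and check `ausearch -m avc -ts recent` for any remaining denials before allowing anything further.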

