Running the mysql command as a mortal user dies:
$ mysql -hlocalhost -u MMMMMM -p MMMMMM
Enter password:
ERROR 2002: Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13)
after throwing this avc message:
May 24 21:34:19 pink kernel: audit(1085448859.069:0): avc: denied { search } for
pid=4519 exe=/usr/bin/mysql name=mysql dev=dm-6 ino=129035 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:mysqld_db_t tclass=dir
It's not able to search /var/lib/mysql to find the socket...
A (slightly edited) grep shows us:
[/etc/security/selinux/src/policy]3 find . | xargs grep mysqld_var_run | more
./domains/program/apache.te:allow httpd_php_t mysqld_var_run_t:dir { search };
./domains/program/apache.te:allow httpd_php_t mysqld_var_run_t:sock_file { write };
./domains/program/mysqld.te:allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
./domains/program/mysqld.te:allow initrc_t mysqld_var_run_t:sock_file write;
./domains/program/mysqld.te:allow logrotate_t mysqld_var_run_t:dir search;
./domains/program/mysqld.te:allow logrotate_t mysqld_var_run_t:sock_file write;
./file_contexts/program/mysqld.fc:/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
./file_contexts/file_contexts:/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
Does anybody see a good reason why we don't have this too:
mysqld.te: allow mysql_cmd_t mysqld_var_run_t:dir search;
mysqld.te: allow mysql_cmd_t mysqld_var_run_t:sock_file write;
and add this to mysqld.fc:
/usr/bin/mysql system_u:object_r:mysql_cmd_t
(or the correct version thereof, it's way too late to think straight.. ;)
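The first step in a case like this is reading the AVC denial itself rather than the client's error: the "(13)" in the mysql error is EACCES, and the kernel's avc message names the exact source type (user_t), target type (mysqld_db_t, the label of /var/lib/mysql where this box keeps its socket) and object class (dir) that were refused. The following script is an added example, not part of the original post or of the SELinux policy tree it quotes; it parses old-style "audit(...): avc: denied" lines like the one above and merges them into the TE allow rules that would silence them, much as audit2allow does. The first sample line is the denial from the post; the second (the sock_file write that would follow once the search is allowed) and the unrelated third line are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the denial quoted in the post; line 2 is a
# constructed follow-on denial (same labels assumed); line 3 is noise.
SAMPLE_LOG = """\
May 24 21:34:19 pink kernel: audit(1085448859.069:0): avc: denied { search } for pid=4519 exe=/usr/bin/mysql name=mysql dev=dm-6 ino=129035 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mysqld_db_t tclass=dir
May 24 21:35:02 pink kernel: audit(1085448902.113:0): avc: denied { write } for pid=4521 exe=/usr/bin/mysql name=mysql.sock dev=dm-6 ino=129040 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mysqld_db_t tclass=sock_file
May 24 21:36:00 pink kernel: some unrelated kernel message
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the parts of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # A context is user:role:type; only the type matters for a TE rule.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        "exe": fields.get("exe"),
        "name": fields.get("name"),
    }


def suggest_rules(log_text):
    """Merge all denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

On the sample input this prints "allow user_t mysqld_db_t:dir { search };" and "allow user_t mysqld_db_t:sock_file { write };". That is the literal translation of the denials, and it is deliberately the least interesting answer: it grants every process in the ordinary user domain access to the server's data directory and socket. The post's proposal of a separate mysql_cmd_t domain entered from /usr/bin/mysql, with the allow rules written for that domain, is the narrower fix; the generated rules are useful mainly for seeing exactly which types and classes are in play. Note also that the denial is against mysqld_db_t while the grep results and proposed rules are about mysqld_var_run_t, the label for /var/run/mysqld; whichever directory the socket actually lives in is the type the rule needs.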