Hi,
I'm running into some problems with MySQL and SELinux, and I need help.
Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
$ ps -eZ | grep mysqld
system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
My problem is:
it is only possible to use the "LOAD DATA INFILE" statement if SELinux is
in its permissive state.
Strangely, the logs below show no AVC denial (all I can tell from them is
that someone Chinese tried to break in, and the last line probably refers
to when I added the mysql user to some group I created). But the statement
won't work in enforcing state. Nothing gives me any hint concerning the
MySQL statement issue.
# cat /var/log/audit/audit.log | grep mysql
type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group
acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=?
res=success'
First, where could that AVC denial be?
And, well, I want to keep SELinux enforcing its policies, except for
what is needed in order to make "LOAD DATA INFILE" work.
So, what would be the proper way to achieve that?
Marcio Barbado, Jr.
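
An added example, not part of the original message: `grep mysql` matches any audit record that mentions the string, so this Python script re-joins the hard-wrapped records and splits them by type, listing failed logins separately from AVC records whose source context is `mysqld_t`. The AVC record in the sample is constructed for illustration, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Two records copied from the post (still hard-wrapped as in the e-mail) and one
# AVC record that is constructed for illustration; it is not from the poster's log.
SAMPLE = '''type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group
acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=?
res=success'
type=AVC msg=audit(1322850000.000:99): avc:  denied  { read } for  pid=1410
comm="mysqld" name="data.csv" dev=dm-0 ino=12345
scontext=system_u:system_r:mysqld_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
'''

def records(text):
    """Re-join hard-wrapped lines: a new record starts at 'type='."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("type=") or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def field(rec, key):
    """Return the value of the first key=value pair (quotes stripped), or None."""
    m = re.search(r'(?<!\w)' + re.escape(key) + r'=("[^"]*"|\S+)', rec)
    return m.group(1).strip('"\'') if m else None

def summarize(text):
    by_type, failed_logins, mysqld_avcs = Counter(), Counter(), []
    for rec in records(text):
        rtype = field(rec, "type")
        by_type[rtype] += 1
        if rtype == "USER_LOGIN" and field(rec, "res") == "failed":
            failed_logins[(field(rec, "acct"), field(rec, "addr"))] += 1
        elif rtype == "AVC" and ":mysqld_t:" in (field(rec, "scontext") or ""):
            mysqld_avcs.append((field(rec, "tcontext"), field(rec, "tclass")))
    return by_type, failed_logins, mysqld_avcs
```

Calling `summarize()` on the text of `/var/log/audit/audit.log` returns the record counts per type, the failed logins per account and address, and the target context and class of each `mysqld_t` AVC record.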