MySQL+Selinux problem

Stephen Smalley sds at tycho.nsa.gov
Tue Apr 12 12:23:58 UTC 2005


On Tue, 2005-04-12 at 15:09 +0800, Michael Calizo wrote:
> Hi,
> 
> I have been banging my head to resolve this SELinux+MySQL problem on
> Fedora Core 3.
> 
> I followed these steps from this
> list: https://www.redhat.com/archives/fedora-selinux-list/2004-November/msg00015.html
> 
>    * Install selinux-policy-targeted-sources.
>    * yum install selinux-policy-targeted-sources
>    * cd /etc/selinux/targeted/src/policy
>    * echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >
>      domains/program/httpd_socket.te
>    * make load
> 
> After make load I get this error:
> yada yada yada ....
> Compiling policy ...
> /usr/bin/checkpolicy  -o /etc/selinux/strict/policy/policy.19 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> security:  3 users, 5 roles, 1304 types, 58 bools
> security:  55 classes, 388377 rules
> /usr/bin/checkpolicy:  policy configuration loaded
> /usr/bin/checkpolicy:  writing binary representation (version 19) to
> /etc/selinux/strict/policy/policy.19
> /usr/bin/checkpolicy -c 18 -o /etc/selinux/strict/policy/policy.18 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> security:  3 users, 5 roles, 1304 types, 58 bools
> security:  55 classes, 388377 rules
> /usr/bin/checkpolicy:  policy configuration loaded
> /usr/bin/checkpolicy:  writing binary representation (version 18) to
> /etc/selinux/strict/policy/policy.18
> make: *** No rule to make target
> `file_contexts/program/httpd_socket.fc', needed by
> `file_contexts/file_contexts'.  Stop.
> 
> I'm stuck with this error and I don't know what to do next. Any insights
> are welcome and appreciated.

The policy Makefile expects a .fc file to exist for every .te file under
domains/program.  Hence, you have two choices:
1) Move httpd_socket.te from domains/program to domains/misc.  This is
preferable anyway, and convention has been to put such rules in
domains/misc/local.te to reduce the risk that your file will ever
conflict with a file in the main policy package. -or-
2) Leave httpd_socket.te under domains/program but touch
file_contexts/program/httpd_socket.fc, creating an empty file with that
name to satisfy the policy Makefile.

I'd favor #1.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
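
The Makefile expectation described in this reply can be checked before running `make load`. The script below is an added example, not part of the original message or of the policy package: it lists every .te file under domains/program that has no matching .fc file, and applies option 1 by appending such a file to domains/misc/local.te. The function names `missing_fc` and `move_to_local` are hypothetical, and the directory layout is assumed from the paths quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Layout assumed from the paths above:
#   <policy-src>/domains/program/NAME.te
#   <policy-src>/file_contexts/program/NAME.fc
#   <policy-src>/domains/misc/local.te

# Print the base name of each .te file under domains/program that has
# no matching .fc file, i.e. the files that make the build stop.
missing_fc() {
    src=$1
    for te in "$src"/domains/program/*.te; do
        [ -e "$te" ] || continue            # glob matched nothing
        name=$(basename "$te" .te)
        [ -e "$src/file_contexts/program/$name.fc" ] || printf '%s\n' "$name"
    done
}

# Option 1 from the reply: append the rules to domains/misc/local.te and
# remove the file from domains/program, so no .fc file is required.
move_to_local() {
    src=$1
    name=$2
    mkdir -p "$src/domains/misc"
    cat "$src/domains/program/$name.te" >> "$src/domains/misc/local.te" &&
        rm "$src/domains/program/$name.te"
}

# When given a policy source directory, report the files that would fail.
if [ "$#" -ge 1 ]; then
    missing_fc "$1"
fi
```

Run it with the policy source directory as its argument, for example /etc/selinux/targeted/src/policy from the quoted steps; empty output means every file under domains/program has its .fc counterpart.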



