MySQL+Selinux problem
Stephen Smalley
sds at tycho.nsa.gov
Tue Apr 12 12:23:58 UTC 2005
On Tue, 2005-04-12 at 15:09 +0800, Michael Calizo wrote:
> Hi,
>
> I have been banging my head to resolve this SELinux+MySQL problem on
> fedora Core 3.
>
> I followed this steps from this
> list:https://www.redhat.com/archives/fedora-selinux-list/2004-November/msg00015.html
>
> * Install selinux-policy-targeted-sources.
> * yum install selinux-policy-targeted-sources
> * cd /etc/selinux/targeted/src/policy
> * echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >
> domains/program/httpd_socket.te
> * make load
>
> After make load i get this error:
> yada yada yada ....
> Compiling policy ...
> /usr/bin/checkpolicy -o /etc/selinux/strict/policy/policy.19 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> security: 3 users, 5 roles, 1304 types, 58 bools
> security: 55 classes, 388377 rules
> /usr/bin/checkpolicy: policy configuration loaded
> /usr/bin/checkpolicy: writing binary representation (version 19) to
> /etc/selinux/strict/policy/policy.19
> /usr/bin/checkpolicy -c 18 -o /etc/selinux/strict/policy/policy.18 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> security: 3 users, 5 roles, 1304 types, 58 bools
> security: 55 classes, 388377 rules
> /usr/bin/checkpolicy: policy configuration loaded
> /usr/bin/checkpolicy: writing binary representation (version 18) to
> /etc/selinux/strict/policy/policy.18
> make: *** No rule to make target
> `file_contexts/program/httpd_socket.fc', needed by
> `file_contexts/file_contexts'. Stop.
>
> Im stuck with this error and i dont know what to do next. Any insights
> are welcome and appreciated.
The policy Makefile expects a .fc file to exist for every .te file under
domains/program. Hence, you have two choices:
1) Move httpd_socket.te from domains/program to domains/misc. This is
preferable anyway, and convention has been to put such rules in
domains/misc/local.te to reduce the risk that your file will ever
conflict with a file in the main policy package. -or-
2) Leave httpd_socket.te under domains/program but touch
file_contexts/program/httpd_socket.fc, creating an empty file with that
name to satisfy the policy Makefile.
I'd favor #1.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the selinux
mailing list