Mysql Alert
Dominick Grift
domg472 at gmail.com
Fri Jan 8 11:43:13 UTC 2010
On 01/08/2010 11:47 AM, tony at specialistdevelopment.com wrote:
> Hi Guys,
>
> Sorry to keep emailing the group but im determined to crack selinux and
> not just switch it off :)
>
> I have moved my mysql root to /db01/mysql and have sym linked
> /var/lib/mysql to there as well just in case any apps still have mysql
> hard coded to the original location.
>
> The alert im getting is this:
>
> Summary:
>
> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>
> Detailed Description:
>
> SELinux denied access requested by mysqld_safe. It is not expected that
> this
> access is required by mysqld_safe and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a
> bug
> report.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:mysqld_safe_t:s0
> Target Context system_u:object_r:mysqld_db_t:s0
> Target Objects /var/lib/mysql [ lnk_file ]
> Source mysqld_safe
> Source Path /bin/bash
> Port <Unknown>
> Host vm-lin-wb01
> Source RPM Packages bash-4.0.35-2.fc12
> Target RPM Packages mysql-server-5.1.41-2.fc12
> Policy RPM selinux-policy-3.6.32-63.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name vm-lin-wb01
> Platform Linux vm-lin-wb01
> 2.6.31.9-174.fc12.i686.PAE #1
> SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
> Alert Count 1
> First Seen Fri Jan 8 10:06:33 2010
> Last Seen Fri Jan 8 10:06:33 2010
> Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425
> Line Numbers
>
> Raw Audit Messages
>
> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied {
> read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498
> scontext=unconfined_u:system_r:mysqld_safe_t:s0
> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>
> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
> comm="mysqld_safe" exe="/bin/bash"
> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>
> All the contexts look correct to me, but have i missed something? would
> be grateful if anyone could point me in the right direction.
>
> Thanks in advance :)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
looks like there is no such rule to allow this access.
> [root at localhost ~]# sesearch --allow -s mysqld_safe_t | grep mysqld_db_t
> allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
> allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
You can allow mysqld_safe_t to read lnk_files with type mysqld_db_t:
echo "avc: denied { read } for pid=1267 comm="mysqld_safe"
name="mysql" dev=dm-2 ino=21498
scontext=unconfined_u:system_r:mysqld_safe_t:s0
tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file" | audit2allow
-M mymysqldsafe; sudo semodule -i mymysqldsafe.pp
( make sure that you use "mymysqldsafe" for your modules' name. This to
avoid that you overwrite your existing mysql module. )
Please consider reporting this bug. Thanks in advance.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100108/451d41fd/attachment.bin
More information about the selinux
mailing list