Mysql Alert

Dominick Grift domg472 at gmail.com
Fri Jan 8 11:57:31 UTC 2010


On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
> tony at specialistdevelopment.com wrote:
>> Hi Guys,
>>
>> Sorry to keep emailing the group but I'm determined to crack selinux
>> and not just switch it off :)
>>
>> I have moved my mysql root to /db01/mysql and have symlinked
>> /var/lib/mysql to there as well just in case any apps still have mysql
>> hard coded to the original location.
> Use mount --bind instead of symlink

Whoops, I did not notice this issue is due to custom configuration. So
this issue probably does not justify a bug report.

I do not think SELinux plays nice with mount --bind so that may not work.

You just manually allow mysqld_safe_t to read the link file, like I
showed in my example.

Make sure though that the link target is properly labeled (mysqld_db_t)
and that mysqld_safe_t can access it. (Label the db01 dir with a type
mysqld_safe_t has access to search, for example var_t or mysqld_db_t.)

> 
> 
>>
>> The alert I'm getting is this:
>>
>> Summary:
>>
>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by mysqld_safe. It is not expected
>> that this
>> access is required by mysqld_safe and this access may signal an intrusion
>> attempt. It is also possible that the specific version or
>> configuration of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file
>> a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
>> Target Context                system_u:object_r:mysqld_db_t:s0
>> Target Objects                /var/lib/mysql [ lnk_file ]
>> Source                        mysqld_safe
>> Source Path                   /bin/bash
>> Port                          <Unknown>
>> Host                          vm-lin-wb01
>> Source RPM Packages           bash-4.0.35-2.fc12
>> Target RPM Packages           mysql-server-5.1.41-2.fc12
>> Policy RPM                    selinux-policy-3.6.32-63.fc12
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     vm-lin-wb01
>> Platform                      Linux vm-lin-wb01
>> 2.6.31.9-174.fc12.i686.PAE #1
>>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
>> Alert Count                   1
>> First Seen                    Fri Jan  8 10:06:33 2010
>> Last Seen                     Fri Jan  8 10:06:33 2010
>> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc:  denied 
>> { read } for  pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2
>> ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0
>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>>
>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
>> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
>> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
>> comm="mysqld_safe" exe="/bin/bash"
>> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>>
>> All the contexts look correct to me, but have I missed something?
>> I would be grateful if anyone could point me in the right direction.
>>
>> Thanks in advance :)
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
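As an added example (not part of the thread, and not Dominick's module), here is a small Python script that does for the raw AVC record quoted above what audit2allow does: parse the denial and emit the allow rule and local policy module Dominick refers to. The sample input is the AVC and SYSCALL lines from the thread re-joined onto single lines; the module name "localmysql" is assumed.

```python
import re

# Constructed sample: the two audit records from the thread, each on one line.
SAMPLE_AUDIT = [
    'node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc:  denied '
    '{ read } for  pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 '
    'ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 '
    'tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file',
    'node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): '
    'arch=40000003 syscall=195 success=no exit=-13 comm="mysqld_safe" '
    'exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return perms, contexts, types and class of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # e.g. the SYSCALL record that accompanies the AVC
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['stype'] = d['scontext'].split(':')[2]  # user:role:type:level -> type
    d['ttype'] = d['tcontext'].split(':')[2]
    return d

def collect(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules.setdefault((d['stype'], d['ttype'], d['tclass']), set()).update(d['perms'])
    return rules

def allow_rules(lines):
    """One allow rule per (source, target, class), granting only what was denied."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(collect(lines).items())]

def te_module(name, lines):
    """Build a .te file: policy_module header, require block, allow rules.
    Relabel first (restorecon/semanage fcontext) when the target type is wrong;
    a rule like the one below is only right once the labels are as intended."""
    rules = collect(lines)
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, c), p in rules.items():
        classes.setdefault(c, set()).update(p)
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"policy_module({name}, 1.0)", "", "require {", *req, "}", "",
                      *allow_rules(lines), ""])

if __name__ == "__main__":
    print(te_module("localmysql", SAMPLE_AUDIT))
```

The generated .te would then be compiled and loaded with the usual checkmodule/semodule_package/semodule steps, which this script does not run.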

