Mysql Alert

tony at specialistdevelopment.com tony at specialistdevelopment.com
Fri Jan 8 12:11:58 UTC 2010


Hi Dominick,

Thanks, I'll try that. Thanks to everyone for their help over the last
couple of days. I'm starting to like and understand SELinux, but no
doubt there will be some more issues :)

Thanks again.

Tony

Quoting Dominick Grift <domg472 at gmail.com>:

> On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
>> tony at specialistdevelopment.com wrote:
>>> Hi Guys,
>>>
>>> Sorry to keep emailing the group but I'm determined to crack SELinux
>>> and not just switch it off :)
>>>
>>> I have moved my mysql root to /db01/mysql and have symlinked
>>> /var/lib/mysql to there as well just in case any apps still have mysql
>>> hard coded to the original location.
>> Use mount --bind instead of symlink
>
> Whoops, I did not notice this issue is due to custom configuration. So
> this issue probably does not justify a bug report.
>
> I do not think SELinux plays nice with mount --bind so that may not work.
>
> You just manually allow mysqld_safe_t to read the link file, like I
> showed in my example.
>
> Make sure though that the link target is properly labeled (mysqld_db_t)
> and that mysqld_safe_t can access it. (Label the db01 dir with a type
> mysqld_safe_t has access to search, for example var_t or mysqld_db_t.)
>
>>
>>
>>>
>>> The alert im getting is this:
>>>
>>> Summary:
>>>
>>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by mysqld_safe. It is not expected that
>>> this access is required by mysqld_safe and this access may signal an
>>> intrusion attempt. It is also possible that the specific version or
>>> configuration of the application is causing it to require additional
>>> access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file
>>> a bug report.
>>>
>>> Additional Information:
>>>
>>> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
>>> Target Context                system_u:object_r:mysqld_db_t:s0
>>> Target Objects                /var/lib/mysql [ lnk_file ]
>>> Source                        mysqld_safe
>>> Source Path                   /bin/bash
>>> Port                          <Unknown>
>>> Host                          vm-lin-wb01
>>> Source RPM Packages           bash-4.0.35-2.fc12
>>> Target RPM Packages           mysql-server-5.1.41-2.fc12
>>> Policy RPM                    selinux-policy-3.6.32-63.fc12
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     vm-lin-wb01
>>> Platform                      Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1
>>>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
>>> Alert Count                   1
>>> First Seen                    Fri Jan  8 10:06:33 2010
>>> Last Seen                     Fri Jan  8 10:06:33 2010
>>> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc:  denied
>>> { read } for  pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2
>>> ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0
>>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>>>
>>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
>>> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
>>> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
>>> comm="mysqld_safe" exe="/bin/bash"
>>> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>>>
>>> All the contexts look correct to me, but have I missed something?
>>> I would be grateful if anyone could point me in the right direction.
>>>
>>> Thanks in advance :)
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>
>
>
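The fix Dominick describes, worked through as an added example (not code from the thread): parse the AVC record into the allow rule a local module needs, emit the .te source, and relabel the relocated datadir. It assumes the stock policy tools (checkmodule, semodule_package, semodule, semanage, restorecon) and the paths Tony gave (/db01/mysql, /var/lib/mysql); the module name mysqld_safe_lnk is my own.

```sh
#!/bin/sh
# Turn the AVC denial from the thread into a minimal local policy module and
# relabel the relocated datadir. Added example, not from the thread; assumes the
# stock SELinux tools and the paths Tony described. Module name is made up.

# The raw AVC record from the alert, joined onto one line.
AVC='node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc:  denied  { read } for  pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file'

# Third field of a context user:role:type:level is the type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }
# Value of the key=value field named $1 in AVC line $2.
avc_field() { printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"; }

# Fill AVC_S, AVC_T, AVC_C, AVC_P (source type, target type, class, permissions).
parse_avc() {
    AVC_S=$(ctx_type "$(avc_field scontext "$1")")
    AVC_T=$(ctx_type "$(avc_field tcontext "$1")")
    AVC_C=$(avc_field tclass "$1")
    AVC_P=$(printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p')
}

# The single allow rule the denial asks for (equivalent to audit2allow's output).
avc_to_allow() {
    parse_avc "$1"
    printf 'allow %s %s:%s { %s };\n' "$AVC_S" "$AVC_T" "$AVC_C" "$AVC_P"
}

# Complete .te source for a module named $2, built from AVC line $1.
te_module() {
    parse_avc "$1"
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$2" "$AVC_S" "$AVC_T" "$AVC_C" "$AVC_P"
    avc_to_allow "$1"
}

# Build and install the module, then label the new datadir like /var/lib/mysql
# (mysqld_db_t) and /db01 itself with a type mysqld_safe_t can search (the
# thread suggests var_t). Needs root; only runs when invoked as "... apply".
apply_fix() {
    te_module "$AVC" mysqld_safe_lnk > mysqld_safe_lnk.te
    checkmodule -M -m -o mysqld_safe_lnk.mod mysqld_safe_lnk.te
    semodule_package -o mysqld_safe_lnk.pp -m mysqld_safe_lnk.mod
    semodule -i mysqld_safe_lnk.pp
    semanage fcontext -a -t var_t '/db01'
    semanage fcontext -a -t mysqld_db_t '/db01/mysql(/.*)?'
    restorecon -Rv /db01
    ls -Zd /db01 /db01/mysql /var/lib/mysql   # check labels before retrying mysqld
}

if [ "${1:-}" = apply ]; then apply_fix; fi
```

Without the fcontext entries the symlink read would be allowed but the target would still carry whatever label /db01 got at creation, so restorecon and the ls -Z check are part of the fix, not an afterthought.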
