mysql issues...
Valdis.Kletnieks at vt.edu
Tue May 25 02:15:15 UTC 2004

Running the mysql command as a mortal user dies:

$ mysql -hlocalhost -u MMMMMM -p MMMMMM
Enter password:
ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

after throwing this avc message:

May 24 21:34:19 pink kernel: audit(1085448859.069:0): avc: denied { search } for pid=4519 exe=/usr/bin/mysql name=mysql dev=dm-6 ino=129035 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mysqld_db_t tclass=dir

It's not able to search /var/lib/mysql to find the socket...

A (slightly edited) grep shows us:

[/etc/security/selinux/src/policy]3 find . | xargs grep mysqld_var_run | more
./domains/program/apache.te:allow httpd_php_t mysqld_var_run_t:dir { search };
./domains/program/apache.te:allow httpd_php_t mysqld_var_run_t:sock_file { write };
./domains/program/mysqld.te:allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
./domains/program/mysqld.te:allow initrc_t mysqld_var_run_t:sock_file write;
./domains/program/mysqld.te:allow logrotate_t mysqld_var_run_t:dir search;
./domains/program/mysqld.te:allow logrotate_t mysqld_var_run_t:sock_file write;
./file_contexts/program/mysqld.fc:/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
./file_contexts/file_contexts:/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t

Does anybody see a good reason why we don't have this too:

mysqld.te: allow mysql_cmd_t mysqld_var_run_t:dir search;
mysqld.te: allow mysql_cmd_t mysqld_var_run_t:sock_file write;

and add this to mysqld.fc:

/usr/bin/mysql system_u:object_r:mysql_cmd_t

(or the correct version thereof, it's way too late to think straight.. ;)
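
Added example (not part of the original message, and not code from the SELinux policy tools): a small Python parser, in the style of audit2allow, that reduces the AVC denial quoted in the message to the source type, target type, object class and permission it names, and prints the matching allow rule. The function names and the two extra sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# PAGE_AVC is the denial quoted in the message. The other two log entries are
# constructed for this example: a repeat of the denial and an unrelated line.
PAGE_AVC = (
    "May 24 21:34:19 pink kernel: audit(1085448859.069:0): avc: denied { search } "
    "for pid=4519 exe=/usr/bin/mysql name=mysql dev=dm-6 ino=129035 "
    "scontext=user_u:user_r:user_t tcontext=system_u:object_r:mysqld_db_t tclass=dir"
)
SAMPLE_LOG = [PAGE_AVC, PAGE_AVC, "May 24 21:34:20 pink kernel: constructed non-AVC line"]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None if the line is not one."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = dict(kv.split("=", 1) for kv in match.group("rest").split() if "=" in kv)
    source = context_type(fields.get("scontext", ""))
    target = context_type(fields.get("tcontext", ""))
    if not (source and target and fields.get("tclass")):
        return None
    return {"perms": match.group("perms").split(), "source": source, "target": target,
            "tclass": fields["tclass"], "exe": fields.get("exe"), "name": fields.get("name")}


def allow_rules(lines):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for denial in filter(None, map(parse_avc, lines)):
        merged[(denial["source"], denial["target"], denial["tclass"])].update(denial["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The printed rule only restates what the kernel logged as denied. Whether to grant it to the calling domain or to confine the client in its own domain is a policy decision.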