MySQL 4.1 & SELinux on FC6

Philip Tricca phil at
Wed May 9 19:28:14 UTC 2007

phil wrote:
> I'm performing a bit of an experiment setting up some software on FC6 
> and confining it in an SELinux domain.  In taking a survey of potential 
> obstacles, I've run into something that I'm hoping y'all can provide 
> some guidance on.  The application I'm setting up was initially deployed 
> on RHEL4 (SELinux disabled) and thus depends on MySQL (version 4.1).  In 
> developing policy I'd really like to use the most up to date modular 
> policy from FC6 (anticipating our transition to RHEL5), but the MySQL 
> packaged in FC6 is 5.0.
>  From my perspective, my options are:
> (1) try using MySQL 5.0 and hope the application doesn't break (cross 
> your fingers)
> (2) install MySQL 4.1 (from source / older package) and try to use the 
> FC6 policy for MySQL 5.0 and hope that works.
> I'm not really sure which is the best choice (though option 1 does seem 
> like higher risk) so I thought I'd ask for some advice.  Has anyone used 
> the FC6 MySQL policy with older versions of MySQL?  Am I nuts for even 
> trying this?
> There's another team working to bring this software up to date for 
> deployment on RHEL5 but naturally our efforts are in parallel so I can't 
> benefit from their work just yet (nor can I, or do I want to monkey 
> around in their Java code).  I could always develop my policy on the 
> older RHEL4 platform and use our standard build but when integration 
> begins that would put me way behind the ball as (from what I understand) 
> the policy in RHEL5 is vastly improved / different, which is why I'm 
> trying to use FC6 in my initial tests.

I just realized I screwed up the subject line in my original post. 
apache 4.1 should have read MySQL 4.1.  My bad.

Just for posterity I figure I'd respond to my own email in the case that 
someone has to perform a similar task.

I was successful in getting an old MySQL 4.1 rpm from the MySQL website 
up and running using the policy module that ships with FC6.  It was a 
surprisingly good exercise in MySQL configuration (which I had hoped to 
avoid) and policy module writing / manipulation.  I'm not sure if MySQL 
5.X still uses the my_print_defaults helper program to parse the my.cnf 
file, but a domain for this was missing from the existing policy module. 
I wrote one (just enough to run and read /etc/my.cnf) and I've got a 
running MySQL 4.1 using strict policy.

It's interesting to see how the way an application is configured can affect the 
policy.  The 4.1 RPM from MySQL-AB ships with all logs, run files and db 
files in the same directory ... not very conducive to getting the file 
contexts right.  Either way, all's well that ends well.

- Philip
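
The file-context problem described above, as an added example that is not part of the original post: file-context entries match on path, and new files take their parent directory's type unless a type transition rule says otherwise, so a layout that puts database files, logs and the pid file in one directory asks that directory to carry several types at once. The script resolves where a my.cnf places each class of file and reports directories that would need more than one of the reference policy's mysqld types. Assumptions: the sample my.cnf contents are constructed, the fallback datadir of /var/lib/mysql and the HOSTNAME placeholder are illustrative, and unset or relative log-error and pid-file values are resolved under datadir.

```python
import configparser
import posixpath
from collections import defaultdict

# [mysqld] option -> reference policy type expected for that class of file.
EXPECTED_TYPE = {
    "datadir": "mysqld_db_t",
    "log-error": "mysqld_log_t",
    "pid-file": "mysqld_var_run_t",
}

# Constructed sample: logs and pid file left unset, so they land in datadir.
SAMPLE_SHARED = """
[mysqld]
datadir = /var/lib/mysql
skip-networking
"""

# Constructed sample: each class of file gets its own directory.
SAMPLE_SPLIT = """
[mysqld]
datadir = /var/lib/mysql
log-error = /var/log/mysqld.log
pid-file = /var/run/mysqld/mysqld.pid
"""

def resolve_paths(cnf_text):
    """Return {option: absolute path}; unset or relative values go under datadir."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    opts = {k.replace("_", "-"): v for k, v in cp["mysqld"].items()}
    # Assumed fallback when datadir is not set in the file.
    datadir = posixpath.normpath(opts.get("datadir") or "/var/lib/mysql")
    paths = {"datadir": datadir}
    for opt, default in (("log-error", "HOSTNAME.err"), ("pid-file", "HOSTNAME.pid")):
        paths[opt] = posixpath.join(datadir, opts.get(opt) or default)
    return paths

def label_conflicts(cnf_text):
    """Return {directory: [types]} for directories needing more than one type."""
    by_dir = defaultdict(set)
    for opt, path in resolve_paths(cnf_text).items():
        directory = path if opt == "datadir" else posixpath.dirname(path)
        by_dir[directory].add(EXPECTED_TYPE[opt])
    return {d: sorted(t) for d, t in by_dir.items() if len(t) > 1}

if __name__ == "__main__":
    for name, text in (("shared", SAMPLE_SHARED), ("split", SAMPLE_SPLIT)):
        print(name, label_conflicts(text))
```

An empty result means the layout can be labelled per directory; a non-empty one means either moving the files in my.cnf or writing per-file context entries and type transition rules for that directory.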
