MySQL 4.1 & SELinux on FC6
phil at noggle.biz
Wed May 9 19:28:14 UTC 2007
> I'm performing a bit of an experiment setting up some software on FC6
> and confining it in an SELinux domain. In taking a survey of potential
> obstacles, I've run into something that I'm hoping y'all can provide
> some guidance on. The application I'm setting up was initially deployed
> on RHEL4 (SELinux disabled) and thus depends on MySQL (version 4.1). In
> developing policy I'd really like to use the most up to date modular
> policy from FC6 (anticipating our transition to RHEL5), but the MySQL
> packaged in FC6 is 5.0.
> From my perspective, my options are:
> (1) try using MySQL 5.0 and hope the application doesn't break (cross
> your fingers)
> (2) install MySQL 4.1 (from source / older package) and try to use the
> FC6 policy for MySQL 5.0 and hope that works.
> I'm not really sure which is the best choice (though option 1 does seem
> like higher risk) so I thought I'd ask for some advice. Has anyone used
> the FC6 MySQL policy with older versions of MySQL? Am I nuts for even
> trying this?
> There's another team working to bring this software up to date for
> deployment on RHEL5 but naturally our efforts are in parallel so I can't
> benefit from their work just yet (nor can I, or do I want to monkey
> around in their Java code). I could always develop my policy on the
> older RHEL4 platform and use our standard build but when integration
> begins that would put me way behind the ball as (from what I understand)
> the policy in RHEL5 is vastly improved / different, which is why I'm
> trying to use FC6 in my initial tests.
I just realized I screwed up the subject line in my original post.
apache 4.1 should have read MySQL 4.1. My bad.
Just for posterity I figure I'd respond to my own email in the case that
someone has to perform a similar task.
I was successful in getting an old MySQL 4.1 rpm from the MySQL website
up and running using the policy module that ships with FC6. It was a
surprisingly good exercise in MySQL configuration (which I had hoped to
avoid) and policy module writing / manipulation. I'm not sure if MySQL
5.X still uses the my_print_defaults helper program to parse the my.cnf
file, but a domain for this was missing from the existing policy module.
I wrote one (just enough to run and read /etc/my.cnf) and I've got a
running MySQL 4.1 using strict policy.
It's interesting to see how the way an application is configured can affect the
policy. The 4.1 RPM from MySQL-AB ships with all logs, run files and db
files in the same directory ... not very conducive to getting the file
contexts right. Either way, all's well that ends well.