Mysql Alert

Manuel Wolfshant wolfy at nobugconsulting.ro
Fri Jan 8 12:23:34 UTC 2010


Dominick Grift wrote:
> On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
>   
>> tony at specialistdevelopment.com wrote:
>>     
>>> Hi Guys,
>>>
>>> Sorry to keep emailing the group but I'm determined to crack SELinux
>>> and not just switch it off :)
>>>
>>> I have moved my mysql root to /db01/mysql and have symlinked
>>> /var/lib/mysql to there as well just in case any apps still have mysql
>>> hard coded to the original location.
>>>       
>> Use mount --bind instead of symlink
>>     
>
> Whoops, I did not notice this issue is due to custom configuration. So
> this issue probably does not justify a bug report.
>
> I do not think SELinux plays nice with mount --bind so that may not work.
>   
It does. Better than it plays with symlinks.



> You just manually allow mysqld_safe_t to read the link file , like i
> showed in my example.
>
> Make sure though that the link target is properly labeled (mysqld_db_t)
> and that mysqld_safe_t can access it (label the db01 dir with a type
> mysqld_safe_t has access to search, for example var_t or mysqld_db_t).
>
>   
>>     
>>> The alert I'm getting is this:
>>>
>>> Summary:
>>>
>>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by mysqld_safe. It is not expected
>>> that this
>>> access is required by mysqld_safe and this access may signal an intrusion
>>> attempt. It is also possible that the specific version or
>>> configuration of the
>>> application is causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file
>>> a bug
>>> report.
>>>
>>> Additional Information:
>>>
>>> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
>>> Target Context                system_u:object_r:mysqld_db_t:s0
>>> Target Objects                /var/lib/mysql [ lnk_file ]
>>> Source                        mysqld_safe
>>> Source Path                   /bin/bash
>>> Port                          <Unknown>
>>> Host                          vm-lin-wb01
>>> Source RPM Packages           bash-4.0.35-2.fc12
>>> Target RPM Packages           mysql-server-5.1.41-2.fc12
>>> Policy RPM                    selinux-policy-3.6.32-63.fc12
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     vm-lin-wb01
>>> Platform                      Linux vm-lin-wb01
>>> 2.6.31.9-174.fc12.i686.PAE #1
>>>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
>>> Alert Count                   1
>>> First Seen                    Fri Jan  8 10:06:33 2010
>>> Last Seen                     Fri Jan  8 10:06:33 2010
>>> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc:  denied 
>>> { read } for  pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2
>>> ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0
>>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>>>
>>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
>>> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
>>> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
>>> comm="mysqld_safe" exe="/bin/bash"
>>> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>>>
>>> All the contexts look correct to me, but have I missed something? I
>>> would be grateful if anyone could point me in the right direction.
>>>
>>> Thanks in advance :)
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


-- 
     Manuel Wolfshant       linux registered user #131416
        IT manager    NoBug Consulting SRL
  A: Yes.
  >Q: Are you sure?
  >>A: Because it reverses the logical flow of conversation.
  >>>Q: Why is top posting frowned upon? 
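As an added example that is not part of the thread: a small Python triage helper that parses the raw audit records quoted above, joins the AVC and SYSCALL lines by their audit serial, and flags the lnk_file read denial that a symlinked data directory produces. The sample input is constructed from the two records in the thread; nothing else is assumed.

```python
import re
from collections import defaultdict
# Constructed sample: the AVC and SYSCALL records quoted in the thread (they share
# audit serial 25), rejoined onto one line each as auditd writes them.
SAMPLE_AUDIT = """\
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc:  denied  { read } for  pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value / key="quoted"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # serial inside audit(ts:serial)
DENIED_RE = re.compile(r'denied\s+\{([^}]*)\}')        # permissions inside { ... }

def parse_record(line):
    """Split one audit record into a dict of fields, quotes stripped."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['serial'] = SERIAL_RE.search(line).group(1)
    m = DENIED_RE.search(line)
    if m:
        rec['denied'] = m.group(1).split()
    return rec

def group_events(text):
    """Group records by serial: {serial: {record type: fields}}."""
    events = defaultdict(dict)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events[rec['serial']][rec['type']] = rec
    return dict(events)

def context_type(ctx):
    """The type component of a user:role:type:level SELinux context."""
    return ctx.split(':')[2]

def triage(event):
    """Summarise one denial and flag the symlink pattern from the thread."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    s = {
        'source_type': context_type(avc['scontext']),
        'target_type': context_type(avc['tcontext']),
        'tclass': avc['tclass'],
        'perms': avc.get('denied', []),
        'exe': sc.get('exe'),
        'errno': int(sc['exit']) if 'exit' in sc else None,  # -13 is -EACCES
    }
    # A 'read' denial on a lnk_file is the signature of a relocated data directory
    # reached via symlink; the thread's fix, a bind mount, leaves no link to read.
    s['symlink_denial'] = s['tclass'] == 'lnk_file' and 'read' in s['perms']
    return s
```

Running `triage(group_events(SAMPLE_AUDIT)['25'])` on the thread's records yields source type mysqld_safe_t, target type mysqld_db_t, class lnk_file and the symlink flag set; on a real host the same functions can be fed the output of `ausearch -m AVC,SYSCALL` instead of the sample.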