SELinux and MySQL

Stuart Sears stuart at sjsears.com
Wed Aug 16 12:13:44 UTC 2006


Ryan Golhar wrote:
(among other things.)
Hi Ryan
I have come into this thread rather late having just resubscribed to the
list so hopefully I am not repeating advice you have already received.
Apologies if this is not the case.

> I would like to use SELinux with RHEL 4.  It's new and I'm gonna have to
> learn it sooner or later.  

Well, RH do training courses (RHS427/9) covering this, although that is
a fairly large expense if it is out of your personal pocket.

There are also docs on the RH website:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/

> I suppose my problem is that I'm totally new to it and not sure how to
> configure it to allow certain programs access to certain files.  I
> suspect this is only one piece of it and I'm sure I'm going to run into
> a whole lot more.  I've googled it and read some but most of what I've
> found is overviews and white papers.  Nothing that gives hands on
> experience.

Editing and customising policy is actually quite simple in what you need
to do (a couple of text files usually suffice). Read the RH docs above
for more information and be prepared for trial and error.
You should also be aware that if you have a support agreement with RH

Are you seeing SELinux error messages in your logs when you try to start
mysqld?
These will be in /var/log/messages and start with avc:
(actually, if you are running the audit daemon your SELinux logs end up
in /var/log/audit/audit.log)

I suspect that the issue you are facing is not a broken policy as such,
but probably mislabeled files.

Are your MySQL databases in the standard location (probably somewhere in
/var)?

If so, you might try this:

restorecon -v /location/of/mysql/db/files

> 
> The only real useful thing I've found is http://seedit.sourceforge.net/,
> but it's a GUI tool and I'd rather stick to the shell.
Be prepared for a little pain, in that case.
SELinux is becoming far more user (well, admin-)friendly in FC5/6  - and
thus also in RHEL5 when it arrives.
Also, seedit achieves what it does by simplifying the policy language
and won't work too well with FC5/6 and RHEL5.

Regards

Stuart
--
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
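
An added example, not part of the original message: shell functions that pull mysqld's AVC denials out of a log and list the targets whose label is not the expected type, which is the check behind the mislabeled-files suggestion above. The log lines are constructed, and treating mysqld_db_t as the expected type for MySQL data files is an assumption about the targeted policy in use.

```shell
#!/bin/sh
# Constructed sample lines in the style of AVC messages in /var/log/messages
# (not taken from a real host).
sample_log() {
cat <<'EOF'
Aug 16 12:01:02 db1 kernel: audit(1155729662.123:0): avc:  denied  { read } for  pid=2301 comm="mysqld" name="ibdata1" dev=dm-0 ino=98321 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_t tclass=file
Aug 16 12:01:02 db1 kernel: audit(1155729662.130:0): avc:  denied  { search } for  pid=2301 comm="mysqld" name="mysql" dev=dm-0 ino=98300 scontext=root:system_r:mysqld_t tcontext=root:object_r:default_t tclass=dir
Aug 16 12:01:05 db1 kernel: audit(1155729665.001:0): avc:  denied  { getattr } for  pid=2410 comm="httpd" name="index.html" dev=dm-0 ino=5511 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Aug 16 12:02:00 db1 sshd[2500]: Accepted password for admin from 192.0.2.10 port 40022 ssh2
EOF
}

# Read a log on stdin and print "perms tclass name target_type" for every
# AVC denial whose source domain is mysqld_t.
mysqld_denials() {
    awk '
    /avc:/ && /denied/ && /scontext=[^ ]*:mysqld_t([: ]|$)/ {
        perm = name = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm "," $j)
            } else if ($i ~ /^name=/) {
                name = $i; sub(/^name=/, "", name); gsub(/"/, "", name)
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); ttype = c[3]   # user:role:type[:level]
            } else if ($i ~ /^tclass=/) {
                tclass = $i; sub(/^tclass=/, "", tclass)
            }
        }
        print perm, tclass, name, ttype
    }'
}

# List "name target_type" for denied files and directories whose type is not
# the expected one (default mysqld_db_t, an assumption; pass another as $1).
# These are the paths to inspect with ls -Z before running restorecon -v.
mislabel_candidates() {
    mysqld_denials |
        awk -v want="${1:-mysqld_db_t}" \
            '($2 == "file" || $2 == "dir") && $4 != want { print $3, $4 }' |
        sort -u
}

sample_log | mislabel_candidates
```

On a real host, feed the functions /var/log/messages or /var/log/audit/audit.log instead of sample_log.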