Re: mysql issues...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 25 May 2004 12:15, Valdis.Kletnieks@xxxxxx wrote:
> Running the mysql command as a mortal user dies:
>
> $ mysql -hlocalhost -u MMMMMM -p MMMMMM
> Enter password:
> ERROR 2002: Can't connect to local MySQL server through socket
> '/var/lib/mysql/mysql.sock' (13)
>
> after throwing this avc message:
> May 24 21:34:19 pink kernel: audit(1085448859.069:0): avc:  denied  {
> search } for  pid=4519 exe=/usr/bin/mysql name=mysql dev=dm-6 ino=129035
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:mysqld_db_t
> tclass=dir

How should we determine who gets mysql client access?  Should we have a 
tunable determining whether we allow userdomain?

> It's not able to search /var/lib/mysql to find the socket...
>
> A (slightly edited) grep shows us:
>
> Does anybody see a good reason why we don't have this too:
>
> mysqld.te: allow mysql_cmd_t mysqld_var_run_t:dir search;
> mysqld.te: allow mysql_cmd_t mysqld_var_run_t:sock_file write;
>
> and add this to mysqld.fc:
>
> /usr/bin/mysql          system_u:object_r:mysql_cmd_t

Why have mysql_cmd_t instead of just allowing user_t directly?  What is the 
benefit in having a domain for client access?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux