phil wrote:
I'm performing a bit of an experiment setting up some software on FC6
and confining it in an SELinux domain. In taking a survey of potential
obstacles, I've run into something that I'm hoping y'all can provide
some guidance on. The application I'm setting up was initially deployed
on RHEL4 (SELinux disabled) and thus depends on MySQL (version 4.1). In
developing policy I'd really like to use the most up to date modular
policy from FC6 (anticipating our transition to RHEL5), but the MySQL
packaged in FC6 is 5.0.
From my perspective, my options are:
(1) try using MySQL 5.0 and hope the application doesn't break (cross
your fingers)
(2) install MySQL 4.1 (from source / older package) and try to use the
FC6 policy for MySQL 5.0 and hope that works.
I'm not really sure which is the best choice (though option 1 does seem
like higher risk) so I thought I'd ask for some advice. Has anyone used
the FC6 MySQL policy with older versions of MySQL? Am I nuts for even
trying this?
There's another team working to bring this software up to date for
deployment on RHEL5 but naturally our efforts are in parallel so I can't
benefit from their work just yet (nor can I, or do I want to monkey
around in their Java code). I could always develop my policy on the
older RHEL4 platform and use our standard build but when integration
begins that would put me way behind the ball as (from what I understand)
the policy in RHEL5 is vastly improved / different, which is why I'm
trying to use FC6 in my initial tests.

I just realized I screwed up the subject line in my original post.
apache 4.1 should have read MySQL 4.1. My bad.

Just for posterity I figure I'd respond to my own email in the case that
someone has to perform a similar task.
I was successful in getting an old MySQL 4.1 rpm from the MySQL website
up and running using the policy module that ships with FC6. It was a
surprisingly good exercise in MySQL configuration (which I had hoped to
avoid) and policy module writing / manipulation. I'm not sure if MySQL
5.X still uses the my_print_defaults helper program to parse the my.cnf
file, but a domain for this was missing from the existing policy module.
I wrote one (just enough to run and read /etc/my.cnf) and I've got a
running MySQL 4.1 using strict policy.
It's interesting to see how the way an application is configured can
affect the policy. The 4.1 RPM from MySQL-AB ships with all logs, run
files and db files in the same directory ... not very conducive to
getting the file contexts right. Either way, all's well that ends well.
Cheers,
- Philip
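
The single-directory layout mentioned in the message above can be spotted before any file contexts are written. The following is an added example, not part of the original post: it reads the `[mysqld]` section of a my.cnf and reports directories that would have to hold files of more than one SELinux type. The option-to-type mapping (reference policy style type names) and the sample configuration are assumptions constructed for illustration.

```python
import posixpath
from collections import defaultdict

# Assumed option -> file type mapping (type names as used by the reference
# policy mysql module; confirm against the policy actually loaded).
OPTION_TYPES = {
    "datadir": "mysqld_db_t",
    "log-error": "mysqld_log_t",
    "log-slow-queries": "mysqld_log_t",
    "pid-file": "mysqld_var_run_t",
    "socket": "mysqld_var_run_t",
}

# Constructed sample: a my.cnf that keeps almost everything in one directory.
SAMPLE_CNF = """\
[client]
socket = /var/lib/mysql/mysql.sock
[mysqld]
datadir = /var/lib/mysql
socket = /var/lib/mysql/mysql.sock
log-error = host.err
pid_file = "/var/lib/mysql/host.pid"
log-slow-queries = /var/log/mysql/slow.log
"""

def parse_mysqld_paths(text):
    """Return {option: path} for the path options set in the [mysqld] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.replace("_", "-").lower()  # my.cnf accepts either form
            if key in OPTION_TYPES:
                found[key] = value.strip("'\"")
    return found

def label_conflicts(paths):
    """Map each directory that needs more than one file type to those types."""
    datadir = paths.get("datadir", "")
    wanted = defaultdict(set)
    for option, path in paths.items():
        # mysqld creates relative file names under datadir, so resolve them there.
        full = posixpath.normpath(posixpath.join(datadir, path))
        directory = full if option == "datadir" else posixpath.dirname(full)
        wanted[directory].add(OPTION_TYPES[option])
    return {d: sorted(types) for d, types in wanted.items() if len(types) > 1}
```

A directory reported by `label_conflicts(parse_mysqld_paths(...))` needs per-file context entries, or the configuration can be changed so each kind of file lives in its own directory.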