On 01/08/2010 11:47 AM, tony@xxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> Hi Guys,
>
> Sorry to keep emailing the group but I'm determined to crack SELinux and
> not just switch it off :)
>
> I have moved my MySQL root to /db01/mysql and have symlinked
> /var/lib/mysql to there as well just in case any apps still have MySQL
> hard coded to the original location.
>
> The alert I'm getting is this:
>
> Summary:
>
> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>
> Detailed Description:
>
> SELinux denied access requested by mysqld_safe. It is not expected that this
> access is required by mysqld_safe and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
> Target Context                system_u:object_r:mysqld_db_t:s0
> Target Objects                /var/lib/mysql [ lnk_file ]
> Source                        mysqld_safe
> Source Path                   /bin/bash
> Port                          <Unknown>
> Host                          vm-lin-wb01
> Source RPM Packages           bash-4.0.35-2.fc12
> Target RPM Packages           mysql-server-5.1.41-2.fc12
> Policy RPM                    selinux-policy-3.6.32-63.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     vm-lin-wb01
> Platform                      Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1
>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
> Alert Count                   1
> First Seen                    Fri Jan 8 10:06:33 2010
> Last Seen                     Fri Jan 8 10:06:33 2010
> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
> Line Numbers
>
> Raw Audit Messages
>
> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>
> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>
> All the contexts look correct to me, but have I missed something? Would
> be grateful if anyone could point me in the right direction.
>
> Thanks in advance :)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Looks like there is no such rule to allow this access.

> [root@localhost ~]# sesearch --allow -s mysqld_safe_t | grep mysqld_db_t
> allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
> allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

You can allow mysqld_safe_t to read lnk_files with type mysqld_db_t:

echo "avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file" | audit2allow -M mymysqldsafe; sudo semodule -i mymysqldsafe.pp

(Make sure that you use "mymysqldsafe" for your module's name. This is to avoid overwriting your existing mysql module.)

Please consider reporting this bug.

Thanks in advance.
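As an added illustration of what the audit2allow step in the reply actually does (this is example code written for this page, not code from the thread, from setools or from audit2allow): the script below parses the raw AVC record quoted in the original mail, compares it with the sesearch output from the reply to work out which permissions are genuinely missing from the loaded policy, and then emits a .te policy source in the same shape that audit2allow -M writes. The module name mymysqldsafe and both sample inputs are copied from the thread; the regular expressions and the "already allowed" check are my own assumptions about the record formats, not anything the thread or the tools guarantee.

```python
import re

# Constructed sample input: the raw AVC record quoted in the original mail.
AVC_SAMPLE = (
    "node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } "
    'for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 '
    "scontext=unconfined_u:system_r:mysqld_safe_t:s0 "
    "tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file"
)

# Constructed sample input: the two rules that sesearch printed in the reply.
SESEARCH_SAMPLE = """\
allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
"""

# Assumed shape of an AVC denial: "avc: denied { perms } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed shape of a setools allow rule; the permission set is either "{ a b c }" or one bare word.
SESEARCH_RE = re.compile(
    r"^allow\s+(?P<stype>\S+)\s+(?P<ttype>\S+)\s*:\s*(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<many>[^}]*?)\s*\}|(?P<one>\S+))\s*;"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Reduce one AVC denial to the tuple a policy rule is written in terms of."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
    }


def parse_sesearch(text):
    """Map (source type, target type, class) -> permissions already allowed."""
    allowed = {}
    for raw in text.splitlines():
        m = SESEARCH_RE.match(raw.strip())
        if m is None:
            continue
        perms = (m.group("many") or m.group("one")).split()
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        allowed.setdefault(key, set()).update(perms)
    return allowed


def missing_perms(avc, allowed):
    """Permissions from the denial that no existing allow rule covers (class-specific)."""
    key = (avc["stype"], avc["ttype"], avc["tclass"])
    return [p for p in avc["perms"] if p not in allowed.get(key, set())]


def te_source(module, avc, perms):
    """Policy source in the same layout audit2allow -M writes to <module>.te."""
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    types = sorted({avc["stype"], avc["ttype"]})  # no duplicate require if self-access
    require = "".join(f"\ttype {t};\n" for t in types)
    return (
        f"module {module} 1.0;\n\n"
        "require {\n"
        f"{require}"
        f"\tclass {avc['tclass']} {body};\n"
        "}\n\n"
        f"#============= {avc['stype']} ==============\n"
        f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {body};\n"
    )


def build_module(module, avc_line, sesearch_text):
    """Return the .te text needed for this denial, or None if policy already allows it."""
    avc = parse_avc(avc_line)
    perms = missing_perms(avc, parse_sesearch(sesearch_text))
    if not perms:
        return None
    return te_source(module, avc, perms)


if __name__ == "__main__":
    print(build_module("mymysqldsafe", AVC_SAMPLE, SESEARCH_SAMPLE) or "already allowed")
```

The class-specific comparison is the point: the existing rules grant mysqld_safe_t read on mysqld_db_t file and dir objects, but the denial is on a lnk_file, so the only rule the module needs is the single lnk_file read line. Before loading the resulting .pp with semodule -i it is also worth checking that the symlink target (/db01/mysql in this thread) carries the mysqld_db_t label itself, for example with semanage fcontext -a -t mysqld_db_t "/db01/mysql(/.*)?" followed by restorecon -Rv /db01/mysql; if the files behind the link are still labelled with the filesystem default, the next denial will simply move from the link to the directory behind it.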