On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
> tony@xxxxxxxxxxxxxxxxxxxxxxxxx wrote:
>> Hi Guys,
>>
>> Sorry to keep emailing the group but I'm determined to crack SELinux
>> and not just switch it off :)
>>
>> I have moved my MySQL root to /db01/mysql and have symlinked
>> /var/lib/mysql to there as well just in case any apps still have MySQL
>> hard coded to the original location.
> Use mount --bind instead of symlink

Whoops, I did not notice this issue is due to custom configuration. So this issue probably does not justify a bug report.

I do not think SELinux plays nice with mount --bind, so that may not work.

You just manually allow mysqld_safe_t to read the link file, like I showed in my example. Make sure though that the link target is properly labeled (mysqld_db_t) and that mysqld_safe_t can access it (label the db01 dir with a type mysqld_safe_t has access to search, for example var_t or mysqld_db_t).

>
>> The alert I'm getting is this:
>>
>> Summary:
>>
>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by mysqld_safe. It is not expected that this
>> access is required by mysqld_safe and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
>> Target Context                system_u:object_r:mysqld_db_t:s0
>> Target Objects                /var/lib/mysql [ lnk_file ]
>> Source                        mysqld_safe
>> Source Path                   /bin/bash
>> Port                          <Unknown>
>> Host                          vm-lin-wb01
>> Source RPM Packages           bash-4.0.35-2.fc12
>> Target RPM Packages           mysql-server-5.1.41-2.fc12
>> Policy RPM                    selinux-policy-3.6.32-63.fc12
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     vm-lin-wb01
>> Platform                      Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1
>>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
>> Alert Count                   1
>> First Seen                    Fri Jan 8 10:06:33 2010
>> Last Seen                     Fri Jan 8 10:06:33 2010
>> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>>
>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>>
>> All the contexts look correct to me, but have I missed something?
>> Would be grateful if anyone could point me in the right direction.
>>
>> Thanks in advance :)
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
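As an added example (not part of this thread, and not the earlier example the reply refers to), the relabeling and the local policy module the reply describes, with the allow rule taken directly from the AVC fields above; that /db01/mysql is the relocated datadir and that /db01 should get var_t are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Relabels the relocated datadir and grants
# mysqld_safe_t read on the /var/lib/mysql symlink, using the AVC fields above
# (scontext mysqld_safe_t, tcontext mysqld_db_t, tclass lnk_file, perm read).
set -eu

NEW_DATADIR=/db01/mysql   # assumption: the relocated MySQL root
LINK=/var/lib/mysql       # the symlink kept for apps with the old path hard coded

# File-context rules: /db01 itself gets a type mysqld_safe_t may search
# (var_t, one of the two suggested in the reply); the datadir gets mysqld_db_t.
fcontext_rules() {
    printf '%s\n' \
        "semanage fcontext -a -t var_t '/db01'" \
        "semanage fcontext -a -t mysqld_db_t '${NEW_DATADIR}(/.*)?'" \
        "restorecon -Rv /db01"
}

# Minimal type-enforcement module that allows exactly the denied access.
te_module() {
    cat <<'EOF'
module mysqld_safe_symlink 1.0;

require {
    type mysqld_safe_t;
    type mysqld_db_t;
    class lnk_file read;
}

allow mysqld_safe_t mysqld_db_t:lnk_file read;
EOF
}

# Run on the SELinux host (as root): label, build and load the module, verify.
apply() {
    fcontext_rules | sh -e
    te_module > mysqld_safe_symlink.te
    checkmodule -M -m -o mysqld_safe_symlink.mod mysqld_safe_symlink.te
    semodule_package -o mysqld_safe_symlink.pp -m mysqld_safe_symlink.mod
    semodule -i mysqld_safe_symlink.pp
    ls -Zd "$NEW_DATADIR" "$LINK"                      # both should show mysqld_db_t
    ausearch -m avc -c mysqld_safe -ts recent || true  # no new denials expected
}

if [ "${1:-}" = apply ]; then apply; fi
```

Invoke as `sh fix-mysql-symlink.sh apply` on the affected host; without the argument the script only defines the functions so the generated rules and module can be inspected first.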