Re: Mysql Alert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
> tony@xxxxxxxxxxxxxxxxxxxxxxxxx wrote:
>> Hi Guys,
>>
>> Sorry to keep emailing the group but im determined to crack selinux
>> and not just switch it off :)
>>
>> I have moved my mysql root to /db01/mysql and have sym linked
>> /var/lib/mysql to there as well just in case any apps still have mysql
>> hard coded to the original location.
> Use mount --bind instead of symlink

Whoops i did not notice this issue is due to custom configuration. So
this issue probably does not justify a bugreport.

I do not think SELinux plays nice with mount --bind so that may not work.

You just manually allow mysqld_safe_t to read the link file , like i
showed in my example.

Make sure though that the link target is properly labeled (mysqld_db_t)
and that mysqld_safe_t can access it. ( label db01 dir with a type
mysqld_safe_t has access to search. for example var_t or mysqld_db_t.

> 
> 
>>
>> The alert im getting is this:
>>
>> Summary:
>>
>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by mysqld_safe. It is not expected
>> that this
>> access is required by mysqld_safe and this access may signal an intrusion
>> attempt. It is also possible that the specific version or
>> configuration of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file
>> a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
>> Target Context                system_u:object_r:mysqld_db_t:s0
>> Target Objects                /var/lib/mysql [ lnk_file ]
>> Source                        mysqld_safe
>> Source Path                   /bin/bash
>> Port                          <Unknown>
>> Host                          vm-lin-wb01
>> Source RPM Packages           bash-4.0.35-2.fc12
>> Target RPM Packages           mysql-server-5.1.41-2.fc12
>> Policy RPM                    selinux-policy-3.6.32-63.fc12
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     vm-lin-wb01
>> Platform                      Linux vm-lin-wb01
>> 2.6.31.9-174.fc12.i686.PAE #1
>>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
>> Alert Count                   1
>> First Seen                    Fri Jan  8 10:06:33 2010
>> Last Seen                     Fri Jan  8 10:06:33 2010
>> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc:  denied 
>> { read } for  pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2
>> ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0
>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>>
>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
>> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
>> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
>> comm="mysqld_safe" exe="/bin/bash"
>> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>>
>> All the contexts look correct to me, but have i missed something?
>> would be grateful if anyone could point me in the right direction.
>>
>> Thanks in advance :)
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 


Attachment: signature.asc
Description: OpenPGP digital signature

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux