Ho Dominick,
Thanks ill try that, thanks to everyone for their help over the last
couple of days, im starting to like and understand selinux, but no
doubt there will be some more issues :)
Thanks again.
Tony
Quoting Dominick Grift <domg472@xxxxxxxxx>:
On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
tony@xxxxxxxxxxxxxxxxxxxxxxxxx wrote:
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux
and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked
/var/lib/mysql to there as well just in case any apps still have mysql
hard coded to the original location.
Use mount --bind instead of symlink
Whoops i did not notice this issue is due to custom configuration. So
this issue probably does not justify a bugreport.
I do not think SELinux plays nice with mount --bind so that may not work.
You just manually allow mysqld_safe_t to read the link file , like i
showed in my example.
Make sure though that the link target is properly labeled (mysqld_db_t)
and that mysqld_safe_t can access it. ( label db01 dir with a type
mysqld_safe_t has access to search. for example var_t or mysqld_db_t.
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected
that this
access is required by mysqld_safe and this access may signal an intrusion
attempt. It is also possible that the specific version or
configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file
a bug
report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects /var/lib/mysql [ lnk_file ]
Source mysqld_safe
Source Path /bin/bash
Port <Unknown>
Host vm-lin-wb01
Source RPM Packages bash-4.0.35-2.fc12
Target RPM Packages mysql-server-5.1.41-2.fc12
Policy RPM selinux-policy-3.6.32-63.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name vm-lin-wb01
Platform Linux vm-lin-wb01
2.6.31.9-174.fc12.i686.PAE #1
SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
Alert Count 1
First Seen Fri Jan 8 10:06:33 2010
Last Seen Fri Jan 8 10:06:33 2010
Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425
Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied
{ read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2
ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0
tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
comm="mysqld_safe" exe="/bin/bash"
subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something?
would be grateful if anyone could point me in the right direction.
Thanks in advance :)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
