Dominick Grift wrote:
On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
tony@specialistdevelopment.com wrote:
Hi Guys,
Sorry to keep emailing the group but im determined to crack selinux and not just switch it off :)
I have moved my mysql root to /db01/mysql and have sym linked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.
Use mount --bind instead of symlink
Whoops i did not notice this issue is due to custom configuration. So this issue probably does not justify a bugreport.
I do not think SELinux plays nice with mount --bind so that may not work.
It does. Better that it plays with symlinks
You just manually allow mysqld_safe_t to read the link file , like i showed in my example.
Make sure though that the link target is properly labeled (mysqld_db_t) and that mysqld_safe_t can access it. ( label db01 dir with a type mysqld_safe_t has access to search. for example var_t or mysqld_db_t.
The alert im getting is this:
Summary:
SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
Detailed Description:
SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ lnk_file ] Source mysqld_safe Source Path /bin/bash Port <Unknown> Host vm-lin-wb01 Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages mysql-server-5.1.41-2.fc12 Policy RPM selinux-policy-3.6.32-63.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name vm-lin-wb01 Platform Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 1 First Seen Fri Jan 8 10:06:33 2010 Last Seen Fri Jan 8 10:06:33 2010 Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 Line Numbers
Raw Audit Messages
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
All the contexts look correct to me, but have i missed something? would be grateful if anyone could point me in the right direction.
Thanks in advance :)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list