My problem is:
it is only possible to use "LOAD DATA INFILE" statement if SELinux is
in its permissive state.
Strangely, logs below show no avc denial (all I can tell from them is
Chinese tried to break into, and last line probably refers to when I
added mysql user to some group I created). But statement won't work in
enforcing state. Nothing gives me any tip concerning the referred
MySQL statement issue.
And, well, I want to keep SELinux enforcing its policies, except for
what is needed in order to make "LOAD DATA INFILE" work.
So, what would be the proper way to achieve that?
Marcio Barbado, Jr.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
01-07-2012, 10:01 AM
Dominick Grift
MySQL's LOAD DATA INFILE statement
On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
> Hi,
> I'm incurring some problems with MySQL and SELinux, and I need help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is:
> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
> in its permissive state.
This event may have been silently denied.
To reproduce the issue and expose silent denials:
run: semodule -DB
reproduce the issue
see if there is now an AVC denial displayed that is related to your
issue
run: semodule -B
01-09-2012, 03:39 AM
"Marcio B. Jr."
MySQL's LOAD DATA INFILE statement
Hi Dominick, thanks for answering.
This is a really unusual situation. So far I cannot explain why but
after re-enabling enforcement for more tests, statement happened to
work just as it did with permissive state.
I've used "semodule -DB" and reproduced issue in both states. Still no
logs. Testing will continue.
Regards,
On Sat, Jan 7, 2012 at 8:01 AM, Dominick Grift <dominick.grift@gmail.com> wrote:
> On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
>> Hi,
>> I'm incurring some problems with MySQL and SELinux, and I need help.
>>
>> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>>
>> $ ps -eZ | grep mysqld
>> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
>> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>>
>> My problem is:
>> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
>> in its permissive state.
>
> This event may have been silently denied.
> To reproduce the issue and expose silent denials:
>
> run: semodule -DB
> reproduce the issue
> see if there is now an AVC denial displayed that is related to your
> issue
> run: semodule -B
Marcio Barbado, Jr.
01-09-2012, 09:17 AM
Miroslav Grepl
MySQL's LOAD DATA INFILE statement
On 01/09/2012 04:39 AM, Marcio B. Jr. wrote:
> Hi Dominick, thanks for answering.
> This is a really unusual situation. So far I cannot explain why but
> after re-enabling enforcement for more tests, statement happened to
> work just as it did with permissive state.
> I've used "semodule -DB" and reproduced issue in both states. Still no
> logs. Testing will continue.
> Regards,
Make sure auditd is running.
# service auditd status
You should see AVC msgs in /var/log/audit/audit.log or you can use the
ausearch tool
# ausearch -m avc -ts recent
Also you should use a newer version of Fedora which is supported
(Fedora15+).
> On Sat, Jan 7, 2012 at 8:01 AM, Dominick Grift <dominick.grift@gmail.com> wrote:
>> On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
>>> Hi,
>>> I'm incurring some problems with MySQL and SELinux, and I need help.
>>> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>>> My problem is:
>>> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
>>> in its permissive state.
>> This event may have been silently denied.
>> To reproduce the issue and expose silent denials:
>> run: semodule -DB
>> reproduce the issue
>> see if there is now an AVC denial displayed that is related to your
>> issue
>> run: semodule -B
> Marcio Barbado, Jr.
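The replies above tell the poster to rebuild policy with `semodule -DB`, reproduce the problem, and then look for AVC records rather than for any line mentioning "mysql". The following is an added example, not part of any post in this thread, that filters an audit log for denials whose source domain is `mysqld_t`; the function names and the sample records are constructed for illustration and do not come from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): list AVC denials for one source domain.

# write_sample_log PATH: constructed audit records, not from the poster's host.
write_sample_log() {
    cat > "$1" <<'EOF'
type=USER_LOGIN msg=audit(1326100000.100:10): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=sshd res=failed'
type=AVC msg=audit(1326100001.200:11): avc:  denied  { read } for  pid=1410 comm="mysqld" name="data.csv" dev=dm-0 ino=1234 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326100002.300:12): avc:  denied  { read } for  pid=1410 comm="mysqld" name="more.csv" dev=dm-0 ino=1235 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326100003.400:13): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# avc_denials LOGFILE DOMAIN
# Prints "<count> <perms> <tclass> <target type>" for each distinct denial
# whose source context type equals DOMAIN. Non-AVC records (such as the
# USER_LOGIN line that a plain "grep mysql" also matches) are skipped.
avc_denials() {
    awk -v dom="$2" '
        $1 == "type=AVC" && /avc: +denied/ {
            perms = ""; sctx = ""; tctx = ""; tclass = ""; inbrace = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inbrace = 1; continue }
                if ($i == "}") { inbrace = 0; continue }
                if (inbrace) { perms = perms (perms == "" ? "" : ",") $i; continue }
                if ($i ~ /^scontext=/) sctx = substr($i, 10)
                if ($i ~ /^tcontext=/) tctx = substr($i, 10)
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            }
            split(sctx, s, ":"); split(tctx, t, ":")
            if (s[3] != dom) next          # third field of a context is the type
            seen[perms " " tclass " " t[3]]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$1" | sort
}

# Demo on the constructed log.
log=$(mktemp) && write_sample_log "$log" && avc_denials "$log" mysqld_t
rm -f "$log"
```

On a live host the same function can be pointed at /var/log/audit/audit.log after `semodule -DB` and a reproduction of the failing statement, followed by `semodule -B` to restore the dontaudit rules.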
01-09-2012, 04:17 PM
Daniel J Walsh
MySQL's LOAD DATA INFILE statement
On 01/07/2012 12:26 AM, Marcio B. Jr. wrote:
> Hi, I'm incurring some problems with MySQL and SELinux, and I need
> help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is: it is only possible to use "LOAD DATA INFILE"
> statement if SELinux is in its permissive state.
>
> Strangely, logs below show no avc denial (all I can tell from them
> is Chinese tried to break into, and last line probably refers to
> when I added mysql user to some group I created). But statement
> won't work in enforcing state. Nothing gives me any tip concerning
> the referred MySQL statement issue.
>
> # cat /var/log/audit/audit.log | grep mysql
> type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
>
> Firstly, where could that avc denial be in?
>
> And, well, I want to keep SELinux enforcing its policies, except
> for what is needed in order to make "LOAD DATA INFILE" work.
>
> So, what would be the proper way to achieve that?
>
>
> Marcio Barbado, Jr.
Please update to a supported OS, F15 or 16. 12 is way out of date.
Nothing in your log indicates SELinux is blocking anything.