 
Old 01-07-2012, 04:26 AM
"Marcio B. Jr."
 
MySQL's LOAD DATA INFILE statement

Hi,
I'm incurring some problems with MySQL and SELinux, and I need help.

Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.

$ ps -eZ | grep mysqld
system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld

My problem is:
it is only possible to use "LOAD DATA INFILE" statement if SELinux is
in its permissive state.

Strangely, logs below show no avc denial (all I can tell from them is
Chinese tried to break into, and last line probably refers to when I
added mysql user to some group I created). But statement won't work in
enforcing state. Nothing gives me any tip concerning the referred
MySQL statement issue.

# cat /var/log/audit/audit.log | grep mysql
type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
terminal=sshd res=failed'
type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group
acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=?
res=success'

Firstly, where could that avc denial be in?

And, well, I want to keep SELinux enforcing its policies, except for
what is needed in order to make "LOAD DATA INFILE" work.

So, what would be the proper way to achieve that?


Marcio Barbado, Jr.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-07-2012, 10:01 AM
Dominick Grift
 

On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
> Hi,
> I'm incurring some problems with MySQL and SELinux, and I need help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is:
> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
> in its permissive state.

This event may have been silently denied.
To reproduce the issue and expose silent denials:

run: semodule -DB
reproduce the issue
see if there is now an AVC denial displayed that is related to your
issue
run: semodule -B


 
Old 01-09-2012, 03:39 AM
"Marcio B. Jr."
 

Hi Dominick, thanks for answering.

This is a really unusual situation. So far I cannot explain why but
after re-enabling enforcement for more tests, statement happened to
work just as it did with permissive state.

I've used "semodule -DB" and reproduced issue in both states. Still no
logs. Testing will continue.


Regards,



On Sat, Jan 7, 2012 at 8:01 AM, Dominick Grift <dominick.grift@gmail.com> wrote:
> On Sat, 2012-01-07 at 02:26 -0300, Marcio B. Jr. wrote:
>> Hi,
>> I'm incurring some problems with MySQL and SELinux, and I need help.
>>
>> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>>
>> $ ps -eZ | grep mysqld
>> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
>> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>>
>> My problem is:
>> it is only possible to use "LOAD DATA INFILE" statement if SELinux is
>> in its permissive state.
>
> This event may have been silently denied.
> To reproduce the issue and expose silent denials:
>
> run: semodule -DB
> reproduce the issue
> see if there is now an AVC denial displayed that is related to your
> issue
> run: semodule -B



Marcio Barbado, Jr.
 
Old 01-09-2012, 09:17 AM
Miroslav Grepl
 

On 01/09/2012 04:39 AM, Marcio B. Jr. wrote:

> Hi Dominick, thanks for answering.
>
> This is a really unusual situation. So far I cannot explain why but
> after re-enabling enforcement for more tests, statement happened to
> work just as it did with permissive state.
>
> I've used "semodule -DB" and reproduced issue in both states. Still no
> logs. Testing will continue.
>
> Regards,

Make sure auditd is running.

# service auditd status

You should see AVC msgs in /var/log/audit/audit.log or you can use the
ausearch tool


# ausearch -m avc -ts recent



Also you should use a newer version of Fedora which is supported
(Fedora15+).

 
Old 01-09-2012, 04:17 PM
Daniel J Walsh
 


On 01/07/2012 12:26 AM, Marcio B. Jr. wrote:
> Hi, I'm incurring some problems with MySQL and SELinux, and I need
> help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is: it is only possible to use "LOAD DATA INFILE"
> statement if SELinux is in its permissive state.
>
> Strangely, logs below show no avc denial (all I can tell from them
> is Chinese tried to break into, and last line probably refers to
> when I added mysql user to some group I created). But statement
> won't work in enforcing state. Nothing gives me any tip concerning
> the referred MySQL statement issue.
>
> # cat /var/log/audit/audit.log | grep mysql
> type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
> acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
> terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
> acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
> terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
> acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
> terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
> acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
> terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
> acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
> terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login
> acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69
> terminal=sshd res=failed'
> type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group
> acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=?
> res=success'
>
> Firstly, where could that avc denial be in?
>
> And, well, I want to keep SELinux enforcing its policies, except
> for what is needed in order to make "LOAD DATA INFILE" work.
>
> So, what would be the proper way to achieve that?
>
>
> Marcio Barbado, Jr.



Please update to a supported OS, F15 or 16. 12 is way out of date.
Nothing in your log indicates SELinux is blocking anything.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
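
Added example, not part of the thread: a shell filter that keeps only `type=AVC` denial records for one source domain and summarises them, which is what the `ausearch -m avc` advice above looks for, whereas `grep mysql` also matches unrelated sshd login records. The function names `avc_summary` and `sample_log` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise AVC denials for one SELinux
# source domain from audit records on stdin, instead of grepping for a string.

# avc_summary DOMAIN_TYPE -> lines of "count perms tclass target_type"
avc_summary() {
    awk -v dom="$1" '
    $1 == "type=AVC" && /avc: +denied/ {
        perms = ""; tclass = ""; stype = ""; ttype = ""
        # denied permissions are listed between "{" and "}"
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, ",", perms)
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == dom)
            seen[perms " " tclass " " ttype]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Constructed sample records (not from the thread): one sshd login failure
# that mentions "mysql", three mysqld_t denials and one httpd_t denial.
sample_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1326100000.100:10): user pid=2229 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=sshd res=failed'
type=AVC msg=audit(1326100010.200:21): avc:  denied  { read } for  pid=1410 comm="mysqld" name="data.csv" dev=dm-0 ino=1001 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326100011.200:22): avc:  denied  { read } for  pid=1410 comm="mysqld" name="data.csv" dev=dm-0 ino=1001 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326100012.200:23): avc:  denied  { search } for  pid=1410 comm="mysqld" name="user1" dev=dm-0 ino=900 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1326100013.200:24): avc:  denied  { getattr } for  pid=3000 comm="httpd" path="/tmp/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

# Offline demonstration on the constructed records.
sample_log | avc_summary mysqld_t
```

On a live system, run `ausearch -m avc -ts recent | avc_summary mysqld_t` after reproducing the problem between `semodule -DB` and `semodule -B`.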
 
