MySQL /var/run/mysqld created as initrc_var_run_t
Hello everyone,
I have set up a machine (amd64) with the hardened stage3 and SELinux strict. I'm now having issues with mysql and its /var/run/mysqld being marked as initrc_var_run_t. If I unmerge and remerge mysql it works fine, the /var/run/mysqld is marked as mysqld_var_run_t, but after rebooting, it is back to initrc_var_run_t again:

    # ls -lZ /var/run/
    total 24
    drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t       40 Aug 25 17:44 lock
    drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 80 Aug 26 00:44 mysqld
    [snip]

Interesting to note that on the first install the group ID for /var/run/mysqld is set to "mysql", but after reboot it becomes "root". Why?

This is causing mysql to stall on bootup. I get these denials:

    #============= mysqld_t ==============
    #!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
    # var_log_t, mysqld_db_t, tmp_t, mysqld_var_run_t, mysqld_tmp_t, var_lib_t, var_run_t
    allow mysqld_t initrc_var_run_t:dir { write search add_name };
    #!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
    # mysqld_log_t, mysqld_db_t, mysqld_var_run_t, mysqld_tmp_t
    allow mysqld_t initrc_var_run_t:file { write create open };
    allow mysqld_t initrc_var_run_t:sock_file create;
    allow mysqld_t portage_log_t:file { getattr open append };

semanage fcontext shows the files are supposed to be marked mysqld_var_run_t:

    /etc/my.cnf                         regular file  system_u:object_r:mysqld_etc_t
    /etc/mysql(/.*)?                    all files     system_u:object_r:mysqld_etc_t
    /etc/rc.d/init.d/mysqld             regular file  system_u:object_r:mysqld_initrc_exec_t
    /etc/rc.d/init.d/mysqlmanager       regular file  system_u:object_r:mysqlmanagerd_initrc_exec_t
    /usr/bin/mysql_upgrade              regular file  system_u:object_r:mysqld_exec_t
    /usr/bin/mysqld_safe                regular file  system_u:object_r:mysqld_safe_exec_t
    /usr/libexec/mysqld                 regular file  system_u:object_r:mysqld_exec_t
    /usr/sbin/mysqld(-max)?             regular file  system_u:object_r:mysqld_exec_t
    /usr/sbin/mysqlmanager              regular file  system_u:object_r:mysqlmanagerd_exec_t
    /usr/sbin/ndbd                      regular file  system_u:object_r:mysqld_exec_t
    /var/lib/mysql(/.*)?                all files     system_u:object_r:mysqld_db_t
    /var/lib/mysql/mysql.sock           socket        system_u:object_r:mysqld_var_run_t
    /var/log/mysql.*                    regular file  system_u:object_r:mysqld_log_t
    /var/run/mysqld(/.*)?               all files     system_u:object_r:mysqld_var_run_t
    /var/run/mysqld/mysqlmanager.*      regular file  system_u:object_r:mysqlmanagerd_var_run_t

I've tried creating my own mysql.te module with type_transition statements to have /var/run/mysqld marked as mysqld_var_run_t, but to no avail there. I'm running selinux base policy r15, same for sec-policy/selinux-mysql.

Any suggestions?

- Mathew
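As an added check (example code, not part of the thread), the script below replays the comparison made by hand above: it parses `ls -lZ` and `semanage fcontext -l` output, picks the last matching fcontext pattern for each directory entry (the precedence file_contexts uses), and reports every entry whose live label disagrees with the policy. The two listings are constructed samples based on the output quoted in the post, and the `ls -lZ` column layout is assumed to be the one shown there.

```python
import re

# Constructed sample of `semanage fcontext -l` output, reduced to the mysql run-dir entries quoted above.
FCONTEXT_LISTING = """\
/var/run/mysqld(/.*)?           all files     system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*  regular file  system_u:object_r:mysqlmanagerd_var_run_t
"""

# Constructed sample of `ls -lZ /var/run/` as it looked after the reboot.
LS_LISTING = """\
drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t       40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 80 Aug 26 00:44 mysqld
"""

# semanage's file-type column mapped to the first character of an `ls -l` mode string.
FILE_TYPE_MODES = {"all files": None, "regular file": "-", "directory": "d", "socket": "s"}

def parse_fcontext(listing):
    """Return one (anchored regex, mode char or None, SELinux type) tuple per rule."""
    rules = []
    for line in listing.splitlines():
        m = re.match(r"^(\S+)\s+(.+?)\s+(\S+:\S+:\S+)\s*$", line)
        if m:
            pattern, ftype, ctx = m.groups()
            rules.append((re.compile(pattern), FILE_TYPE_MODES.get(ftype), ctx.split(":")[2]))
    return rules

def expected_type(path, mode_char, rules):
    """Type the policy wants for `path`; the last matching rule wins, as in file_contexts."""
    for regex, ftype_mode, setype in reversed(rules):
        if regex.fullmatch(path) and ftype_mode in (None, mode_char):
            return setype
    return None  # no rule covers this path: the policy has no opinion

def find_mislabeled(ls_output, fcontext_output, base_dir):
    """Return (path, actual type, expected type) for entries whose label disagrees with policy."""
    rules = parse_fcontext(fcontext_output)
    mismatches = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 9:  # skips "total N" and blank lines
            continue
        mode, ctx, name = fields[0], fields[4], fields[-1]
        path = base_dir.rstrip("/") + "/" + name
        actual = ctx.split(":")[2]
        wanted = expected_type(path, mode[0], rules)
        if wanted is not None and wanted != actual:
            mismatches.append((path, actual, wanted))
    return mismatches
```

On a live system, `restorecon -nv /var/run/mysqld` makes the same comparison against the real file_contexts database and prints what it would relabel.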
MySQL /var/run/mysqld created as initrc_var_run_t
On 26/08/12 11:34 AM, Mathew McBride wrote:
> Hello everyone,
> I have set up a machine (amd64) with the hardened stage3 and SELinux strict.

Spoke too soon. Policy packages from hardened-dev overlay fixed it (specifically bug #427750).

- Mathew
MySQL /var/run/mysqld created as initrc_var_run_t
On Sun, Aug 26, 2012 at 01:10:59PM +1000, Mathew McBride wrote:
> Spoke too soon. Policy packages from hardened-dev overlay fixed it
> (specifically bug #427750)

Yes, I need to push out one to ~arch soon. There's just many updates still coming (especially with the /run stuff) and I wanted to tackle that first. Rev5 will be made soon too, already contains fixes for nscd, ConsoleKit and asterisk (/run support) and ntp, bind and openvpn (be able to execute their init scripts).

Wkr,
Sven Vermeulen