08-26-2012, 01:34 AM
Mathew McBride

MySQL /var/run/mysqld created as initrc_var_run_t

Hello everyone,
I have set up a machine (amd64) with the hardened stage3 and SELinux
strict.


I'm now having issues with mysql and its /var/run/mysqld being marked as
initrc_var_run_t.


If I unmerge and remerge mysql it works fine, the /var/run/mysqld is
marked as mysqld_var_run_t, but after rebooting, it is back to
initrc_var_run_t again:


# ls -lZ /var/run/
total 24
drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t       40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 80 Aug 26 00:44 mysqld

[snip]

Interesting to note that on the first install the group ID for
/var/run/mysqld is set to "mysql", but after reboot it becomes "root", why?


This is causing mysql to stall on bootup. I get these denials:

#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
# var_log_t, mysqld_db_t, tmp_t, mysqld_var_run_t, mysqld_tmp_t, var_lib_t, var_run_t
allow mysqld_t initrc_var_run_t:dir { write search add_name };

#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_log_t, mysqld_db_t, mysqld_var_run_t, mysqld_tmp_t
allow mysqld_t initrc_var_run_t:file { write create open };
allow mysqld_t initrc_var_run_t:sock_file create;
allow mysqld_t portage_log_t:file { getattr open append };


semanage fcontext shows the files are supposed to be marked
mysqld_var_run_t:


/etc/my.cnf                         regular file    system_u:object_r:mysqld_etc_t
/etc/mysql(/.*)?                    all files       system_u:object_r:mysqld_etc_t
/etc/rc.d/init.d/mysqld             regular file    system_u:object_r:mysqld_initrc_exec_t
/etc/rc.d/init.d/mysqlmanager       regular file    system_u:object_r:mysqlmanagerd_initrc_exec_t
/usr/bin/mysql_upgrade              regular file    system_u:object_r:mysqld_exec_t
/usr/bin/mysqld_safe                regular file    system_u:object_r:mysqld_safe_exec_t
/usr/libexec/mysqld                 regular file    system_u:object_r:mysqld_exec_t
/usr/sbin/mysqld(-max)?             regular file    system_u:object_r:mysqld_exec_t
/usr/sbin/mysqlmanager              regular file    system_u:object_r:mysqlmanagerd_exec_t
/usr/sbin/ndbd                      regular file    system_u:object_r:mysqld_exec_t
/var/lib/mysql(/.*)?                all files       system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql.sock           socket          system_u:object_r:mysqld_var_run_t
/var/log/mysql.*                    regular file    system_u:object_r:mysqld_log_t
/var/run/mysqld(/.*)?               all files       system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*      regular file    system_u:object_r:mysqlmanagerd_var_run_t


I've tried creating my own mysql.te module with type_transition
statements to have /var/run/mysqld marked as mysqld_var_run_t, but to no
avail there.


I'm running selinux base policy r15, same for sec-policy/selinux-mysql

Any suggestions?

- Mathew
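The check that narrows a problem like this down is to compare what the policy says a path should be labelled (the `semanage fcontext -l` specs) with what is actually on disk (`ls -lZ`). The script below is an added example, not code from the thread; it parses constructed copies of both outputs offline and reports every path whose type component differs from the policy's expectation. Picking the "most specific" matching spec by longest literal prefix is a simplification of libselinux's ordering and is an assumption of this example, as are the sample rows.

```python
"""Compare observed SELinux file contexts against file-context specs and flag
paths whose type differs from what the policy expects.
Added example (not from the thread); all sample data below is constructed."""
import re

# Constructed sample: a subset of `semanage fcontext -l` rows (spec, file type, context).
FCONTEXT_SPECS = """\
/etc/mysql(/.*)?                  all files      system_u:object_r:mysqld_etc_t
/var/lib/mysql(/.*)?              all files      system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql.sock         socket         system_u:object_r:mysqld_var_run_t
/var/run/mysqld(/.*)?             all files      system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*    regular file   system_u:object_r:mysqlmanagerd_var_run_t
"""

# Constructed sample: `ls -ldZ`-style rows (mode, user, group, context, path) after a reboot.
OBSERVED = """\
drwxr-xr-x. root  uucp  system_u:object_r:var_lock_t        /var/run/lock
drwxr-xr-x. root  root  system_u:object_r:initrc_var_run_t  /var/run/mysqld
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t  /var/run/mysqld/mysqld.sock
drwx------. mysql mysql system_u:object_r:mysqld_db_t       /var/lib/mysql
"""

# semanage's file-type column mapped to the type character ls prints in the mode field.
FTYPE_CHARS = {
    "all files": None,          # None: the spec applies to every file type
    "regular file": "-",
    "directory": "d",
    "socket": "s",
    "symbolic link": "l",
    "named pipe": "p",
    "character device": "c",
    "block device": "b",
}


def parse_specs(text):
    """Parse (regex, ftype_char, context) triples; unknown file types raise KeyError."""
    specs = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s{2,}(.+?)\s{2,}(\S+)$", line.strip())
        if m:
            spec, ftype, context = m.groups()
            specs.append((spec, FTYPE_CHARS[ftype], context))
    return specs


def literal_prefix(spec):
    """Length of the leading metacharacter-free part of a spec; longer is treated
    as more specific (assumed simplification of libselinux's spec ordering)."""
    m = re.search(r"[.^$?*+|()\[\]{}\\]", spec)
    return len(spec) if m is None else m.start()


def expected_type(specs, path, ftype_char):
    """Type component the policy expects for path, or None if no spec matches."""
    best = None
    for spec, want_char, context in specs:
        if want_char is not None and want_char != ftype_char:
            continue
        if re.fullmatch(spec, path) is None:
            continue
        if best is None or literal_prefix(spec) > literal_prefix(best[0]):
            best = (spec, context)
    return None if best is None else best[1].split(":")[2]


def parse_observed(text):
    """Parse ls -ldZ-style rows into (path, ftype_char, actual_type)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            mode, _user, _group, context, path = parts
            rows.append((path, mode[0], context.split(":")[2]))
    return rows


def check_labels(specs_text, observed_text):
    """Return (path, actual_type, expected_type) for each mislabelled path.
    Paths with no matching spec are skipped, since the sample spec list is partial."""
    specs = parse_specs(specs_text)
    mismatches = []
    for path, ftype_char, actual in parse_observed(observed_text):
        expected = expected_type(specs, path, ftype_char)
        if expected is not None and expected != actual:
            mismatches.append((path, actual, expected))
    return mismatches


if __name__ == "__main__":
    for path, actual, expected in check_labels(FCONTEXT_SPECS, OBSERVED):
        print(f"{path}: labelled {actual}, policy expects {expected}"
              f" -> restorecon -Rv {path}")
```

On the constructed data the only mismatch is `/var/run/mysqld` (`initrc_var_run_t` where the policy expects `mysqld_var_run_t`), which is exactly what the denials in the post show: mysqld_t has no write access to `initrc_var_run_t`. A root-owned directory with that label is consistent with the directory being created at boot by the init script running as initrc_t rather than by mysqld itself, so relabelling with `restorecon -Rv /var/run/mysqld` only helps until the next boot; the lasting fix is the policy that controls how the directory is created, which is what the overlay update mentioned later in the thread addresses.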
 
08-26-2012, 03:10 AM
Mathew McBride

MySQL /var/run/mysqld created as initrc_var_run_t

On 26/08/12 11:34 AM, Mathew McBride wrote:
> Hello everyone,
> I have set up a machine (amd64) with the hardened stage3 and SELinux
> strict.

Spoke too soon. Policy packages from hardened-dev overlay fixed it
(specifically bug #427750)


- Mathew
 
08-26-2012, 08:47 AM
Sven Vermeulen

MySQL /var/run/mysqld created as initrc_var_run_t

On Sun, Aug 26, 2012 at 01:10:59PM +1000, Mathew McBride wrote:
> Spoke too soon. Policy packages from hardened-dev overlay fixed it
> (specifically bug #427750)

Yes, I need to push out one to ~arch soon. There's just many updates still
coming (especially with the /run stuff) and I wanted to tackle that first.

Rev5 will be made soon too, already contains fixes for nscd, ConsoleKit and
asterisk (/run support) and ntp, bind and openvpn (be able to execute their
init scripts).

Wkr,
Sven Vermeulen
 