Bug 1584643

Summary: Unconfined /usr/bin/mysqld
Product: Fedora
Reporter: Honza Horak <hhorak>
Component: community-mysql
Assignee: Jakub Jančo <jjanco>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: hhorak, jstanek, louzaoh, mschorm
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2018-09-13 19:41:35 UTC
Bug Blocks: 1616258

Description Honza Horak 2018-05-31 11:24:44 UTC
Description of problem:
After moving /usr/libexec/mysqld to /usr/bin/mysqld, the SELinux label of this file is wrong:

# ls -lZ /usr/bin/mysqld
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 55830272 May 23 04:51 /usr/bin/mysqld

This can be fixed either by shipping the fixed SELinux rules for this package together with community-mysql (bug #1577199), or in the selinux-policy package, or by reverting this particular change.

Comment 2 Jan Kurik 2018-08-14 11:18:58 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 3 Jakub Jančo 2018-08-20 13:37:07 UTC
Currently the SELinux policy defines the type "mysqld_exec_t" for the link.
# ls -Z /usr/sbin/mysqld 
system_u:object_r:mysqld_exec_t:s0 /usr/sbin/mysqld

This leads to more SELinux denials for the systemd service, as seen below.

time->Mon Aug 20 09:25:46 2018
type=AVC msg=audit(1534771546.671:542): avc:  denied  { read } for  pid=4542 comm="(mysqld)" name="mysqld" dev="vda1" ino=177756 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_exec_t:s0 tclass=lnk_file permissive=0

I will revert the label to the previous "system_u:object_r:bin_t:s0"; this "model" is followed by all links in the OS, and the systemd service also works.
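
The two symptoms in this bug (the binary carrying bin_t in the description, and the symlink carrying mysqld_exec_t in comment 3) can be triaged from text alone. The following is an added example, not code from the bug report, from community-mysql or from Fedora's selinux-policy: it parses `ls -Z` listings and audit AVC records, reports which path has the wrong type, and prints the local `semanage fcontext`/`restorecon` workaround. The expected types (mysqld_exec_t on the ELF binary, bin_t on the symlink) are this example's assumption, taken from the bug's own discussion; a binary left as bin_t gives init_t no domain transition into mysqld_t, which is the "unconfined" of the summary. The `ls -lZ` line for the symlink is constructed; the other inputs are the ones quoted in the bug.

```python
"""Text-only triage for the mysqld SELinux labeling problem in this bug.

Added example; not code from the bug, community-mysql or selinux-policy.
It works on captured `ls -Z` and audit.log lines, so it runs without SELinux.
"""
import re

# Assumption: the type each path should carry once the policy is right.
# bin_t on the binary means no transition from init_t into mysqld_t, so
# mysqld keeps its parent's domain; the symlink stays bin_t as comment 3 says.
EXPECTED_TYPES = {
    "/usr/bin/mysqld": "mysqld_exec_t",   # the ELF binary (entrypoint of mysqld_t)
    "/usr/sbin/mysqld": "bin_t",          # symlink pointing at the binary
}

_CONTEXT_RE = re.compile(r"^\w+:\w+:\w+(?::\S+)?$")      # user:role:type[:level]
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="v"
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def parse_ls_z(output):
    """Parse `ls -Z` or `ls -lZ` lines into {path: (type, is_symlink)}.

    is_symlink is True/False when the mode column is present (-l) and None
    for the short `ls -Z` form, which does not show it.
    """
    labels = {}
    for line in output.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        context = next((f for f in fields if _CONTEXT_RE.match(f)), None)
        if context is None:
            raise ValueError(f"no SELinux context in: {line!r}")
        # `ls -l` prints "link -> target" for symlinks; keep the link's path.
        path = fields[fields.index("->") - 1] if "->" in fields else fields[-1]
        mode = fields[0]
        is_symlink = None if mode == context else mode.startswith("l")
        labels[path] = (selinux_type(context), is_symlink)
    return labels


def find_mislabeled(ls_output, expected=EXPECTED_TYPES):
    """Return [(path, actual_type, expected_type)] for listed paths with the wrong type."""
    labels = parse_ls_z(ls_output)
    return [(p, labels[p][0], want) for p, want in expected.items()
            if p in labels and labels[p][0] != want]


def parse_avc(record):
    """Parse one audit AVC record into a dict; adds 'decision' and 'perms'."""
    m = _AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(record)}
    fields["decision"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def explain_denial(avc):
    """One-line diagnosis; encodes comment 3's reading of the lnk_file denial."""
    src, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
    perms = " ".join(avc["perms"])
    if avc["tclass"] == "lnk_file" and tgt.endswith("_exec_t"):
        return (f"{src} cannot {perms} symlink {avc.get('name', '?')} labeled {tgt}: "
                f"the executable type belongs on the target binary; "
                f"relabel the symlink bin_t so {src} can follow it")
    return f"no rule allows {src} {perms} on {avc['tclass']} of type {tgt}"


def remediation(path, expected_type):
    """Local file-context workaround until the policy package ships the fix."""
    return [f"semanage fcontext -a -t {expected_type} '{path}'",
            f"restorecon -v '{path}'"]


# Constructed sample input: the `ls -lZ` line quoted in the description, plus a
# reconstructed `ls -lZ` line for the symlink that comment 3 shows with `ls -Z`.
SAMPLE_LS = """\
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 55830272 May 23 04:51 /usr/bin/mysqld
lrwxrwxrwx. 1 root root system_u:object_r:mysqld_exec_t:s0 15 Aug 20 09:25 /usr/sbin/mysqld -> /usr/bin/mysqld
"""

# The AVC record quoted in comment 3, verbatim.
SAMPLE_AVC = ('type=AVC msg=audit(1534771546.671:542): avc:  denied  { read } for  '
              'pid=4542 comm="(mysqld)" name="mysqld" dev="vda1" ino=177756 '
              'scontext=system_u:system_r:init_t:s0 '
              'tcontext=system_u:object_r:mysqld_exec_t:s0 tclass=lnk_file permissive=0')

if __name__ == "__main__":
    for path, actual, want in find_mislabeled(SAMPLE_LS):
        print(f"{path}: is {actual}, expected {want}")
        for cmd in remediation(path, want):
            print("   ", cmd)
    print(explain_denial(parse_avc(SAMPLE_AVC)))
```

On a real host, feed it `ls -lZ /usr/bin/mysqld /usr/sbin/mysqld` and `ausearch -m avc -c '(mysqld)'` output instead of the samples. The `semanage`/`restorecon` lines are a per-machine workaround only; the durable fix is the file context in selinux-policy, which is where this bug was resolved.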

Comment 4 Jakub Jančo 2018-09-13 19:41:35 UTC
Fixed since selinux-policy-3.14.2-33