Bug 498053
Summary: | Monitoring, mysql can not get mysql probe to connect to mysql server on rhel4/5 w/ selinux Enforcing
---|---
Product: | Red Hat Satellite 5
Reporter: | wes hayutin <whayutin>
Component: | Monitoring
Assignee: | Jan Pazdziora <jpazdziora>
Status: | CLOSED CURRENTRELEASE
QA Contact: | wes hayutin <whayutin>
Severity: | medium
Priority: | low
Version: | 530
CC: | bperkins, mzazrivec
Hardware: | All
OS: | Linux
URL: | https://riverraid.rhndev.redhat.com/rhn/systems/details/probes/ProbesList.do?sid=1000010020
Fixed In Version: | sat530
Doc Type: | Bug Fix
Last Closed: | 2009-09-10 19:12:41 UTC
Bug Blocks: | 457079

Description
wes hayutin
2009-04-28 16:31:03 UTC
Created attachment 341602 [details]
spacewalk-debug
Created attachment 341603 [details]
sosreport from sat server
Created attachment 341605 [details]
sosreport from client
I'm an idiot, selinux was on.. and I found selinux errors for monitoring and mysql here..

type=MAC_STATUS msg=audit(1240937469.177:1342): enforcing=0 old_enforcing=1 auid=0 ses=148
type=SYSCALL msg=audit(1240937469.177:1342): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf94ab04 a2=1 a3=bf94ab04 items=0 ppid=4804 pid=15274 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=148 comm="setenforce" exe="/usr/sbin/setenforce" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1240937500.386:1343): avc: denied { getattr } for pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.386:1343): arch=40000003 syscall=195 success=yes exit=0 a0=bf8845ae a1=bf88154c a2=53aff4 a3=bf88154c items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.386:1344): avc: denied { read } for pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.386:1344): arch=40000003 syscall=5 success=yes exit=3 a0=bf8845ae a1=8000 a2=1b6 a3=9808520 items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.418:1345): avc: denied { getattr } for pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.418:1345): arch=40000003 syscall=195 success=yes exit=0 a0=bf8839be a1=bf88392c a2=53aff4 a3=bf88392c items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.418:1346): avc: denied { read } for pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.418:1346): arch=40000003 syscall=5 success=yes exit=4 a0=bf8839be a1=8000 a2=0 a3=8000 items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)

the probe works just fine w/ selinux in permissive

the above selinux errors are on the rhn-satellite server riverraid.

Jan can you do this one, please?

Note to self: The AVCs are

type=AVC msg=audit(1240937500.386:1343): avc: denied { getattr } for pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1240937500.386:1344): avc: denied { read } for pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1240937500.418:1345): avc: denied { getattr } for pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1240937500.418:1346): avc: denied { read } for pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

The /usr/bin/mysql is bin_t, nothing special:

# ls -laZ /usr/bin/mysql
-rwxr-xr-x root root system_u:object_r:bin_t /usr/bin/mysql

Fix in Spacewalk master f00ef6f06308869c2125ed4a848c51fc061ca1ca and VADER b3db1b234a682f5a43df9ee3c016489a23698541.

Tagged as spacewalk-monitoring-selinux-0.6.6-1 (master).

With compose Satellite-5.3.0-RHEL5-re20090520.0 available, moving ON_QA.

verified..

[root@grandprix ~]# setenforce 1
[root@grandprix ~]# su - nocpulse
-bash-3.2$ rhn-runprobe --debug 2 --probe 93
2009-06-02 08:55:09 No items changed
2009-06-02 08:55:09 Notification not required
2009-06-02 08:55:09 NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-02 08:55:09 ============================================================
OK: Client connectivity for user sattest to database test successful

5.3.0 final iso:

$ rhn-runprobe --live 21
2009-09-09 11:52:34 No items changed
2009-09-09 11:52:34 Notification not required
2009-09-09 11:52:34 ============================================================
OK: Client connectivity for user testuser to database mysql successful
============================================================

No selinux denials, RELEASE_PENDING.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
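
For triaging denials like the ones in this report, an added example (not part of the bug report or of Spacewalk's code) that pulls AVC records out of pasted audit output, even when they are run together on one line, and groups them into candidate allow rules for review, in the manner of audit2allow. The sample input is the four AVC records quoted above; the function names are this example's own.

```python
import re
from collections import defaultdict

# The four AVC records quoted in this report, pasted as one run of text
# with no line breaks between records.
SAMPLE = (
    'type=AVC msg=audit(1240937500.386:1343): avc: denied { getattr } for pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file '
    'type=AVC msg=audit(1240937500.386:1344): avc: denied { read } for pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file '
    'type=AVC msg=audit(1240937500.418:1345): avc: denied { getattr } for pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file '
    'type=AVC msg=audit(1240937500.418:1346): avc: denied { read } for pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'
)

# One denial: permission set, free-form fields, then the two contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<body>.*?)'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)', re.S)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(text):
    """Extract every AVC denial found in text, in order of appearance."""
    denials = []
    for m in AVC_RE.finditer(text):
        obj = re.search(r'\b(?:path|name)="([^"]*)"', m["body"])
        comm = re.search(r'\bcomm="([^"]*)"', m["body"])
        denials.append({
            "perms": m["perms"].split(),
            "comm": comm.group(1) if comm else None,
            "object": obj.group(1) if obj else None,
            "source": selinux_type(m["s"]),
            "target": selinux_type(m["t"]),
            "tclass": m["c"],
        })
    return denials

def candidate_rules(denials):
    """Merge permissions per (source, target, class) into allow rules to review."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE))))
```

The output is a starting point for policy review, not the rule set shipped in spacewalk-monitoring-selinux-0.6.6-1, which this page references only by commit id.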