Bug 573605

Summary: Possibly a missing mysql related policy setting.
Product: [Fedora] Fedora Reporter: Maciej Żenczykowski <zenczykowski>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.6.32-103.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-20 03:32:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Maciej Żenczykowski 2010-03-15 09:37:29 UTC 
# rpm -qa | egrep selinux
libselinux-2.0.90-5.fc12.i686
selinux-policy-3.6.32-99.fc12.noarch
libselinux-python-2.0.90-5.fc12.x86_64
libselinux-devel-2.0.90-5.fc12.x86_64
selinux-policy-targeted-3.6.32-99.fc12.noarch
libselinux-2.0.90-5.fc12.x86_64
libselinux-utils-2.0.90-5.fc12.x86_64

I can't seem to run Logitech/SlimDevices SqueezeBoxServer from http://repos.slimdevices.com/yum/squeezecenter/release/

# rpm -qa | egrep squeeze
squeezeboxserver-7.4.2-1.noarch
squeezecenter-repo-1-6.noarch

without the following:

allow mysqld_t mysqld_db_t:sock_file unlink;

I'm unsure whether this is a mysql misconfiguration or a problem with squeezeboxserver, but since squeezeboxserver is just a perl script... I'm thinking that maybe this is just missing from the policy?
Comment 1 Daniel Walsh 2010-03-15 13:45:14 UTC 
Miroslav,


Add

manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
Comment 2 Miroslav Grepl 2010-03-15 16:21:13 UTC 
Fixed in selinux-policy-3.6.32-102.fc12
Comment 3 Maciej Żenczykowski 2010-03-15 19:11:41 UTC 
Buganizer went down immediately after I posted this last night, and I wasn't able to post a follow up.

When I now run:

$ ls -alZ /var/lib/mysql/*.sock /var/lib/squeezeboxserver/cache/*.sock
srwxrwxrwx. mysql            mysql            unconfined_u:object_r:mysqld_var_run_t:s0 /var/lib/mysql/mysql.sock
srwxrwxrwx. squeezeboxserver squeezeboxserver unconfined_u:object_r:mysqld_var_run_t:s0 /var/lib/squeezeboxserver/cache/squeezebox-mysql.sock

note the mysqld_var_run_t, it used to be mysqld_db_t.

Is it possible that the context of these files is now being set differently, and once the files were deleted (which required the ACL change) they got created with the new context (and hence the ACL change is no longer needed - ie. it is only needed for the transition)?

I've modified my squeezebox.te, commented out the allow statement, and recompiled/reloaded it.  Am I correct in understanding it replaces the previous policy I had loaded?  If such, that means that this change is actually not needed, you just have to manually delete the sockets the first time, and on future mysqld/squeezeboxserver invocations they come up with a different context and everything works.
Comment 4 Fedora Update System 2010-03-15 22:18:59 UTC 
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
Comment 5 Fedora Update System 2010-03-16 23:25:11 UTC 
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
Comment 6 Fedora Update System 2010-03-20 03:31:08 UTC 
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.