From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When installing the MySQL rpm, it gives avc: denied messages in the /var/log/messages file.

Version-Release number of selected component (if applicable):
Any MySQL rpm from the MySQL web site, at least versions 4.1 and 5.0

How reproducible:
Always

Steps to Reproduce:
1. Load MySQL rpm from http://dev.mysql.com/downloads/mysql/4.1.html
2. Choose the server package.
3. Install with rpm -ivh or rpm -Uvh

At the end of installation, it says [failed]. This happens because the grant tables are not being installed in the mysql database.

Additional info:
Here is a patch that fixes the problem:

*** domains/program/mysqld.te 2005-09-03 20:07:32.028517426 +0200 --- domains/program/mysqld.te.fixed 2005-09-03 20:04:13.468426479 +0200 *************** *** 87,89 **** --- 87,93 ---- # because Fedora has the sock_file in the database directory file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) ') + + allow mysqld_t var_lib_t:dir { write add_name remove_name }; + allow mysqld_t var_lib_t:file { append create lock read write getattr unlink}; + allow mysqld_t var_lib_t:sock_file create;

You can apply the patch by:
cd /etc/selinux/targeted/src/policy
patch -p0 < mysql-selinux.patch
make load

Redhat also provides MySQL rpms, but they are probably built differently. MySQL's own rpms require the mysqld daemon to install the grant tables during rpm installation. That's why the extra privileges for the mysqld executable are needed in this case. I believe applying the patch does not lessen security, because it is only the mysqld binary that needs extra privileges to its own database directory and that should be ok.
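Review bot: The three added allow rules in the mysqld.te hunk are far broader than "mysqld's own database directory": var_lib_t is the generic label for everything under /var/lib that has no more specific type, so `allow mysqld_t var_lib_t:dir { write add_name remove_name };` and `allow mysqld_t var_lib_t:file { append create lock read write getattr unlink};` let a mysqld_t process create, overwrite and delete files in any other package's state directory, which is exactly the containment the targeted policy exists to provide. The denials come from a labeling problem rather than a missing permission: the %post scriptlet creates /var/lib/mysql with a plain mkdir, so the directory and everything mysql_install_db writes into it inherit var_lib_t instead of mysqld_db_t. The narrower fixes are a type transition so that anything mysqld creates under var_lib_t lands in mysqld_db_t (for example file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })), or running restorecon -R /var/lib/mysql in the scriptlet before mysqld is started; either keeps mysqld confined to its own type and makes these three rules unnecessary.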
How about file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })
Fixed in selinux-policy-targeted-1.17.30-2.119.noarch.rpm
The new selinux-policy-targeted RPM doesn't seem available on RHN. Is there any way I can get a copy of it for beta testing? Thanks.
Updated u3 policy is available at ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3/noarch selinux-policy-targeted-1.17.30-2.122.noarch.rpm
When will this be in up2date?
Soon I hope. They are running U3 through regression testing right now, but one never knows what they are going to find, especially with the kernel.
OK, thanks. FWIW, (In reply to comment #4)
> Updated u3 policy is available at
> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3/noarch
> selinux-policy-targeted-1.17.30-2.122.noarch.rpm
This doesn't install on a RHEL4 x86-64 system with all updates applied... it says:
error: Failed dependencies:
policycoreutils >= 1.18.1-4.9 is needed
# rpm -q policycoreutils
policycoreutils-1.18.1-4.7
Thanks, Barry
policycoreutils-1.18.1-4.9 is available on my people page for x86-64
One more problem? Every time I start MySQL (5.0.17 from MySQL AB's RPM), I get:
Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:4): avc: denied { sys_resource } for pid=3134 comm="mysqld" capability=24 scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=capability
Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:5): avc: denied { setrlimit } for pid=3134 comm="mysqld" scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=process
Feb 10 14:37:59 inet-dev-mysql lsb_log_message: succeeded
Thanks, Barry
Please attach the actual avc messages.
This looks like a labeling problem.
restorecon -R -v /var/lib
And then try to start mysql again.
The mis-labeling is the result of the Mysql-server rpm scripts. If I run restorecon after installing the packages the service starts as expected. Considering the fact that our stock RHEL packages initialize the database via the initscript, I tend to think this is an issue with the packages from dev.mysql.com. If they want to initialize the DB as part of %post, then they should add something like the following to their scripts:

if [ -x /sbin/restorecon ]; then
    #
    # Restore selinux file_context
    #
    /sbin/restorecon -R /var/lib/mysql
fi

If this makes sense to you, I'll move on. Thanks.

Additional info:

preinstall scriptlet (using /bin/sh):
# Shut down a previously installed server first
if test -x /etc/init.d/mysql
then
    /etc/init.d/mysql stop > /dev/null 2>&1
    echo "Giving mysqld a couple of seconds to exit nicely"
    sleep 5
elif test -x /etc/rc.d/init.d/mysql
then
    /etc/rc.d/init.d/mysql stop > /dev/null 2>&1
    echo "Giving mysqld a couple of seconds to exit nicely"
    sleep 5
fi

postinstall scriptlet (using /bin/sh):
mysql_datadir=/var/lib/mysql
# Create data directory if needed
if test ! -d $mysql_datadir; then mkdir -m755 $mysql_datadir; fi
if test ! -d $mysql_datadir/mysql; then mkdir $mysql_datadir/mysql; fi
if test ! -d $mysql_datadir/test; then mkdir $mysql_datadir/test; fi
# Make MySQL start/shutdown automatically when the machine does it.
# use insserv for older SuSE Linux versions
if test -x /sbin/insserv
then
    /sbin/insserv /etc/init.d/mysql
# use chkconfig on Red Hat and newer SuSE releases
elif test -x /sbin/chkconfig
then
    /sbin/chkconfig --add mysql
fi
# Create a MySQL user and group. Do not report any problems if it already
# exists.
groupadd -r mysql 2> /dev/null || true
useradd -M -r -d $mysql_datadir -s /bin/bash -c "MySQL server" -g mysql mysql 2> /dev/null || true
# The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
usermod -g mysql mysql 2> /dev/null || true
# Change permissions so that the user that will run the MySQL daemon
# owns all database files.
chown -R mysql:mysql $mysql_datadir
# Initiate databases
/usr/bin/mysql_install_db --rpm --user=mysql
# Change permissions again to fix any new files.
chown -R mysql:mysql $mysql_datadir
# Fix permissions for the permission database so that only the user
# can read them.
chmod -R og-rw $mysql_datadir/mysql
# Restart in the same way that mysqld will be started normally.
/etc/init.d/mysql start
# Allow safe_mysqld to start mysqld and print a message before we exit
sleep 2

preuninstall scriptlet (using /bin/sh):
if test $1 = 0
then
    # Stop MySQL before uninstalling it
    if test -x /etc/init.d/mysql
    then
        /etc/init.d/mysql stop > /dev/null
        # Remove autostart of mysql
        # for older SuSE Linux versions
        if test -x /sbin/insserv
        then
            /sbin/insserv -r /etc/init.d/mysql
        # use chkconfig on Red Hat and newer SuSE releases
        elif test -x /sbin/chkconfig
        then
            /sbin/chkconfig --del mysql
        fi
    fi
fi
# We do not remove the mysql user since it may still own a lot of
# database files.
# Clean up the BuildRoot

-----

# fixfiles check /var/lib/mysql/
/sbin/restorecon reset context /var/lib/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_category.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_keyword.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_topic.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/tables_priv.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_transition.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_keyword.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/func.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_topic.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/columns_priv.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/host.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_transition_type.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/db.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_leap_second.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_transition_type.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/user.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/columns_priv.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/host.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_leap_second.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/db.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_name.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/tables_priv.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_relation.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_topic.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_name.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_leap_second.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_relation.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_category.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_transition.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/db.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/func.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_category.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/columns_priv.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/tables_priv.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/func.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_relation.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/user.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_name.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/host.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/help_keyword.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_transition_type.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/time_zone_transition.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql/user.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/test:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/test1203.test.redhat.com.err:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t

Comment #42 from Daniel Walsh (dwalsh) on 2006-02-20 13:40
Yes but there should be a bugzilla for this.

Comment #43 from Ben Levenson (benl) on 2006-02-21 09:54
State changed from ON_QA to NEED_DEV by Ben Levenson (benl).

Comment #44 from Ben Levenson (benl) on 2006-02-21 09:54
Not sure what you mean by the previous comment. There is a bugzilla for this: bug 167551. Is it not sufficient to close that bug with a final comment reading "run 'restorecon -R /var/lib/mysql' after installing the packages from dev.mysql.com to fix the broken file contexts created by the Mysql-server post-install script"?
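An added example, not code from this bug report or from MySQL AB's RPM scriptlets: the relabel step the %post scriptlet above is missing, written as a guarded helper, plus a POSIX shell check that parses the `fixfiles check` output format shown above and reports every path whose current type is not the one the policy expects (mysqld_db_t). The function names, the wrapper, and the SAMPLE_FIXFILES_OUTPUT lines are constructed for this example; the paths and the `reset context PATH:OLD->NEW` format are taken from the thread.

```shell
#!/bin/sh
# Added example (not part of the bug report or of MySQL AB's RPM scriptlets).
# Paths and the fixfiles output format come from the thread; the function
# names and SAMPLE_FIXFILES_OUTPUT are assumptions made for this example.

mysql_datadir=/var/lib/mysql

# The step the MySQL %post scriptlet lacks: after mysql_install_db has created
# files that inherited var_lib_t from a plain mkdir, reapply the policy's
# file_contexts so the whole tree gets mysqld_db_t before mysqld is started.
# restorecon is a no-op when SELinux is disabled, so the guard only has to
# cover hosts where the binary is absent.
relabel_datadir() {
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon -R "$mysql_datadir"
    fi
}

# Parse `fixfiles check` / `restorecon -n -v` output, one entry per line:
#   /sbin/restorecon reset context PATH:OLDCTX->NEWCTX
# and print "PATH OLDTYPE" for every entry whose current type is not $1.
# Lines in any other shape (warnings, blanks) are skipped.
mislabeled_paths() {
    expected="$1"
    while IFS= read -r line; do
        case "$line" in
            *' reset context '*) ;;
            *) continue ;;
        esac
        entry=${line#*" reset context "}    # PATH:OLDCTX->NEWCTX
        path=${entry%%:*}                   # text before the first ':'
        old=${entry#*:}                     # OLDCTX->NEWCTX
        old=${old%%->*}                     # OLDCTX, e.g. root:object_r:var_lib_t
        oldtype=${old##*:}                  # var_lib_t
        if [ "$oldtype" != "$expected" ]; then
            printf '%s %s\n' "$path" "$oldtype"
        fi
    done
    return 0
}

# Number of mislabeled entries on stdin, printed as a bare integer.
count_mislabeled() {
    mislabeled_paths "$1" | {
        n=0
        while IFS= read -r junk; do n=$((n + 1)); done
        printf '%d\n' "$n"
    }
}

# Exit 0 only when nothing on stdin is mislabeled. Usable as a post-install
# gate:  fixfiles check /var/lib/mysql/ 2>&1 | check_labels mysqld_db_t
check_labels() {
    [ "$(count_mislabeled "$1")" -eq 0 ]
}

# Constructed sample in the format the thread shows (not real output); the
# third line is a deliberately non-matching line that the parser must skip.
SAMPLE_FIXFILES_OUTPUT='/sbin/restorecon reset context /var/lib/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context /var/lib/mysql/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon: (constructed noise line, ignored by the parser)
/sbin/restorecon reset context /var/lib/mysql/mysql/user.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t'

# Usage: list what is still wrong before deciding whether to start mysqld.
printf '%s\n' "$SAMPLE_FIXFILES_OUTPUT" | mislabeled_paths mysqld_db_t
```

Run against the sample this prints the three var_lib_t entries; on a real host replace the sample with `fixfiles check /var/lib/mysql/ 2>&1` and call `relabel_datadir` when `check_labels mysqld_db_t` fails. The check deliberately reads the current (left-hand) type rather than trusting that the tree was relabeled, which is what catches the case in this thread where mysql_install_db runs before any restorecon.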
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0049.html
I'm still getting messages like this:
kernel: audit(1143485553.255:2): avc: denied { sys_resource } for pid=2260 comm="mysqld" capability=24 scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=capability
when restarting MySQL, with all up2dates installed on RHEL4
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126
MySQL-client-pro-gpl-cert-5.0.17a-0.rhel4
MySQL-server-pro-gpl-cert-5.0.17a-0.rhel4
Daniel, you asked for "the actual AVC messages"... where does one find those? There are no files in /var/log/audit and 'ausearch -m avc' has no output... (from http://fedoraproject.org/wiki/SELinux/Troubleshooting)
Thanks, Barry
MySQL is working, btw; I just am a little concerned about these messages. Thanks
Running restorecon (again) seems to have helped. Perhaps that needs to be mentioned in the errata?? Thanks
From our perspective, this is a bug in MySQL AB's RPMs. You should either use our RPMs or file a bug report at www.mysql.com.