Bug 430192 - Enforce level prevents mysqld from running
Summary: Enforce level prevents mysqld from running
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On: 430195
Blocks:
Reported: 2008-01-25 04:06 UTC by David Highley
Modified: 2008-01-30 15:26 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 15:26:19 UTC
Type: ---
Embargoed:



Description David Highley 2008-01-25 04:06:39 UTC
Description of problem:
In enforce mode the service mysqld will not start. Looks like it tries to create
a test in the directory /var/lib/mysql/test to see if it has dropped
privileges but gets blocked.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-76.fc8
mysql-5.0.45-6.fc8

How reproducible:
service mysqld start

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Worked until relabeled /var/lib directory.

Comment 1 Daniel Walsh 2008-01-25 14:48:47 UTC
What avc messages are you seeing?

Comment 2 David Highley 2008-01-26 04:43:40 UTC
type=AVC msg=audit(1201309200.360:626): avc:  denied  { unlink } for  pid=13640
comm="mysqld" name="#sql_95c_0.MYI" dev=dm-0 ino=27001804
scontext=system_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1201309200.360:626): arch=c000003e syscall=87 success=yes
exit=0 a0=451097d0 a1=10 a2=451095ae a3=0 items=0 ppid=2339 pid=13640
auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=(none) comm="mysqld" exe="/usr/libexec/mysqld"
subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1201309782.935:636): avc:  denied  { write } for  pid=6524
comm="mysqld" name="housekeeping.MYI" dev=dm-0 ino=27067325
scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1201309782.935:636): arch=c000003e syscall=2 success=yes
exit=105 a0=45148e90 a1=2 a2=0 a3=4513e75b items=0 ppid=2339 pid=6524
auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=(none) comm="mysqld" exe="/usr/libexec/mysqld"
subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1201316463.604:679): avc:  denied  { write } for  pid=6524
comm="mysqld" name="housekeeping.MYI" dev=dm-0 ino=27067325
scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1201316463.604:679): arch=c000003e syscall=2 success=yes
exit=105 a0=45148e90 a1=2 a2=0 a3=4513e75b items=0 ppid=2339 pid=6524
auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27
tty=(none) comm="mysqld" exe="/usr/libexec/mysqld"
subj=system_u:system_r:mysqld_t:s0 key=(null)

Comment 3 Daniel Walsh 2008-01-28 19:53:19 UTC
You have files mislabeled in /var/lib

restorecon -R -F -v /var/lib

Should fix the labeling.  If you create files in your home dir and then move
them to a system directory, make sure you label them correctly.  restorecon will
set the file context to the system defaults.
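
Added example, not part of the original thread: a small Python parser for the AVC records in comment 2 that flags denials where a system_r daemon touched a file carrying a home-directory type, the pattern comment 3 diagnoses as mislabeling. The function names, the "user_home" prefix heuristic, and the third sample record (example_data_t) are assumptions made for illustration.

```python
import re

# Constructed sample: the two distinct AVC records from comment 2, each rejoined
# onto one line, plus one invented record (example_data_t) as a negative case.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1201309200.360:626): avc:  denied  { unlink } for  pid=13640 comm="mysqld" name="#sql_95c_0.MYI" dev=dm-0 ino=27001804 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1201309782.935:636): avc:  denied  { write } for  pid=6524 comm="mysqld" name="housekeeping.MYI" dev=dm-0 ino=27067325 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201309999.000:700): avc:  denied  { read } for  pid=6524 comm="mysqld" name="constructed.dat" dev=dm-0 ino=1 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file
"""

AVC_RE = re.compile(r'^type=AVC\b.*?\bdenied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; pull out the role and type fields.
    _, rec["srole"], rec["stype"] = rec["scontext"].split(":")[:3]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def mislabel_suspects(audit_text, home_prefix="user_home"):
    """List denials where a system_r daemon hit an object labeled with a home type.

    Assumption: any target type starting with home_prefix is a home-directory
    label (the thread shows user_home_t and user_home_dir_t).
    """
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["srole"] == "system_r" and rec["ttype"].startswith(home_prefix):
            hits.append((rec.get("comm", "?"), rec.get("name", "?"),
                         rec["ttype"], rec["perms"]))
    return hits

if __name__ == "__main__":
    for comm, name, ttype, perms in mislabel_suspects(SAMPLE_AUDIT):
        print(f"{comm}: {'/'.join(perms)} denied on {name} labeled {ttype}; check its label")
```

A hit means the file's label, not the policy, is the first thing to check; the restorecon command in comment 3 resets such files to the system default context.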

Comment 4 David Highley 2008-01-29 04:25:30 UTC
OK, I did the command above and find that several things get relabeled. At the
time I reported the issue I had done a relabel of /var/lib and found that some
labels needed to be changed. I then did a touch /.autorelabel and did a reboot.
The only thing that has been done since that time is patch updates and clamav
auto updates its data files. So how does one keep the labels correct? 

Comment 5 David Highley 2008-01-30 15:26:19 UTC
Changing a passwd file shell entry to /sbin/nologin and relabeling /var/lib fixed
this issue.

