Bug 510953 - AVC violations by stock fc11 mysqld_safe_t
AVC violations by stock fc11 mysqld_safe_t
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: mysql (Show other bugs)
11
All Linux
low Severity high
: ---
: ---
Assigned To: Tom Lane
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-12 16:01 EDT by Scott Maines
Modified: 2013-07-02 23:23 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-21 11:35:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
tgz containing list of rpms, list of avc messages, and resultant te file (2.97 KB, application/x-compressed-tar)
2009-07-12 16:01 EDT, Scott Maines
no flags Details
te file representing additional avc violations against mysql_safe_t (1.91 KB, text/plain)
2009-07-12 17:13 EDT, Scott Maines
no flags Details

  None (edit)
Description Scott Maines 2009-07-12 16:01:15 EDT
Created attachment 351403 [details]
tgz containing list of rpms, list of avc messages, and resultant te file

Description of problem:

* I have installed mysql and related components from stock Fedora 11 install (mysql-rpms.lst attached). 

* In the course of working with this problem, I have upgraded selinux-policy and selinux-targeted-policy and relabled on restart.

* On starting mysqld service, and in the course of database operation (validation suites against known component using only one fresh created database) encounter various AVC violations against mysqld_safe_t (mysql-avc.lst, attached).

* On gathering AVC violations from SETroubleshoot browser and generating policy source (mysqldsm.te,attached) with audit2allow, I have a policy representing capabilities which are either 

- missing from the distributed policy, or 
- should not be sought by mysqld_safe_t


Version-Release number of selected component (if applicable):

(slightly longer list attached, mysql-rpms.lst)

mysql-5.1.35-1.fc11.i586
mysql-connector-java-3.1.12-7.fc11.i586
mysql-libs-5.1.35-1.fc11.i586
mysql-server-5.1.35-1.fc11.i586
libdbi-dbd-mysql-0.8.3-4.fc11.i586

selinux-policy-3.6.12-62.fc11.noarch
selinux-policy-targeted-3.6.12-62.fc11.noarch

libselinux-2.0.80-1.fc11.i586


How reproducible:

* Not certain, though this installation is very out-of-the-box fc11.

Steps to Reproduce:

1. Install fc11 with mysql
2. Start mysqld service
3. Use database
  
Actual results:

* AVC audit messeges similar to attached (mysql_avc.lst)
* possibly inapropriate access

Expected results:

* no AVC errors
* no inappropriate access

Additional info:

* See attachments

- mysql-rpms.lst
- mysql-avc.lst
- mysqlsm.te (generated from mysql-avc.lst)
Comment 1 Scott Maines 2009-07-12 17:13:58 EDT
Created attachment 351406 [details]
te file representing additional avc violations against mysql_safe_t

Created semodule mysqlsm from (previously attached) mysqlsm.te

On rebooting and checking to see that mysqldsm was installed, I ran my regression again, and got a wave of new avc violations, which I've distilled into (here attached) mysqlsm2.te, which contains all new permissions. I am skeptical as to whether these are in fact needed by mysql.
Comment 2 Tom Lane 2009-07-13 19:28:24 EDT
I tried to reproduce this on up2date F-11 and couldn't see any problem in a simple test (just doing a few basic SQL commands in "mysql").  One thing to try before assuming there's a real bug is to run "restorecon" on /var/lib/mysql/ contents, as well as the mysql executables (actually you might as well just do it over the whole /usr/ filesystem to be sure).  If you still have a problem after doing that, I'll need a more specific reproducer sequence.
Comment 3 Scott Maines 2009-07-14 19:43:59 EDT
(In reply to comment #2)

Fair enough, though I expect you have a fuller regression suite to try against the reproducer sequence I submitted (I haven't either yet tried the full set regressions I assume is in the MySQL installation package).  Re running restorecon, I did 'touch /.autolabel;shutdown -r now' (point two of the initial description), that is the same thing, right?

Also, in the attached .te files, which seem to grant new permissions to mysql_safe_t, the permissions sought seemed more about permission to do something other than simply read a (mislabeled?) file, but I am just getting the hang of SELinux at this level. Since having installed the modules from these te files (o! what have unleashed?!), I have gotten no more AVC violations. One of my questions then was whether MySQL is supposed to have them, and if so why those granted on installation did not suffice). Examining these te files would help help determine which question(s) are relevant. 

Please Advise, Thanks in Advance,

-SM
Comment 4 Tom Lane 2009-07-15 12:35:39 EDT
Well, I repeat my comment that the standard policy works fine for me.

As best I can tell from a desultory scan of the avc messages, these bleats are about mysqld_safe's usage of ps and rm commands, both of which it should be allowed to do.  I notice that on my F-10 system, mysqld_safe has context mysqld_safe_exec_t:

$ ls -Z /usr/bin/mysqld_safe
-rwxr-xr-x  root root system_u:object_r:mysqld_safe_exec_t:s0 /usr/bin/mysqld_safe

The messages you're showing are about context mysqld_safe_t.  So I'm still wondering if your problem is a mislabeling of that script.
Comment 5 Scott Maines 2009-07-21 11:35:56 EDT
I am at a loss to explain why previous, numerous and broad relabeling efforts have not sufficed (with mysql_safe showing as you say it should).

I've gotten back to where things function correctly without AVC complaints or supplemental permissions.  I am writing it off to hardware issues (overheating) I've been having, which I have corrected.  

Please close this bug, and thanks for the sanity check.
Comment 6 Runwalsoft 2009-11-16 02:30:21 EST
Hello. even on latest updates I am still getting this message. will you please help me how to remove this problem ?
Comment 7 Tom Lane 2009-11-16 09:56:07 EST
Try restorecon as per the discussion.

Note You need to log in before you can comment on or make changes to this bug.