Red Hat Bugzilla – Bug 510953
AVC violations by stock fc11 mysqld_safe_t
Last modified: 2013-07-02 23:23:02 EDT
Created attachment 351403 [details]
tgz containing list of rpms, list of avc messages, and resultant te file
Description of problem:
* I have installed mysql and related components from stock Fedora 11 install (mysql-rpms.lst attached).
* In the course of working with this problem, I have upgraded selinux-policy and selinux-targeted-policy and relabled on restart.
* On starting mysqld service, and in the course of database operation (validation suites against known component using only one fresh created database) encounter various AVC violations against mysqld_safe_t (mysql-avc.lst, attached).
* On gathering AVC violations from SETroubleshoot browser and generating policy source (mysqldsm.te,attached) with audit2allow, I have a policy representing capabilities which are either
- missing from the distributed policy, or
- should not be sought by mysqld_safe_t
Version-Release number of selected component (if applicable):
(slightly longer list attached, mysql-rpms.lst)
* Not certain, though this installation is very out-of-the-box fc11.
Steps to Reproduce:
1. Install fc11 with mysql
2. Start mysqld service
3. Use database
* AVC audit messeges similar to attached (mysql_avc.lst)
* possibly inapropriate access
* no AVC errors
* no inappropriate access
* See attachments
- mysqlsm.te (generated from mysql-avc.lst)
Created attachment 351406 [details]
te file representing additional avc violations against mysql_safe_t
Created semodule mysqlsm from (previously attached) mysqlsm.te
On rebooting and checking to see that mysqldsm was installed, I ran my regression again, and got a wave of new avc violations, which I've distilled into (here attached) mysqlsm2.te, which contains all new permissions. I am skeptical as to whether these are in fact needed by mysql.
I tried to reproduce this on up2date F-11 and couldn't see any problem in a simple test (just doing a few basic SQL commands in "mysql"). One thing to try before assuming there's a real bug is to run "restorecon" on /var/lib/mysql/ contents, as well as the mysql executables (actually you might as well just do it over the whole /usr/ filesystem to be sure). If you still have a problem after doing that, I'll need a more specific reproducer sequence.
(In reply to comment #2)
Fair enough, though I expect you have a fuller regression suite to try against the reproducer sequence I submitted (I haven't either yet tried the full set regressions I assume is in the MySQL installation package). Re running restorecon, I did 'touch /.autolabel;shutdown -r now' (point two of the initial description), that is the same thing, right?
Also, in the attached .te files, which seem to grant new permissions to mysql_safe_t, the permissions sought seemed more about permission to do something other than simply read a (mislabeled?) file, but I am just getting the hang of SELinux at this level. Since having installed the modules from these te files (o! what have unleashed?!), I have gotten no more AVC violations. One of my questions then was whether MySQL is supposed to have them, and if so why those granted on installation did not suffice). Examining these te files would help help determine which question(s) are relevant.
Please Advise, Thanks in Advance,
Well, I repeat my comment that the standard policy works fine for me.
As best I can tell from a desultory scan of the avc messages, these bleats are about mysqld_safe's usage of ps and rm commands, both of which it should be allowed to do. I notice that on my F-10 system, mysqld_safe has context mysqld_safe_exec_t:
$ ls -Z /usr/bin/mysqld_safe
-rwxr-xr-x root root system_u:object_r:mysqld_safe_exec_t:s0 /usr/bin/mysqld_safe
The messages you're showing are about context mysqld_safe_t. So I'm still wondering if your problem is a mislabeling of that script.
I am at a loss to explain why previous, numerous and broad relabeling efforts have not sufficed (with mysql_safe showing as you say it should).
I've gotten back to where things function correctly without AVC complaints or supplemental permissions. I am writing it off to hardware issues (overheating) I've been having, which I have corrected.
Please close this bug, and thanks for the sanity check.
Hello. even on latest updates I am still getting this message. will you please help me how to remove this problem ?
Try restorecon as per the discussion.