Bug 813585 - SELinux is preventing rm from 'unlink' accesses on the lnk_file /var/lib/mysql/mysql.sock.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: i686
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:9b9953c071da2fc20ced0c866d0...
Reported: 2012-04-18 00:07 UTC by Aleksey
Modified: 2012-06-22 13:37 UTC
Last Closed: 2012-06-22 13:37:59 UTC

Description Aleksey 2012-04-18 00:07:39 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-4.fc16.i686
reason:         SELinux is preventing rm from 'unlink' accesses on the lnk_file /var/lib/mysql/mysql.sock.
time:           Ср. 18 апр. 2012 04:43:14

description:
:SELinux is preventing rm from 'unlink' accesses on the lnk_file /var/lib/mysql/mysql.sock.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that rm should be allowed unlink access on the mysql.sock lnk_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep rm /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:mysqld_safe_t:s0
:Target Context                unconfined_u:object_r:mysqld_db_t:s0
:Target Objects                /var/lib/mysql/mysql.sock [ lnk_file ]
:Source                        rm
:Source Path                   rm
:Port                          <Неизвестно>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-75.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-4.fc16.i686 #1
:                              SMP Tue Mar 20 18:45:14 UTC 2012 i686 i686
:Alert Count                   90
:First Seen                    Ср. 18 апр. 2012 02:09:13
:Last Seen                     Ср. 18 апр. 2012 04:39:59
:Local ID                      85413a16-e96f-4d2a-857a-8dd960829946
:
:Raw Audit Messages
:type=AVC msg=audit(1334709599.658:522): avc:  denied  { unlink } for  pid=32525 comm="rm" name="mysql.sock" dev="sda2" ino=183350 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=lnk_file
:
:
:Hash: rm,mysqld_safe_t,mysqld_db_t,lnk_file,unlink
:
:audit2allow
:
:#============= mysqld_safe_t ==============
:allow mysqld_safe_t mysqld_db_t:lnk_file unlink;
:
:audit2allow -R
:
:#============= mysqld_safe_t ==============
:allow mysqld_safe_t mysqld_db_t:lnk_file unlink;
:

Comment 1 Miroslav Grepl 2012-04-18 08:51:33 UTC
How did you get this?

I see

$ ls -lZ /var/lib/mysql/
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock

Comment 2 Aleksey 2012-04-18 17:04:38 UTC
[root@localhost mysql]# ls -lZ /var/lib/mysql
-rw-rw----. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 ibdata1
-rw-rw----. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 ib_logfile0
-rw-rw----. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 ib_logfile1
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 localhost.localdomain.err
-rw-rw----. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 localhost.pid
-rw-r--r--. root  root  unconfined_u:object_r:mysqld_db_t:s0 mypol.mod
-rw-r--r--. root  root  unconfined_u:object_r:mysqld_db_t:s0 mypol.te
drwx------. mysql root  unconfined_u:object_r:mysqld_db_t:s0 mysql
-rw-r--r--. root  root  unconfined_u:object_r:mysqld_db_t:s0 mysql.sock
drwx------. root  root  unconfined_u:object_r:mysqld_db_t:s0 performance_schema
drwx------. mysql root  unconfined_u:object_r:mysqld_db_t:s0 test

The problem persists!

ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)

Comment 3 Miroslav Grepl 2012-04-20 12:10:14 UTC
Ok, could you try to run

$ systemctl stop mysqld.service

then the socket should not exist and then run

$ systemctl start mysqld.service

Comment 4 Miroslav Grepl 2012-06-22 13:37:59 UTC
Please reopen if this is still an issue.
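
An added example, not part of the original bug thread or of any Fedora tooling: a small Python parser that pulls the fields out of the AVC record from the Description and compares the `mysql.sock` entry listed in Comment 2 with the one listed in Comment 1. Treating the Comment 1 listing as the reference is an assumption; the sample strings are copied from this page and the function names are hypothetical.

```python
import re

# Sample records copied from this bug report (Description, Comment 1, Comment 2).
AVC = ('type=AVC msg=audit(1334709599.658:522): avc:  denied  { unlink } for  '
       'pid=32525 comm="rm" name="mysql.sock" dev="sda2" ino=183350 '
       'scontext=system_u:system_r:mysqld_safe_t:s0 '
       'tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=lnk_file')
LS_REFERENCE = 'srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock'
LS_REPORTED = '-rw-r--r--. root  root  unconfined_u:object_r:mysqld_db_t:s0 mysql.sock'

# First character of the ls mode string -> SELinux object class.
LS_CLASS = {'-': 'file', 'd': 'dir', 'l': 'lnk_file', 's': 'sock_file',
            'p': 'fifo_file', 'c': 'chr_file', 'b': 'blk_file'}


def parse_avc(line):
    """Extract the permission list and key=value fields from one AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules name.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def parse_ls_z(line):
    """Parse one line in the `ls -lZ` layout shown in the comments."""
    mode, owner, group, context, name = line.split(None, 4)
    return {'name': name, 'owner': owner, 'class': LS_CLASS[mode[0]],
            'type': context.split(':')[2]}


def differences(reference, observed):
    """Attributes on which the observed entry differs from the reference."""
    return {k: (reference[k], observed[k])
            for k in ('class', 'owner', 'type') if reference[k] != observed[k]}


if __name__ == '__main__':
    print(parse_avc(AVC))
    print(differences(parse_ls_z(LS_REFERENCE), parse_ls_z(LS_REPORTED)))
```
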

