Additional info: libreport version: 2.0.18 kernel: 3.6.3-1.fc17.x86_64 description: :SELinux is preventing /usr/sbin/sshd from 'search' accesses on the directory /var/lib/mysql. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that sshd should be allowed search access on the mysql directory by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep sshd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023 :Target Context system_u:object_r:mysqld_db_t:s0 :Target Objects /var/lib/mysql [ dir ] :Source sshd :Source Path /usr/sbin/sshd :Port <Unknown> :Host (removed) :Source RPM Packages openssh-server-5.9p1-27.fc17.x86_64 :Target RPM Packages mysql-server-5.5.28-1.fc17.x86_64 :Policy RPM selinux-policy-3.10.0-156.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.6.3-1.fc17.x86_64 #1 SMP Mon Oct : 22 15:32:35 UTC 2012 x86_64 x86_64 :Alert Count 132 :First Seen 2012-06-25 20:56:14 BST :Last Seen 2012-11-07 21:48:31 GMT :Local ID 33d664d5-1171-490e-8f14-615b92b76787 : :Raw Audit Messages :type=AVC msg=audit(1352324911.592:8941): avc: denied { search } for pid=21070 comm="sshd" name="mysql" dev="dm-5" ino=262319 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir : : :type=SYSCALL msg=audit(1352324911.592:8941): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fe3f3a51870 a1=7ffff64248b0 a2=7ffff64248b0 a3=6e6970706172772f items=0 ppid=1635 pid=21070 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) : :Hash: sshd,sshd_t,mysqld_db_t,dir,search : :audit2allow : :#============= sshd_t ============== :allow sshd_t mysqld_db_t:dir search; : :audit2allow -R : :#============= sshd_t ============== :allow sshd_t mysqld_db_t:dir search; :
Created attachment 640415 [details] File: type
Created attachment 640416 [details] File: hashmarkername
Did you configure sshd+MySQL together. If so, could you execute # setenforce 0 re-test it and execute # ausearch -m avc -ts recent # setenforce 1
(In reply to comment #3) > Did you configure sshd+MySQL together. I don't really understand the question. Both are configured and active, but there isn't any explicit configuration tying them together. > If so, could you execute > > # setenforce 0 > > re-test it and execute > > # ausearch -m avc -ts recent > # setenforce 1 I'm not sure whether I am keen on this, because it's an intermittent and unpredictable fault, and turning off SELinux indefinitely (until either it happens again or I give up) seems a bit of a dangerous game. Is there an alternative? James
Miroslav, I think this is caused because of mysql listing /var/lib/mysql as its home dir in /etc/passwd. And I think sshd is checking if the homedirs exists, which is causing this AVC. James you don't need to do the suggested commands.
That would make sense. I had a similar thing with postgresql (installed but probably not even enabled) recently. I presume sshd has to check if the homedir exists in order to look for secret keys and the like. Maybe it needs to check whether it can access the homedir (without upsetting SELinux--presumably that can be done) and then not attempt to read from it if it can't access it.
(In reply to comment #5) > Miroslav, I think this is caused because of mysql listing /var/lib/mysql as > its home dir in /etc/passwd. And I think sshd is checking if the homedirs > exists, which is causing this AVC. > Yes, you are right.
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.