Hello everyone,

I have set up a machine (amd64) with the hardened stage3 and SELinux
strict.

I'm now having issues with mysql and its /var/run/mysqld being marked as
initrc_var_run_t.

If I unmerge and remerge mysql it works fine, the /var/run/mysqld is
marked as mysqld_var_run_t, but after rebooting, it is back to
initrc_var_run_t again:

# ls -lZ /var/run/
total 24
drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t        40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t  80 Aug 26 00:44 mysqld
[snip]

Interesting to note that on the first install the group ID for
/var/run/mysqld is set to "mysql", but after reboot it becomes "root". Why?

This is causing mysql to stall on bootup. I get these denials:

#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
# var_log_t, mysqld_db_t, tmp_t, mysqld_var_run_t, mysqld_tmp_t, var_lib_t, var_run_t

allow mysqld_t initrc_var_run_t:dir { write search add_name };
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_log_t, mysqld_db_t, mysqld_var_run_t, mysqld_tmp_t

allow mysqld_t initrc_var_run_t:file { write create open };
allow mysqld_t initrc_var_run_t:sock_file create;
allow mysqld_t portage_log_t:file { getattr open append };

semanage fcontext shows the files are supposed to be marked
mysqld_var_run_t:

/etc/my\.cnf                         regular file   system_u:object_r:mysqld_etc_t
/etc/mysql(/.*)?                     all files      system_u:object_r:mysqld_etc_t
/etc/rc\.d/init\.d/mysqld            regular file   system_u:object_r:mysqld_initrc_exec_t
/etc/rc\.d/init\.d/mysqlmanager      regular file   system_u:object_r:mysqlmanagerd_initrc_exec_t
/usr/bin/mysql_upgrade               regular file   system_u:object_r:mysqld_exec_t
/usr/bin/mysqld_safe                 regular file   system_u:object_r:mysqld_safe_exec_t
/usr/libexec/mysqld                  regular file   system_u:object_r:mysqld_exec_t
/usr/sbin/mysqld(-max)?              regular file   system_u:object_r:mysqld_exec_t
/usr/sbin/mysqlmanager               regular file   system_u:object_r:mysqlmanagerd_exec_t
/usr/sbin/ndbd                       regular file   system_u:object_r:mysqld_exec_t
/var/lib/mysql(/.*)?                 all files      system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql\.sock           socket         system_u:object_r:mysqld_var_run_t
/var/log/mysql.*                     regular file   system_u:object_r:mysqld_log_t
/var/run/mysqld(/.*)?                all files      system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*       regular file   system_u:object_r:mysqlmanagerd_var_run_t

I've tried creating my own mysql.te module with type_transition
statements to have /var/run/mysqld marked as mysqld_var_run_t, but to no
avail there.

I'm running selinux base policy r15, same for sec-policy/selinux-mysql.

Any suggestions?

- Mathew
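As an added example (not part of Mathew's post or of the Gentoo policy), the check below does offline what the post does by eye: it parses `ls -lZ` rows and `semanage fcontext -l` rows and reports every entry whose on-disk type disagrees with the type the file-context specs expect. Sample input is constructed from the two listings quoted above; the longest-match rule is an approximation of libselinux's most-specific-match behaviour.

```python
import re

# Constructed sample input, reflowed from the `ls -lZ /var/run/` and
# `semanage fcontext -l` output quoted in the post (not live system output).
LS_Z_OUTPUT = """
drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t        40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t  80 Aug 26 00:44 mysqld
"""
FCONTEXT_LIST = r"""
/var/lib/mysql(/.*)?            all files     system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql\.sock      socket        system_u:object_r:mysqld_var_run_t
/var/run/mysqld(/.*)?           all files     system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*  regular file  system_u:object_r:mysqlmanagerd_var_run_t
"""
FCONTEXT_RE = re.compile(r"^(\S+)\s+(all files|regular file|directory|socket)\s+(\S+)$")
MODE_TO_FTYPE = {"d": "directory", "s": "socket", "-": "regular file"}

def parse_fcontexts(text):
    """Turn `semanage fcontext -l` rows into (compiled regex, file type, SELinux type)."""
    specs = []
    for line in text.strip().splitlines():
        m = FCONTEXT_RE.match(line.strip())
        if m:
            spec, ftype, ctx = m.groups()
            specs.append((re.compile(spec), ftype, ctx.split(":")[2]))
    return specs

def expected_type(path, ftype, specs):
    """Longest spec matching the whole path and this file type wins. This approximates
    libselinux's most-specific-match rule, which also honours entry order."""
    best = None
    for pat, spec_ftype, setype in specs:
        if pat.fullmatch(path) and spec_ftype in ("all files", ftype):
            if best is None or len(pat.pattern) > len(best[0].pattern):
                best = (pat, setype)
    return best[1] if best else None

def find_mislabeled(ls_output, fcontexts, base):
    """Return (path, actual type, expected type) for each mislabeled row; rows no spec covers are skipped."""
    specs, mismatches = parse_fcontexts(fcontexts), []
    for line in ls_output.strip().splitlines():
        parts = line.split()
        actual = next(p for p in parts if ":object_r:" in p).split(":")[2]
        path = base.rstrip("/") + "/" + parts[-1]
        expected = expected_type(path, MODE_TO_FTYPE.get(parts[0][0], "regular file"), specs)
        if expected is not None and expected != actual:
            mismatches.append((path, actual, expected))
    return mismatches
```

Run against the quoted listings, `find_mislabeled(LS_Z_OUTPUT, FCONTEXT_LIST, "/var/run")` flags only /var/run/mysqld (initrc_var_run_t where policy expects mysqld_var_run_t); /var/run/lock is not covered by any mysql spec and is skipped.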