Gentoo Archives: gentoo-hardened

From: Mathew McBride <matt@×××××××××××××.net>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] MySQL /var/run/mysqld created as initrc_var_run_t
Date: Sun, 26 Aug 2012 03:02:29
Message-Id: k1buem$hoe$1@ger.gmane.org
Hello everyone,
I have set up a machine (amd64) with the hardened stage3 and SELinux
strict.

I'm now having issues with mysql and its /var/run/mysqld being marked as
initrc_var_run_t.

If I unmerge and remerge mysql it works fine, the /var/run/mysqld is
marked as mysqld_var_run_t, but after rebooting, it is back to
initrc_var_run_t again:

# ls -lZ /var/run/
total 24
drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t        40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t  80 Aug 26 00:44 mysqld
[snip]

Interesting to note that on the first install the group ID for
/var/run/mysqld is set to "mysql", but after reboot it becomes "root", why?

This is causing mysql to stall on bootup. I get these denials:
#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
# var_log_t, mysqld_db_t, tmp_t, mysqld_var_run_t, mysqld_tmp_t, var_lib_t, var_run_t

allow mysqld_t initrc_var_run_t:dir { write search add_name };
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_log_t, mysqld_db_t, mysqld_var_run_t, mysqld_tmp_t

allow mysqld_t initrc_var_run_t:file { write create open };
allow mysqld_t initrc_var_run_t:sock_file create;
allow mysqld_t portage_log_t:file { getattr open append };


semanage fcontext shows the files are supposed to be marked
mysqld_var_run_t:

/etc/my\.cnf                      regular file   system_u:object_r:mysqld_etc_t
/etc/mysql(/.*)?                  all files      system_u:object_r:mysqld_etc_t
/etc/rc\.d/init\.d/mysqld         regular file   system_u:object_r:mysqld_initrc_exec_t
/etc/rc\.d/init\.d/mysqlmanager   regular file   system_u:object_r:mysqlmanagerd_initrc_exec_t
/usr/bin/mysql_upgrade            regular file   system_u:object_r:mysqld_exec_t
/usr/bin/mysqld_safe              regular file   system_u:object_r:mysqld_safe_exec_t
/usr/libexec/mysqld               regular file   system_u:object_r:mysqld_exec_t
/usr/sbin/mysqld(-max)?           regular file   system_u:object_r:mysqld_exec_t
/usr/sbin/mysqlmanager            regular file   system_u:object_r:mysqlmanagerd_exec_t
/usr/sbin/ndbd                    regular file   system_u:object_r:mysqld_exec_t
/var/lib/mysql(/.*)?              all files      system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql\.sock        socket         system_u:object_r:mysqld_var_run_t
/var/log/mysql.*                  regular file   system_u:object_r:mysqld_log_t
/var/run/mysqld(/.*)?             all files      system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*    regular file   system_u:object_r:mysqlmanagerd_var_run_t

I've tried creating my own mysql.te module with type_transition
statements to have /var/run/mysqld marked as mysqld_var_run_t, but to no
avail there.

I'm running selinux base policy r15, same for sec-policy/selinux-mysql.

Any suggestions?

- Mathew
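One way to confirm the mismatch the post describes is to compare the runtime label of a path with what the file_contexts database specifies for it, which is what restorecon -nv or matchpathcon -V do on a live host. The block below is an added example, not from the post or from Gentoo's policy, that performs the same comparison offline on data constructed from the output quoted above; the regex and label values come from the post, while the observation format and the function names are assumptions.

```shell
# Added example, not from the post: an offline version of the check that
# "restorecon -nv PATH" or "matchpathcon -V PATH" perform on a live SELinux
# host (observed type versus the type file_contexts specifies). Both data
# sets are constructed from the post's output; no real files are read.
# Constructed excerpt in file_contexts syntax: <regex> [<filetype>] <context>
# (no MLS field, as in the post; the filetype field is ignored here).
FILE_CONTEXTS='
/var/lib/mysql(/.*)?            system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql\.sock      -s  system_u:object_r:mysqld_var_run_t
/var/run/mysqld(/.*)?           system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*  --  system_u:object_r:mysqlmanagerd_var_run_t
'

# Constructed observations, "<path> <observed type>", taken from ls -lZ.
OBSERVED='
/var/run/lock    var_lock_t
/var/run/mysqld  initrc_var_run_t
/var/lib/mysql   mysqld_db_t
'

# Print the type from the last file_contexts entry whose regex matches the
# whole path (the last matching specification wins, as in file_contexts(5)).
expected_type() {
    path=$1
    want=""
    while read -r regex rest; do
        [ -n "$regex" ] || continue          # skip blank lines
        ctx=${rest##* }                      # context is the last field
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            want=${ctx##*:}                  # keep only the type component
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$want"
}
# Print one "<path> <observed> <expected>" line per mislabelled path;
# paths with no matching specification are skipped (nothing to compare).
report_mismatches() {
    while read -r path seen; do
        [ -n "$path" ] || continue
        exp=$(expected_type "$path")
        [ -n "$exp" ] || continue
        [ "$seen" = "$exp" ] || printf '%s %s %s\n' "$path" "$seen" "$exp"
    done <<EOF
$OBSERVED
EOF
}
report_mismatches
```

On a live host, `restorecon -nv /var/run/mysqld` reports the same mismatch without relabelling anything.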

Replies

Subject Author
[gentoo-hardened] Re: MySQL /var/run/mysqld created as initrc_var_run_t Mathew McBride <matt@×××××××××××××.net>