Hello everyone,
I have set up a machine (amd64) with the hardened stage3 and SELinux
strict.
I'm now having issues with mysql and its /var/run/mysqld being marked as
initrc_var_run_t.
If I unmerge and remerge mysql it works fine, the /var/run/mysqld is
marked as mysqld_var_run_t, but after rebooting, it is back to
initrc_var_run_t again:
# ls -lZ /var/run/
total 24
drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t       40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 80 Aug 26 00:44 mysqld
[snip]
Interesting to note that on the first install the group ID for
/var/run/mysqld is set to "mysql", but after reboot it becomes "root", why?
This is causing mysql to stall on bootup. I get these denials:
#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
# var_log_t, mysqld_db_t, tmp_t, mysqld_var_run_t, mysqld_tmp_t, var_lib_t, var_run_t
allow mysqld_t initrc_var_run_t:dir { write search add_name };
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_log_t, mysqld_db_t, mysqld_var_run_t, mysqld_tmp_t
allow mysqld_t initrc_var_run_t:file { write create open };
allow mysqld_t initrc_var_run_t:sock_file create;
allow mysqld_t portage_log_t:file { getattr open append };
semanage fcontext shows the files are supposed to be marked
mysqld_var_run_t:
/etc/my\.cnf                      regular file  system_u:object_r:mysqld_etc_t
/etc/mysql(/.*)?                  all files     system_u:object_r:mysqld_etc_t
/etc/rc\.d/init\.d/mysqld         regular file  system_u:object_r:mysqld_initrc_exec_t
/etc/rc\.d/init\.d/mysqlmanager   regular file  system_u:object_r:mysqlmanagerd_initrc_exec_t
/usr/bin/mysql_upgrade            regular file  system_u:object_r:mysqld_exec_t
/usr/bin/mysqld_safe              regular file  system_u:object_r:mysqld_safe_exec_t
/usr/libexec/mysqld               regular file  system_u:object_r:mysqld_exec_t
/usr/sbin/mysqld(-max)?           regular file  system_u:object_r:mysqld_exec_t
/usr/sbin/mysqlmanager            regular file  system_u:object_r:mysqlmanagerd_exec_t
/usr/sbin/ndbd                    regular file  system_u:object_r:mysqld_exec_t
/var/lib/mysql(/.*)?              all files     system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql\.sock        socket        system_u:object_r:mysqld_var_run_t
/var/log/mysql.*                  regular file  system_u:object_r:mysqld_log_t
/var/run/mysqld(/.*)?             all files     system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*    regular file  system_u:object_r:mysqlmanagerd_var_run_t
I've tried creating my own mysql.te module with type_transition
statements to have /var/run/mysqld marked as mysqld_var_run_t, but to no
avail there.
I'm running selinux base policy r15, same for sec-policy/selinux-mysql.
Any suggestions?
- Mathew
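An added example for spotting the label drift described in the post (this is not the poster's code, nor part of Gentoo's or refpolicy's tooling): it parses a `semanage fcontext -l` listing, whether the context is on the same line or wrapped onto the next one, reads `ls -lZ` output, and reports every path whose on-disk type differs from what the file context rules require. It assumes that the last matching fcontext entry is the most specific one, as in file_contexts, and only knows the file types that appear in the post.

```python
import re

# File-type words as `semanage fcontext -l` prints them, keyed by the `ls -l` mode letter.
MODE_FTYPE = {"-": "regular file", "d": "directory", "s": "socket"}
_ENTRY = re.compile(r"^(\S+)\s+(all files|%s)(?:\s+(\S+:\S+:\S+))?$" % "|".join(MODE_FTYPE.values()))

def parse_fcontext(text):
    """Parse a `semanage fcontext -l` listing where the context is either on the same
    line as 'REGEX FTYPE' or wrapped onto the next line. Returns [(regex, ftype, type)]."""
    entries, pending = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = _ENTRY.match(line) if pending is None else None
        if m and m.group(3):  # complete entry on one line
            entries.append((re.compile(m.group(1) + r"\Z"), m.group(2), m.group(3).split(":")[2]))
        elif m:               # context wrapped onto the next line
            pending = m.groups()
        elif pending is not None:
            entries.append((re.compile(pending[0] + r"\Z"), pending[1], line.split(":")[2]))
            pending = None
    return entries

def expected_type(entries, path, ftype):
    """Policy type for path: the last matching entry wins (file_contexts order, assumed for semanage too)."""
    result = None
    for rx, want, seltype in entries:
        if rx.match(path) and want in ("all files", ftype):
            result = seltype
    return result

def parse_ls_z(text, base):
    """Turn `ls -lZ base` output into [(path, ftype, actual_type)], skipping 'total' lines."""
    rows = []
    for p in (ln.split() for ln in text.splitlines()):
        if len(p) >= 9 and p[0][0] in MODE_FTYPE and p[4].count(":") >= 2:
            rows.append((base.rstrip("/") + "/" + p[-1], MODE_FTYPE[p[0][0]], p[4].split(":")[2]))
    return rows

def find_mislabeled(fcontext_text, ls_text, base):
    """Paths whose on-disk type disagrees with policy: [(path, actual_type, expected_type)]."""
    entries = parse_fcontext(fcontext_text)
    return [(path, actual, want) for path, ftype, actual in parse_ls_z(ls_text, base)
            for want in [expected_type(entries, path, ftype)] if want and want != actual]

# Constructed sample input, copied from the fcontext listing and `ls -lZ` output in the post.
FCONTEXT = """/var/run/mysqld(/.*)?           all files     system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*  regular file
system_u:object_r:mysqlmanagerd_var_run_t"""
LS_VAR_RUN = """total 24
drwxr-xr-x. 2 root  uucp system_u:object_r:var_lock_t       40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 80 Aug 26 00:44 mysqld"""
```

`find_mislabeled(FCONTEXT, LS_VAR_RUN, "/var/run")` flags `/var/run/mysqld` as `initrc_var_run_t` where `mysqld_var_run_t` is expected, which is exactly the mismatch behind the denials above; `/var/run/lock` is skipped because no entry in the sample covers it.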