mysqld_safe selinux root_dir_t
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server moved to https://jira.percona.com/projects/PS | Expired | Undecided | Unassigned |
Bug Description
Getting the following on Fedora 19 (before it's suggested that Fedora is not supported: it's more than likely the configuration of SELinux in Fedora will end up on Red Hat, and as such Fedora should be considered the "edge" distribution).
---
type=AVC msg=audit(
---
Why would mysqld_safe be trying to write to / ?
setenforce 0 (permissive) && Lsof:
---
mysqld_safe
9607 mysqld
[root@phantasos etc]# lsof -p 9427
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld_sa 9427 root cwd DIR 253,1 4096 5505025 /usr
mysqld_sa 9427 root rtd DIR 253,1 4096 2 /
mysqld_sa 9427 root txt REG 253,1 982296 5512636 /usr/bin/bash
mysqld_sa 9427 root mem REG 253,1 162472 5505141 /usr/lib64/
mysqld_sa 9427 root mem REG 253,1 2104376 5505142 /usr/lib64/
mysqld_sa 9427 root mem REG 253,1 22440 5505424 /usr/lib64/
mysqld_sa 9427 root mem REG 253,1 171464 5512005 /usr/lib64/
mysqld_sa 9427 root mem REG 253,1 62368 5514609 /usr/lib64/
mysqld_sa 9427 root 0r CHR 1,3 0t0 1028 /dev/null
mysqld_sa 9427 root 1w CHR 1,3 0t0 1028 /dev/null
mysqld_sa 9427 root 2w CHR 1,3 0t0 1028 /dev/null
mysqld_sa 9427 root 255r REG 253,1 26520 5505607 /usr/bin/
---
Audit2allow
---
#============= mysqld_safe_t ==============
#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
allow mysqld_safe_t root_t:dir write;
---
This doesn't seem right to me at all; I can't think of a valid reason why mysqld_safe would need to write to /.
Especially given there is no reference to root_dir_t in: http://
Affects: https:/
Thoughts?
Cheers
David
affects: percona-xtradb-cluster → percona-server
Changed in percona-server:
assignee: Raghavendra D Prabhu (raghavendra-prabhu) → nobody
tags: added: pkg
dbusby@icleus-oneiroi-co-uk ~/Downloads$ sealert -l 9debc518-425f-46a8-bdae-0a7cc2c01e62
SELinux is preventing /usr/bin/bash from write access on the directory /.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow all daemons to write corefiles to /
Then you must tell SELinux about this by enabling the 'daemons_dump_core' boolean.
You can read 'None' man page for more details.
Do
setsebool -P daemons_dump_core 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that bash should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysqld_safe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                unconfined_u:system_r:mysqld_safe_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        mysqld_safe
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          icleus-oneiroi-co-uk
Source RPM Packages           bash-4.2.45-1.fc18.x86_64
Target RPM Packages           filesystem-3.1-2.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     icleus-oneiroi-co-uk
Platform                      Linux icleus-oneiroi-co-uk 3.9.9-201.fc18.x86_64 #1 SMP Fri Jul 5 16:42:02 UTC 2013 x86_64 x86_64
Alert Count                   70
First Seen                    2013-05-13 12:25:17 BST
Last Seen                     2013-07-22 10:02:10 BST
Local ID                      9debc518-425f-46a8-bdae-0a7cc2c01e62

Raw Audit Messages
type=AVC msg=audit(1374483730.171:461): avc: denied { write } for pid=30153 comm="mysqld_safe" name="/" dev="dm-2" ino=2 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

type=SYSCALL msg=audit(1374483730.171:461): arch=x86_64 syscall=faccessat success=no exit=EACCES a0=ffffffffffffff9c a1=1330280 a2=2 a3=1335ce0 items=0 ppid=30144 pid=30153 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm=mysqld_safe exe=/usr/bin/bash subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)

Hash: mysqld_safe,mysqld_safe_t,root_t,dir,write
audit2allow
#============= mysqld_safe_t ==============
#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
allow mysqld_safe_t root_t:dir write;
audit2allow -R
require {
type mysqld_safe_t;
}
#============= mysqld_safe_t ==============
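The SYSCALL record in the sealert output above answers the reporter's question more precisely than the AVC line alone: the denied call is faccessat(2) with a2=2, i.e. an access(2)-style writability probe (W_OK) of "/", not an attempt to create or modify anything. That is consistent with mysqld_safe testing `test -w /` to decide whether it is running as root (an observation from the mysqld_safe script, not something the report states), and it is also why sealert's `daemons_dump_core` suggestion is a poor fit: the catchall_boolean plugin matched only "a daemon writing to a root_t directory". A probe that is already denied changes nothing if it is silenced, so the narrowest response is a `dontaudit` rule, not the `allow mysqld_safe_t root_t:dir write;` that audit2allow proposes. The script below is an added example, not code from the bug report, Percona, or the Fedora policy: it pairs AVC records with their SYSCALL records by audit serial, decodes the access mode for access/faccessat probes, emits `dontaudit` for probes and `allow` (flagged for review) for real operations, and renders the probe rules as a .te module in the shape `audit2allow -M` produces. Event 461 in the sample is the report's own pair; event 462 (demo_daemon, demo_t) is a constructed contrast case and is not from the report. Function names and the classification rules are this example's own.

```python
"""Pair SELinux AVC denials with their SYSCALL records and triage them.

Added example, not part of the bug report and not Percona or Fedora tooling.
Input is the interpreted record form that sealert and `ausearch -i` print
(syscall names rather than numbers). Names and rules here are this example's.
"""
import re
from collections import defaultdict

# Constructed sample. Event 461 is the AVC/SYSCALL pair from the report's
# 'Raw Audit Messages'; event 462 is a made-up contrast case (an actual write
# attempt via openat) so that both triage branches are exercised.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1374483730.171:461): avc:  denied  { write } for  pid=30153 comm="mysqld_safe" name="/" dev="dm-2" ino=2 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1374483730.171:461): arch=x86_64 syscall=faccessat success=no exit=EACCES a0=ffffffffffffff9c a1=1330280 a2=2 a3=1335ce0 items=0 ppid=30144 pid=30153 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm=mysqld_safe exe=/usr/bin/bash subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1374483800.000:462): avc:  denied  { write } for  pid=30200 comm="demo_daemon" name="demo.log" dev="dm-2" ino=4242 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1374483800.000:462): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=1340000 a2=441 a3=1b6 items=0 ppid=1 pid=30200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=demo_daemon exe=/usr/sbin/demo_daemon subj=system_u:system_r:demo_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")

R_OK, W_OK, X_OK = 4, 2, 1  # access(2) mode bits from <unistd.h>; F_OK is 0
# Syscalls that only ask "would this be permitted?" and modify nothing, mapped
# to the audit register holding their mode argument (a0 is the first argument).
PROBE_MODE_ARG = {"access": "a1", "faccessat": "a2", "faccessat2": "a2"}


def parse_audit(text):
    """Group records by audit serial: {serial: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
        if m["type"] == "AVC":
            perms = PERMS_RE.search(m["body"])
            fields["perms"] = perms.group(1).split() if perms else []
        events[m["serial"]][m["type"]] = fields
    return dict(events)


def selinux_type(context):
    """Type component of a user:role:type[:level] security context."""
    return context.split(":")[2]


def access_mode_name(mode):
    names = [n for bit, n in ((R_OK, "R_OK"), (W_OK, "W_OK"), (X_OK, "X_OK")) if mode & bit]
    return "|".join(names) or "F_OK"


def triage(event):
    """Classify one denial. A probe (access/faccessat) is silenced with dontaudit,
    which grants nothing; anything else is a real access attempt that needs a
    labeling, boolean, or allow decision by a human."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if avc is None:
        return None
    stype, ttype = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    syscall = sc["syscall"] if sc else None
    out = {"comm": avc.get("comm"), "target": avc.get("name"), "tclass": avc["tclass"],
           "perms": avc["perms"], "source_type": stype, "target_type": ttype,
           "syscall": syscall, "mode": None}
    if syscall in PROBE_MODE_ARG:
        out["kind"] = "probe"
        out["mode"] = access_mode_name(int(sc[PROBE_MODE_ARG[syscall]], 16))
        out["rule"] = "dontaudit %s %s:%s %s;" % (stype, ttype, avc["tclass"], perms)
    else:
        out["kind"] = "operation"
        out["rule"] = "allow %s %s:%s %s;  # review: this grants access" % (stype, ttype, avc["tclass"], perms)
    return out


def triage_log(text):
    return [t for t in map(triage, parse_audit(text).values()) if t]


def dontaudit_module(name, triages):
    """Render the probe denials as a .te module (the shape audit2allow -M emits;
    build with checkmodule -M -m, semodule_package, then semodule -i)."""
    probes = [t for t in triages if t["kind"] == "probe"]
    if not probes:
        return None
    types = sorted({x for t in probes for x in (t["source_type"], t["target_type"])})
    classes = defaultdict(set)
    for t in probes:
        classes[t["tclass"]].update(t["perms"])
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % x for x in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""] + [t["rule"] for t in probes]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = triage_log(SAMPLE_AUDIT)
    for t in results:
        print("%(comm)s %(syscall)s on %(target)r: %(kind)s (%(mode)s) -> %(rule)s" % t)
    print(dontaudit_module("mysqld_safe_local", results))
```

On a live host the same records come from `ausearch -m avc -i -c mysqld_safe`; feeding that through the script, or directly through `audit2allow -D -M mypol` (the `-D` flag produces dontaudit rules instead of allow rules), gives a module that stops the alert noise without widening mysqld_safe_t's permissions, which is the opposite of what `setsebool -P daemons_dump_core 1` would do.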