Hi Group,

I am seeing the errors (warnings, since I am in permissive mode) below for mysql_upgrade after I enabled SELinux.

Linux lrfurtado 2.6.26-2-xen-686 #1 SMP Thu Nov 25 02:32:31 UTC 2010 i686 GNU/Linux

cat /etc/debian_version
5.0.7

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 23
Policy from config file: default

[ 31.271298] type=1400 audit(1294223212.646:7): avc: denied { search } for pid=1372 comm="mysql_upgrade" name="bin" dev=xvda ino=231661 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
[ 31.285387] type=1400 audit(1294223212.662:8): avc: denied { read } for pid=1377 comm="mysql_upgrade" name="sh" dev=xvda ino=163914 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
[ 31.285413] type=1400 audit(1294223212.662:9): avc: denied { execute } for pid=1377 comm="mysql_upgrade" name="bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.285423] type=1400 audit(1294223212.662:10): avc: denied { read } for pid=1377 comm="mysql_upgrade" name="bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.285459] type=1400 audit(1294223212.662:11): avc: denied { execute_no_trans } for pid=1377 comm="mysql_upgrade" path="/bin/bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.286542] type=1400 audit(1294223212.662:12): avc: denied { getattr } for pid=1377 comm="sh" path="/bin/bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.287663] type=1400 audit(1294223212.662:13): avc: denied { execute } for pid=1378 comm="sh" name="mysql" dev=xvda ino=231409 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
[ 31.287678] type=1400 audit(1294223212.662:14): avc: denied { read } for pid=1378 comm="sh" name="mysql" dev=xvda ino=231409 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

When I run audit2allow I get the following:

#============= mysqld_t ==============
allow mysqld_t bin_t:dir search;
allow mysqld_t bin_t:file { read execute };
allow mysqld_t bin_t:lnk_file read;
allow mysqld_t shell_exec_t:file { read execute getattr execute_no_trans };

What's the proper fix here? I don't want to give mysqld_t permission to execute arbitrary scripts.

Best Regards.
Luciano
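The grouping that turns the denials in the post into the rules audit2allow printed, as an added example that is not part of the original post and is not audit2allow's own code. The function names are assumptions, the log lines are copied from the post, and permissions are sorted alphabetically, so their order inside the braces differs from audit2allow's. exec_grants() picks out the rules that would let mysqld_t execute files, which is the part the poster wants to review.

```python
import re
from collections import defaultdict

# AVC denials copied verbatim from the log in the post.
SAMPLE_LOG = """\
[ 31.271298] type=1400 audit(1294223212.646:7): avc: denied { search } for pid=1372 comm="mysql_upgrade" name="bin" dev=xvda ino=231661 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
[ 31.285387] type=1400 audit(1294223212.662:8): avc: denied { read } for pid=1377 comm="mysql_upgrade" name="sh" dev=xvda ino=163914 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
[ 31.285413] type=1400 audit(1294223212.662:9): avc: denied { execute } for pid=1377 comm="mysql_upgrade" name="bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.285423] type=1400 audit(1294223212.662:10): avc: denied { read } for pid=1377 comm="mysql_upgrade" name="bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.285459] type=1400 audit(1294223212.662:11): avc: denied { execute_no_trans } for pid=1377 comm="mysql_upgrade" path="/bin/bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.286542] type=1400 audit(1294223212.662:12): avc: denied { getattr } for pid=1377 comm="sh" path="/bin/bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
[ 31.287663] type=1400 audit(1294223212.662:13): avc: denied { execute } for pid=1378 comm="sh" name="mysql" dev=xvda ino=231409 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
[ 31.287678] type=1400 audit(1294223212.662:14): avc: denied { read } for pid=1378 comm="sh" name="mysql" dev=xvda ino=231409 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
EXEC_PERMS = {"execute", "execute_no_trans"}  # let the source domain run the file

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denied[key].update(m["perms"].split())
    return dict(denied)

def allow_rules(denied):
    """Render one allow rule per (source, target, class) group."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denied.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

def exec_grants(denied):
    """Groups whose rule would let the source domain execute target-type files."""
    return sorted(k for k, p in denied.items() if k[2] == "file" and p & EXEC_PERMS)

if __name__ == "__main__":
    print("\n".join(allow_rules(collect_denials(SAMPLE_LOG))))
```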