Percona Server / PS-2993

LP #1203278: mysqld_safe selinux root_dir_t


      Reported in Launchpad by David Busby, last update 24-05-2016 04:17:51

      Getting the following on Fedora 19 (Before it's suggested Fedora is not supported, it's more than likely the configuration of SELinux in Fedora will end up on Red Hat; and as such Fedora should be considered as the "edge" distribution).

      type=AVC msg=audit(1374317650.000:680): avc: denied { write } for pid=9163 comm="mysqld_safe" name="/" dev="dm-1" ino=2 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

      Why would mysqld_safe be trying to write to / ?

      setenforce 0 (permissive) && Lsof:


      mysqld_safe
      9607 mysqld
      [root@phantasos etc]# lsof -p 9427
      lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
      COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
      mysqld_sa 9427 root cwd DIR 253,1 4096 5505025 /usr
      mysqld_sa 9427 root rtd DIR 253,1 4096 2 /
      mysqld_sa 9427 root txt REG 253,1 982296 5512636 /usr/bin/bash
      mysqld_sa 9427 root mem REG 253,1 162472 5505141 /usr/lib64/ld-2.17.so
      mysqld_sa 9427 root mem REG 253,1 2104376 5505142 /usr/lib64/libc-2.17.so
      mysqld_sa 9427 root mem REG 253,1 22440 5505424 /usr/lib64/libdl-2.17.so
      mysqld_sa 9427 root mem REG 253,1 171464 5512005 /usr/lib64/libtinfo.so.5.9
      mysqld_sa 9427 root mem REG 253,1 62368 5514609 /usr/lib64/libnss_files-2.17.so
      mysqld_sa 9427 root 0r CHR 1,3 0t0 1028 /dev/null
      mysqld_sa 9427 root 1w CHR 1,3 0t0 1028 /dev/null
      mysqld_sa 9427 root 2w CHR 1,3 0t0 1028 /dev/null
      mysqld_sa 9427 root 255r REG 253,1 26520 5505607 /usr/bin/mysqld_safe

      Audit2allow

      #============= mysqld_safe_t ==============

      #!!!! This avc can be allowed using the boolean 'daemons_dump_core'
      allow mysqld_safe_t root_t:dir write;

      This doesn't seem right to me at all; I can't think of a valid reason why mysqld_safe would need to write to / ?

      Especially given no reference to root_dir_t in: http://bazaar.launchpad.net/~percona-core/percona-server/5.6/view/head:/policy/selinux/percona-server.te

      Affects: https://bugs.launchpad.net/percona-xtradb-cluster/+bug/1131102

      Thoughts?

      Cheers

      David
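
      As an added example (not part of the original report and not Percona's code), the Python below parses the AVC record quoted in the report, derives the same candidate rule that audit2allow printed, and flags write-type permissions on root_t so the rule is reviewed rather than accepted. The second sample record, the `BROAD_TARGETS` and `WRITE_PERMS` sets, and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Record 1 is the denial from the report, joined onto one line.
# Record 2 is constructed for illustration; record 3 is a constructed non-AVC line.
CTX = "scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir"
SAMPLE = [
    'type=AVC msg=audit(1374317650.000:680): avc: denied { write } for pid=9163 '
    'comm="mysqld_safe" name="/" dev="dm-1" ino=2 ' + CTX,
    'type=AVC msg=audit(1374317651.000:681): avc: denied { add_name } for pid=9163 '
    'comm="mysqld_safe" name="constructed_example" ' + CTX,
    'type=SYSCALL msg=audit(1374317650.000:680): arch=c000003e syscall=2 success=no',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed review policy: modifying a directory labelled root_t is suspicious.
BROAD_TARGETS = {"root_t"}
WRITE_PERMS = {"write", "add_name", "remove_name", "create", "unlink"}

def parse_avc(line):
    """Return a dict of key=value fields plus 'perms', or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    """A context is user:role:type:level; the type is the third field."""
    return context.split(":")[2]

def candidate_rules(lines):
    """Group denials by (source type, target type, class) as audit2allow does.

    Returns a list of (rule_text, needs_review) tuples.
    """
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        review = tgt in BROAD_TARGETS and bool(perms & WRITE_PERMS)
        rules.append((f"allow {src} {tgt}:{cls} {perm_txt};", review))
    return rules

if __name__ == "__main__":
    for rule, review in candidate_rules(SAMPLE):
        print(("REVIEW  " if review else "ok      ") + rule)
```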

              People

              • Assignee:
                Unassigned
                Reporter:
                lpjirasync lpjirasync (Inactive)