Hello everyone,
I have set up a machine (amd64) with the hardened stage3 and SELinux strict.

I'm now having issues with mysql and its /var/run/mysqld being marked as initrc_var_run_t.

If I unmerge and remerge mysql it works fine, the /var/run/mysqld is marked as mysqld_var_run_t, but after rebooting, it is back to initrc_var_run_t again:

# ls -lZ /var/run/
total 24
drwxr-xr-x. 2 root uucp system_u:object_r:var_lock_t 40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 80 Aug 26 00:44 mysqld
[snip]

Interesting to note that on the first install the group ID for /var/run/mysqld is set to "mysql", but after reboot it becomes "root", why?

This is causing mysql to stall on bootup. I get these denials:
#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
# var_log_t, mysqld_db_t, tmp_t, mysqld_var_run_t, mysqld_tmp_t, var_lib_t, var_run_t

allow mysqld_t initrc_var_run_t:dir { write search add_name };
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_log_t, mysqld_db_t, mysqld_var_run_t, mysqld_tmp_t

allow mysqld_t initrc_var_run_t:file { write create open };
allow mysqld_t initrc_var_run_t:sock_file create;
allow mysqld_t portage_log_t:file { getattr open append };


semanage fcontext shows the files are supposed to be marked mysqld_var_run_t:

/etc/my\.cnf                          regular file   system_u:object_r:mysqld_etc_t
/etc/mysql(/.*)?                      all files      system_u:object_r:mysqld_etc_t
/etc/rc\.d/init\.d/mysqld             regular file   system_u:object_r:mysqld_initrc_exec_t
/etc/rc\.d/init\.d/mysqlmanager       regular file   system_u:object_r:mysqlmanagerd_initrc_exec_t
/usr/bin/mysql_upgrade                regular file   system_u:object_r:mysqld_exec_t
/usr/bin/mysqld_safe                  regular file   system_u:object_r:mysqld_safe_exec_t
/usr/libexec/mysqld                   regular file   system_u:object_r:mysqld_exec_t
/usr/sbin/mysqld(-max)?               regular file   system_u:object_r:mysqld_exec_t
/usr/sbin/mysqlmanager                regular file   system_u:object_r:mysqlmanagerd_exec_t
/usr/sbin/ndbd                        regular file   system_u:object_r:mysqld_exec_t
/var/lib/mysql(/.*)?                  all files      system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql\.sock            socket         system_u:object_r:mysqld_var_run_t
/var/log/mysql.*                      regular file   system_u:object_r:mysqld_log_t
/var/run/mysqld(/.*)?                 all files      system_u:object_r:mysqld_var_run_t
/var/run/mysqld/mysqlmanager.*        regular file   system_u:object_r:mysqlmanagerd_var_run_t

I've tried creating my own mysql.te module with type_transition statements to have /var/run/mysqld marked as mysqld_var_run_t, but to no avail there.

I'm running selinux base policy r15, same for sec-policy/selinux-mysql

Any suggestions?

- Mathew
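The post's symptom is a labelling mismatch: the fcontext table says /var/run/mysqld should be mysqld_var_run_t, but the directory that exists after boot carries initrc_var_run_t, so `restorecon -nv /var/run/mysqld` would report exactly that one entry (a directory created on a fresh tmpfs by the init script inherits the creator's default label unless a file-transition rule applies, which is why the on-disk label differs from the spec until something relabels it). The following example is added here and is not code from the post, from Gentoo or from the reference policy; it emulates that check offline by matching a constructed `ls -lZ` listing against the mysql fcontext entries quoted above. It assumes the file_contexts rule that the last matching specification wins and that the specs are listed in that order; the `Mismatch` type and the two helper functions are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed from the `semanage fcontext -l` lines quoted in the post:
# (path regex, semanage file-type label, expected context).
FCONTEXT_SPECS = [
    (r"/var/lib/mysql(/.*)?",           "all files",    "system_u:object_r:mysqld_db_t"),
    (r"/var/lib/mysql/mysql\.sock",     "socket",       "system_u:object_r:mysqld_var_run_t"),
    (r"/var/log/mysql.*",               "regular file", "system_u:object_r:mysqld_log_t"),
    (r"/var/run/mysqld(/.*)?",          "all files",    "system_u:object_r:mysqld_var_run_t"),
    (r"/var/run/mysqld/mysqlmanager.*", "regular file", "system_u:object_r:mysqlmanagerd_var_run_t"),
]

# First character of the ls mode string -> the semanage file-type label it satisfies.
MODE_TO_FTYPE = {"-": "regular file", "d": "directory", "s": "socket",
                 "l": "symbolic link", "c": "character device",
                 "b": "block device", "p": "named pipe"}

# One `ls -lZ` entry: mode links user group context size month day time name.
LS_Z_RE = re.compile(
    r"^(?P<mode>[-dlscbp]\S*)\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$")


@dataclass
class Mismatch:
    path: str
    actual: str
    expected: str


def expected_context(path, ftype):
    """Return the context the fcontext table assigns to `path`, or None.

    Assumed rule (as in file_contexts): the last matching specification wins,
    and a spec applies only if its file type is 'all files' or equals `ftype`.
    """
    for regex, spec_ftype, ctx in reversed(FCONTEXT_SPECS):
        if spec_ftype not in ("all files", ftype):
            continue
        if re.fullmatch(regex, path):
            return ctx
    return None


def parse_ls_z(base_dir, listing):
    """Yield (path, ftype, group, actual_context) for each entry of an `ls -lZ` listing."""
    for line in listing.splitlines():
        m = LS_Z_RE.match(line)
        if not m:  # skips the "total 24" line and blank lines
            continue
        path = base_dir.rstrip("/") + "/" + m["name"]
        ftype = MODE_TO_FTYPE.get(m["mode"][0], "all files")
        yield path, ftype, m["group"], m["ctx"]


def find_mislabeled(base_dir, listing):
    """Return entries whose on-disk context differs from the fcontext spec,
    i.e. what `restorecon -nv base_dir` would list."""
    mismatches = []
    for path, ftype, _group, actual in parse_ls_z(base_dir, listing):
        expected = expected_context(path, ftype)
        if expected is not None and expected != actual:
            mismatches.append(Mismatch(path, actual, expected))
    return mismatches


# Constructed listing modelled on the one in the post.
SAMPLE_LISTING = """\
total 24
drwxr-xr-x. 2 root uucp system_u:object_r:var_lock_t 40 Aug 25 17:44 lock
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 80 Aug 26 00:44 mysqld
"""

if __name__ == "__main__":
    for mm in find_mislabeled("/var/run", SAMPLE_LISTING):
        print(f"{mm.path}: labelled {mm.actual}, policy expects {mm.expected}")
```

On a real host the same information comes from `restorecon -nv /var/run/mysqld` (dry run) and `matchpathcon /var/run/mysqld`; the value of the emulation is seeing how the type column of the spec narrows the match, for instance why a socket under /var/run/mysqld gets mysqld_var_run_t while a regular mysqlmanager file gets mysqlmanagerd_var_run_t.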

