| Summary: | mysql policy files | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | petre rodan (RETIRED) <kaiowas> |
| Component: | Hardened | Assignee: | Chris PeBenito (RETIRED) <pebenito> |
| Status: | RESOLVED TEST-REQUEST | | |
| Severity: | normal | CC: | method |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | file contexts, type enforcement | | |
Description

petre rodan (RETIRED) 2004-04-23 03:05:01 UTC

Created attachment 29889 (file contexts)
Created attachment 29890 (type enforcement)
Hmm, looks about the same as the one we have in policy cvs (http://www.gentoo.org/cgi-bin/viewcvs.cgi/selinux/mysql/?root=gentoo-projects). It looks like you removed the etcdir_domain(mysqld) and typealiases. These should now work. Otherwise it looks like the only things you've added are the tmp_t and the daemontools stuff. The tmp_t stuff should be replaced with tmp_domain(mysqld), so the files it creates are mysqld_tmp_t rather than tmp_t. When does mysql do anything in tmp_t? I haven't experienced this with mine..

This happens every 20 minutes or so on a quite busy server that has a deadly combination of apache, mysql, postgresql, mod_php, php, adodb and about 4 different web projects. Unfortunately I'm not sure what the #sql_202c_0.MYI file contains. My mysql was compiled using the following USE flags: -berkdb -debug +innodb -perl +readline +ssl -static -tcpd. We don't use innodb just yet. Mysqld is configured with default values with the small extra from http://bugs.gentoo.org/show_bug.cgi?id=46340#c3 but I guess it has nothing to do with the tmp_t issue.

avc: denied { getattr } for pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { search } for pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { write } for pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { add_name } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { create } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { write } for pid=9291 exe=/usr/sbin/mysqld path=/tmp/#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { getattr } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { read } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { remove_name } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { unlink } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file

I haven't made the move to mysqld_tmp_t yet.

Interesting, do you know what the server is doing when it does this? Making temporary tables or a large import/export or something?
Yup, they are temporary tables. Details hereunder:

Docs/manual.txt
[..]
Changes in release 3.23.6
* Temporary table names now start with `#sql'.

sql/mysql_priv.h
[..]
#define tmp_file_prefix "#sql" /* Prefix for tmp tables */

The function that creates those files is most probably

TABLE *
create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List<Item> &fields,
ORDER *group, bool distinct, bool save_sum_fields,
bool allow_distinct_limit, ulong select_options)

and the most used function (mysql_select) uses it when a JOIN mysql command is given (which is our case).

quod erat demonstrandum :)
Can you doublecheck that replacing the tmp_t rules you added with tmp_domain(mysqld) works? Then I'll commit to portage.

tmp_domain(mysqld) works as expected. mysql policy status updated to 'flawless' :)
bye, peter

Committed to portage.

You have removed the dac_override capability from my '.te' :(

This is received immediately after starting the mysqld process:
avc: denied { dac_override } for pid=20637 exe=/usr/sbin/mysqld capability=1 scontext=system_u:system_r:mysqld_t tcontext=system_u:system_r:mysqld_t tclass=capability
# uname -a
Linux passage 2.4.24-hardened-r1 #11 SMP Tue Apr 6 12:49:43 EEST 2004 i686 Intel(R) Xeon(TM) CPU 3.06GHz GenuineIntel GNU/Linux
The rest looks good.
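Added example, not part of this bug report or of Gentoo's policy: a small Python parser for the old-format AVC denials quoted above. It merges them per source type, target type and object class (the same summary audit2allow prints) and flags the write attempts against the shared tmp_t type that the tmp_domain(mysqld) change addresses. The GENERIC_TARGETS and WRITE_LIKE sets are assumptions of this example.

```python
import re
from collections import defaultdict

# Kernel 2.4-era AVC message, as printed in this report:
#   avc: denied { perm ... } for pid=N exe=... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

# Shared types a daemon should not get raw write access to; the report's fix,
# tmp_domain(mysqld), gives mysqld its own mysqld_tmp_t instead (assumed lists).
GENERIC_TARGETS = {"tmp_t"}
WRITE_LIKE = {"write", "create", "add_name", "remove_name", "unlink"}

def parse_avc(line):
    """Return the denial's permissions and key=value fields, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec

def summarize(lines):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    agg = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src = rec["scontext"].split(":")[2]   # user:role:type -> type
        tgt = rec["tcontext"].split(":")[2]
        agg[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(agg)

def as_allow_rules(agg):
    """Render the merged denials as allow rules, audit2allow style."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(agg.items())]

def needs_private_type(agg):
    """Source domains that tried to write into a generic target type."""
    return sorted({src for (src, tgt, _), perms in agg.items()
                   if tgt in GENERIC_TARGETS and perms & WRITE_LIKE})

# Denials copied from the report above, one per line.
SAMPLE = """\
avc: denied { getattr } for pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { add_name } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { create } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { unlink } for pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc: denied { dac_override } for pid=20637 exe=/usr/sbin/mysqld capability=1 scontext=system_u:system_r:mysqld_t tcontext=system_u:system_r:mysqld_t tclass=capability
""".splitlines()

if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE)):
        print(rule)
    print("needs a private tmp type:", needs_private_type(summarize(SAMPLE)))
```

The merged rules show what a raw allow would grant; the flagged domain is the one for which the page's fix (a private mysqld_tmp_t via tmp_domain(mysqld)) is the right answer rather than allowing tmp_t directly.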