Bug 48772 - mysql policy files
Summary: mysql policy files
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All All
Importance: High normal
Assignee: Chris PeBenito (RETIRED)
Reported: 2004-04-23 03:05 UTC by petre rodan (RETIRED)
Modified: 2004-05-17 04:15 UTC (History)

Runtime testing required: ---


Attachments
file contexts (mysqld.fc, 338 bytes, text/plain) - 2004-04-23 03:05 UTC, petre rodan (RETIRED)
type enforcement (mysqld.te, 2.12 KB, text/plain) - 2004-04-23 03:05 UTC, petre rodan (RETIRED)

Description petre rodan (RETIRED) gentoo-dev 2004-04-23 03:05:01 UTC
mysql related selinux policy files
tested for about 1 month using mysql-4.0.x
Comment 1 petre rodan (RETIRED) gentoo-dev 2004-04-23 03:05:28 UTC
Created attachment 29889 [details]
file contexts
Comment 2 petre rodan (RETIRED) gentoo-dev 2004-04-23 03:05:48 UTC
Created attachment 29890 [details]
type enforcement
Comment 3 Chris PeBenito (RETIRED) gentoo-dev 2004-04-23 07:41:42 UTC
Hmm, looks about the same as the one we have in policy cvs (http://www.gentoo.org/cgi-bin/viewcvs.cgi/selinux/mysql/?root=gentoo-projects). It looks like you removed the etcdir_domain(mysqld), and typealiases. These should now work. Otherwise it looks like the only things you've added are the tmp_t and the daemontools stuff. The tmp_t stuff should be replaced with tmp_domain(mysqld), so the files it creates are mysqld_tmp_t, rather than tmp_t.
Comment 4 Joshua Brindle (RETIRED) gentoo-dev 2004-04-27 21:57:31 UTC
When does mysql do anything in tmp_t? I haven't experienced this with mine.
Comment 5 petre rodan (RETIRED) gentoo-dev 2004-04-28 00:12:39 UTC
This happens every 20 minutes or so on a quite busy server that has a deadly combination of apache, mysql, postgresql, mod_php, php, adodb and about 4 different web projects. Unfortunately I'm not sure what the #sql_202c_0.MYI file contains.

My mysql was compiled using the following USE flags: -berkdb -debug +innodb -perl +readline +ssl -static -tcpd. We don't use innodb just yet. Mysqld is configured with default values with the small extra from http://bugs.gentoo.org/show_bug.cgi?id=46340#c3 but I guess it has nothing to do with the tmp_t issue.


avc:  denied  { getattr } for  pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { search } for  pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { write } for  pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { add_name } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { create } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc:  denied  { write } for  pid=9291 exe=/usr/sbin/mysqld path=/tmp/#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc:  denied  { getattr } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc:  denied  { read } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc:  denied  { remove_name } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { unlink } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file

I haven't made the move to mysqld_tmp_t yet.
Comment 6 Joshua Brindle (RETIRED) gentoo-dev 2004-04-28 01:32:42 UTC
Interesting, do you know what the server is doing when it does this? Making temporary tables or a large import/export or something?
Comment 7 petre rodan (RETIRED) gentoo-dev 2004-04-28 02:42:14 UTC
Yup, they are temporary tables. Details hereunder:

Docs/manual.txt
[..]
Changes in release 3.23.6
* Temporary table names now start with `#sql'.

sql/mysql_priv.h
[..]
#define tmp_file_prefix "#sql"    /* Prefix for tmp tables */

the function that creates those files is most probably

TABLE * 
create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List<Item> &fields,
                 ORDER *group, bool distinct, bool save_sum_fields,
                 bool allow_distinct_limit, ulong select_options)

and the most used function (mysql_select) is using it when JOIN mysql commands are given (which is our case).

quod erat demonstrandum :)
Comment 8 Chris PeBenito (RETIRED) gentoo-dev 2004-04-29 11:41:22 UTC
Can you double-check that replacing the tmp_t rules you added with tmp_domain(mysqld) works? Then I'll commit to portage.
Comment 9 petre rodan (RETIRED) gentoo-dev 2004-05-03 00:22:26 UTC
tmp_domain(mysqld) works as expected
mysql policy status updated to 'flawless' :)

bye,
peter

Comment 10 Chris PeBenito (RETIRED) gentoo-dev 2004-05-14 18:34:01 UTC
committed to portage
Comment 11 petre rodan (RETIRED) gentoo-dev 2004-05-17 04:15:16 UTC
you have removed the dac_override capability from my '.te' :(

this is received immediately after starting the mysqld process:

avc:  denied  { dac_override } for  pid=20637 exe=/usr/sbin/mysqld capability=1 scontext=system_u:system_r:mysqld_t tcontext=system_u:system_r:mysqld_t tclass=capability

# uname -a
Linux passage 2.4.24-hardened-r1 #11 SMP Tue Apr 6 12:49:43 EEST 2004 i686 Intel(R) Xeon(TM) CPU 3.06GHz GenuineIntel GNU/Linux

the rest looks good.
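As an added example (not code from this bug, from Gentoo, or from the attached policy), a small Python parser for the 2.4-era "avc: denied" lines quoted in comments 5 and 11: it groups the denied permissions by source type, target type and object class, renders each group as a raw allow rule, and flags the groups that write into tmp_t, where the fix this bug settled on is tmp_domain(mysqld) rather than a blanket allow. The sample log is a constructed subset of the lines above, and the domain name being the type minus "_t" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: five of the denials quoted in this bug (comments 5 and 11).
SAMPLE_AVC = """\
avc:  denied  { search } for  pid=9291 exe=/usr/sbin/mysqld dev=08:07 ino=2 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { add_name } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { create } for  pid=9291 exe=/usr/sbin/mysqld name=#sql_202c_0.MYI scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc:  denied  { write } for  pid=9291 exe=/usr/sbin/mysqld path=/tmp/#sql_202c_0.MYI dev=08:07 ino=12 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:tmp_t tclass=file
avc:  denied  { dac_override } for  pid=20637 exe=/usr/sbin/mysqld capability=1 scontext=system_u:system_r:mysqld_t tcontext=system_u:system_r:mysqld_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<kv>.*)$")
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink"}  # writes into target

def parse_avc(line):
    """Parse one 2.4-era 'avc: denied' line into a dict; None for other lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for tok in m.group("kv").split():
        key, _, val = tok.partition("=")
        rec[key] = val
    # Keep just the type field of each context (user:role:type), e.g. mysqld_t.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def to_allow_rules(summary):
    """Render each group as an allow rule; a group writing into tmp_t is flagged,
    since the fix adopted in this bug is a private tmp type via tmp_domain()."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        rule = f"allow {stype} {target}:{tclass} {{ {' '.join(perms)} }};"
        if ttype == "tmp_t" and WRITE_PERMS & set(perms):
            dom = stype[:-2]  # assumption: domain name is the type minus '_t'
            rule += f"  # prefer tmp_domain({dom}) so files become {dom}_tmp_t"
        rules.append(rule)
    return rules
```

Running to_allow_rules(summarize(SAMPLE_AVC)) yields one rule per (source, target, class) group, with the two tmp_t groups carrying the tmp_domain(mysqld) flag and the capability denial rendered against self.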