Comments on: The unexpected consequences of SELinux
http://www.xaprb.com/blog/2008/10/16/the-unexpected-consequences-of-selinux/

By: Arjen Lentz (Thu, 16 Oct 2008 23:44:40 +0000)
http://www.xaprb.com/blog/2008/10/16/the-unexpected-consequences-of-selinux/#comment-15249

Yes, SELinux is very finicky.

By: Antonio (Thu, 16 Oct 2008 23:35:40 +0000)
http://www.xaprb.com/blog/2008/10/16/the-unexpected-consequences-of-selinux/#comment-15248

@dan walsh – I suggested putting selinux into permissive mode, tuning the ruleset after starting, exercising, and shutting mysql down, figuring out what rules need to be added, then putting selinux back into enforcing mode. Just putting mysql into permissive mode in perpetuity negates the security benefits of selinux WRT mysql. In the case of RHEL or CentOS – the native mysql packages should come with a ruleset designed/written by the mysql developers. Probably not the case with rpms provided directly from mysql. Should be able to borrow the selinux rules and with some slight tweaks port it over though.

By: Xaprb (Thu, 16 Oct 2008 23:24:26 +0000)
http://www.xaprb.com/blog/2008/10/16/the-unexpected-consequences-of-selinux/#comment-15247

Thanks very much for the suggestions. If I had seen that the issue was selinux *before* I killed and restarted mysql I would have known to do this, but I didn’t think the failures of strace and gdb were selinux — it did not occur to me, since they occasionally fail anyway to give the desired information. I only saw that later when I checked /var/log/messages again.

By: dan walsh (Thu, 16 Oct 2008 21:43:03 +0000)
http://www.xaprb.com/blog/2008/10/16/the-unexpected-consequences-of-selinux/#comment-15246

If this is running on Fedora 9 or 10 you can simply put the mysql daemon in permissive mode

# semanage permissive -a mysqld_t

(semanage permissive -d mysqld_t to remove)

Or you can put the machine in permissive mode

# setenforce 0
(setenforce 1 to put back in enforcing)

Or you can run mysql without using the initrc script so it will not transition to mysqld_t; running mysqld directly from unconfined_t will stay in the current mode.

By: Antonio (Thu, 16 Oct 2008 21:00:41 +0000)
http://www.xaprb.com/blog/2008/10/16/the-unexpected-consequences-of-selinux/#comment-15244

setenforce permissive

watch logs for deny messages from selinux

update selinux ruleset

setenforce enforcing

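The "watch logs for deny messages, then update the ruleset" step that Antonio outlines (and the per-domain permissive mode dan walsh describes) leaves the admin with a pile of AVC denial lines to turn into policy. The following is an added example, not code from the post or from the SELinux tools: a simplified stand-in for what audit2allow does, parsing AVC denials in audit.log/dmesg format and collapsing them into the allow rules a local module would need, restricted to the mysqld_t domain. The log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in audit.log/dmesg format (not from the post).
# Lines 1-2 hit the same object class with different permissions, line 3 a
# different class, and line 4 belongs to another domain (filtered out below).
SAMPLE_LOG = """\
type=AVC msg=audit(1224193420.101:41): avc:  denied  { read } for  pid=4321 comm="mysqld" name="ib_logfile0" dev=sda3 ino=12345 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1224193420.102:42): avc:  denied  { write } for  pid=4321 comm="mysqld" name="ib_logfile0" dev=sda3 ino=12345 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1224193420.103:43): avc:  denied  { name_bind } for  pid=4321 comm="mysqld" src=3307 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1224193421.500:44): avc:  denied  { getattr } for  pid=5555 comm="httpd" path="/var/www/x" dev=sda3 ino=999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    """Return the type field (third component) of a user:role:type[:mls] context."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, class, {perms}) for each 'denied' line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (_type_of(m["scontext"]), _type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(text, domain=None):
    """Collapse denials into allow rules, merging permissions per
    (source, target, class) and optionally keeping one source domain only."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        if domain is None or stype == domain:
            needed[(stype, ttype, tclass)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, domain="mysqld_t"):
        print(rule)
```

Each generated rule still needs a look before it goes into a module: a denial against a generic type such as var_t usually means the file is mislabelled and wants restorecon or a file context entry, not a broader policy.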