Problems with SElinux and MySQL accessing file on /tmp

Problems with SElinux and MySQL accessing file on /tmp

[Jason]

I am having an error with selinux that I can't seem to fix.

 avc: denied { getattr } for pid=123 exe=/usr/libexec/mysqld

 I get that when I try to use a mysql query "load data concurrent infile 
'/tmp/filename' etc"

allow mysqld_t tmp_t:dir { getattr }; doesn't help. I need a way to give 
mysql  getattr globally, or at least in the tmp folder.  in 
filecontexts, /tmp/.* is listed as <<none>>

the file it's accessing in /tmp is user_u:object_r:tmp_t

audit2allow doesn't display anything since it's a denied { getattr } 
without any other info.

Does anyone have an idea what can be done?

TIA,

Jason

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with SElinux and MySQL accessing file on /tmp

[Russell Coker]

On Tuesday 19 April 2005 12:11, Jason <jason@tyrannical.org> wrote:
>  I get that when I try to use a mysql query "load data concurrent infile
> '/tmp/filename' etc"
>
> allow mysqld_t tmp_t:dir { getattr }; doesn't help. I need a way to give
> mysql  getattr globally, or at least in the tmp folder.  in
> filecontexts, /tmp/.* is listed as <<none>>
>
> the file it's accessing in /tmp is user_u:object_r:tmp_t

The following policy should allow what you want:
allow mysqld_t tmp_t:file r_file_perms;

However this might not be ideal for security reasons, there may be data in 
files labeled as tmp_t.

Maybe a better option would be to create a directory named /var/lib/mysql/tmp 
for temporary files related to mysql (it will have type mysqld_db_t which 
grants full access to mysqld_t).  Then you won't be granting any extra access 
to mysqld_t and you won't need to change your policy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with SElinux and MySQL accessing file on /tmp

[Jason]

Russell,

You are my hero :)

I decided to go with your advice - simple and effective. I have my sql 
files written in the /var/lib/mysql/tmp directory. Now mysql has access, 
and selinux doesn't complain. Woo!

Thanks,

Jason

Russell Coker wrote:

>The following policy should allow what you want:
>allow mysqld_t tmp_t:file r_file_perms;
>
>However this might not be ideal for security reasons, there may be data in 
>files labeled as tmp_t.
>
>Maybe a better option would be to create a directory named /var/lib/mysql/tmp 
>for temporary files related to mysql (it will have type mysqld_db_t which 
>grants full access to mysqld_t).  Then you won't be granting any extra access 
>to mysqld_t and you won't need to change your policy.
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with SElinux and MySQL accessing file on /tmp

[Daniel J Walsh]

Jason wrote:

> I am having an error with selinux that I can't seem to fix.
>
> avc: denied { getattr } for pid=123 exe=/usr/libexec/mysqld
>
> I get that when I try to use a mysql query "load data concurrent 
> infile '/tmp/filename' etc"
>
> allow mysqld_t tmp_t:dir { getattr }; doesn't help. I need a way to 
> give mysql  getattr globally, or at least in the tmp folder.  in 
> filecontexts, /tmp/.* is listed as <<none>>
>
> the file it's accessing in /tmp is user_u:object_r:tmp_t
>
> audit2allow doesn't display anything since it's a denied { getattr } 
> without any other info.
>
> Does anyone have an idea what can be done?
>
> TIA,
>
> Jason
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

What AVC messages are you seeing in /var/log/messages or 
/var/log/audit/audit.log?

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.