* MySQL Policy Patch
From: Alex Ackerman @ 2004-10-18 15:49 UTC (permalink / raw)
To: selinux
While working on my system, I found the strict policy was inhibiting the
creation of the initial MySQL database files on the system. Because of
this, it was unable to start. I captured the following in my log files:
Oct 18 11:20:09 baal kernel: audit(1098112809.602:0): avc: denied {
read } for pid=5150 exe=/usr/libexec/mysqld path=/tmp/sh-thd-1098096392
(deleted) dev=hda3 ino=1827940 scontext=root:system_r:mysqld_t
tcontext=root:object_r:sysadm_tmp_t tclass=file
Oct 18 11:20:09 baal kernel: audit(1098112809.611:0): avc: denied {
search } for pid=5150 exe=/usr/libexec/mysqld name=root dev=hda3
ino=1044481 scontext=root:system_r:mysqld_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
Oct 18 11:20:09 baal kernel: audit(1098112809.615:0): avc: denied {
getattr } for pid=5152 exe=/usr/libexec/mysqld
path=/tmp/sh-thd-1098096392 (deleted) dev=hda3 ino=1827940
scontext=root:system_r:mysqld_t tcontext=root:object_r:sysadm_tmp_t
tclass=file
I set the enforcing to 0 and retried the /usr/bin/mysql_install_db
script and everything worked as expected. With enforcing = 1, nothing
was created in /var/lib/mysql/mysql. Running audit2allow on these
messages, it suggested the fixes included in this patch. Basically, add
the following lines to the mysqld.te file:
allow mysqld_t staff_home_dir_t:dir { search };
allow mysqld_t sysadm_tmp_t:file { getattr read };
For some reason, MySQL is still trying to access staff home directories
in the search for my.cnf. The second rule is for trying to read tmp
files. After reloading the policy with these changes, running
/usr/bin/mysql_install_db works while in enforcing mode.
Comments?
Alex
Sorry if the patch isn't in the right format, I'm still learning how to
do this.
--- /etc/selinux/strict/src/policy/domains/program/mysqld.te 2004-10-12 11:31:49.955167184 -0400
+++ mysqld.te 2004-10-18 11:26:30.073796544 -0400
@@ -61,6 +61,8 @@
# for /root/.my.cnf - should not be needed
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };
+allow mysqld_t staff_home_dir_t:dir { search };
+allow mysqld_t sysadm_tmp_t:file { getattr read };
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
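Review bot: the two added rules widen the daemon's runtime domain for what is an install-time need; in particular `+allow mysqld_t sysadm_tmp_t:file { getattr read };` means any compromised mysqld_t process could read every administrator temporary file, and the comment just above the hunk already marks the neighbouring home-directory rules as "should not be needed". Suggest running mysql_install_db in a domain separate from mysqld_t, or having the script create its temporary file under /var/lib/mysql, rather than granting this to mysqld_t. Minor style point: `{ search }` with braces around a single permission differs from the bare `search` form on the line above it.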
* Re: MySQL Policy Patch
From: Stephen Smalley @ 2004-10-18 16:34 UTC (permalink / raw)
To: Alex Ackerman; +Cc: selinux, Russell Coker
On Mon, 2004-10-18 at 11:49, Alex Ackerman wrote:
> allow mysqld_t staff_home_dir_t:dir { search };
> allow mysqld_t sysadm_tmp_t:file { getattr read };
>
> For some reason, MySQL is still trying to access staff home
> directories in the search for my.cnf. The second rule is for trying to
> read tmp files. After reloading the policy with these changes,
> running /usr/bin/mysql_install_db works while in enforcing mode.
>
> Comments?
Think about the security implications: Do you want a compromised mysqld
to be able to read arbitrary admin temporary files? Not likely. So
what you likely truly want is to run the installation procedure in a
different domain than the daemon itself. Questions for Russell or
others who worked on this policy:
1) Is mysqld_exec_t the right type for /usr/libexec/mysqld? Or should
it only be applied to /usr/sbin/mysqld? Are they different programs on
your system? If so, then one could avoid entering the domain via the
/usr/libexec helper by putting it into a different type.
2) Should mysqld.te use the nosysadm option to the daemon_domain macro
to preclude automatic transitions from sysadm_t? That would avoid the
transition on the install script, but requires use of run_init on manual
restart of the daemon by the admin.
3) Should the install script be modified to use runcon or similar to
explicitly override the domain transition?
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
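As an added example (not code from the thread, from audit2allow, or from the policy sources), the following collapses the three AVC denials Alex posted into allow rules the way audit2allow does, and then applies the check Stephen asks for: any generated rule that would hand mysqld_t the administrator's own tmp or home types is flagged for review, since the right fix there is a separate install domain rather than a broader daemon domain. The `ADMIN_PRIVATE_TYPES` list, the sample log text and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in the first message, in the
# 2004-era kernel audit format (one record per line).
SAMPLE_LOG = """\
Oct 18 11:20:09 baal kernel: audit(1098112809.602:0): avc: denied { read } for pid=5150 exe=/usr/libexec/mysqld path=/tmp/sh-thd-1098096392 (deleted) dev=hda3 ino=1827940 scontext=root:system_r:mysqld_t tcontext=root:object_r:sysadm_tmp_t tclass=file
Oct 18 11:20:09 baal kernel: audit(1098112809.611:0): avc: denied { search } for pid=5150 exe=/usr/libexec/mysqld name=root dev=hda3 ino=1044481 scontext=root:system_r:mysqld_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Oct 18 11:20:09 baal kernel: audit(1098112809.615:0): avc: denied { getattr } for pid=5152 exe=/usr/libexec/mysqld path=/tmp/sh-thd-1098096392 (deleted) dev=hda3 ino=1827940 scontext=root:system_r:mysqld_t tcontext=root:object_r:sysadm_tmp_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that belong to the administrator, not to the daemon. audit2allow
# will happily emit rules granting these; a reviewer should not accept them.
# (Assumed list for this example, not taken from the policy sources.)
ADMIN_PRIVATE_TYPES = {"sysadm_tmp_t", "sysadm_home_t", "sysadm_home_dir_t",
                       "staff_home_dir_t", "staff_home_t"}

def parse_avc(text):
    """Return (source_type, target_type, tclass, perm) tuples, one per permission."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the inode_doinit noise)
        stype = m.group("scontext").split(":")[-1]  # user:role:type -> type
        ttype = m.group("tcontext").split(":")[-1]
        for perm in m.group("perms").split():
            out.append((stype, ttype, m.group("tclass"), perm))
    return out

def suggest_rules(text):
    """Merge denials into allow rules, audit2allow-style, one per (src, tgt, class)."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc(text):
        perms[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(ps))} }};")
    return rules

def flag_risky(rules):
    """Rules that would give a daemon domain the admin's own tmp/home objects."""
    return [r for r in rules if r.split()[2].split(":")[0] in ADMIN_PRIVATE_TYPES]
```

On the sample above `suggest_rules` reproduces exactly the two lines in Alex's patch, and `flag_risky` reports both of them, which is the cue to move the install step into its own domain instead of loading the rules.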
* Re: MySQL Policy Patch
From: Russell Coker @ 2004-10-28 13:01 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Alex Ackerman, selinux
On Tue, 19 Oct 2004 02:34, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> Think about the security implications: Do you want a compromised mysqld
> to be able to read arbitrary admin temporary files? Not likely. So
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };
The above rules which are already in the policy are worse.
The mysql situation needs improvement. Firstly I think that the temporary
file should be created under /var/lib/mysql to remove the need for /tmp
access. Then we need to do something about /root/.my.conf, maybe move it to
some place under /etc.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: MySQL Policy Patch
From: Jiann-Ming Su @ 2004-10-19 16:56 UTC (permalink / raw)
To: selinux
I'm new to SE Linux. Where can I download the mysql policy? I'm
using Fedora Core 2, if that helps. Thanks for any tips.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that,
I'd vote." --Duckman
* Re: MySQL Policy Patch
From: Stephen Smalley @ 2004-10-19 17:02 UTC (permalink / raw)
To: Jiann-Ming Su; +Cc: selinux
On Tue, 2004-10-19 at 12:56, Jiann-Ming Su wrote:
> I'm new to SE Linux. Where can I download the mysql policy? I'm
> using Fedora Core 2, if that helps. Thanks for any tips.
IIRC, on FC2, you would do:
yum install policy-sources
cd /etc/security/selinux/src/policy
vi domains/program/mysqld.te
to look at the mysqld policy that shipped with FC2. But you would
likely do better to update to FC3T3 if using SELinux, as much has
changed and FC2 policy hasn't had any updates AFAIK.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: MySQL Policy Patch
From: Jiann-Ming Su @ 2004-11-05 19:53 UTC (permalink / raw)
To: selinux
On Tue, 19 Oct 2004 13:02:54 -0400, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
>
> IIRC, on FC2, you would do:
> yum install policy-sources
> cd /etc/security/selinux/src/policy
> vi domains/program/mysqld.te
>
> to look at the mysqld policy that shipped with FC2. But you would
> likely do better to update to FC3T3 if using SELinux, as much has
> changed and FC2 policy hasn't had any updates AFAIK.
>
FC3T3 wouldn't install on my system, so I'm having to work through
FC2. When I try to run "/etc/init.d/mysql start" as root, I get the
following in dmesg:
audit(1099684144.872:0): avc: denied { read } for pid=5099
exe=/bin/su name=.default_contexts dev=sda5 ino=213003
scontext=jms:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=file
inode_doinit_with_dentry:
context_to_sid(system_u:object_r:mysql_home_dir_t) returned 22 for
dev=sda8 ino=1107617
audit(1099684153.056:0): avc: denied { associate } for pid=5163
exe=/usr/sbin/mysqld-max name=booboo.lower-test
scontext=root:object_r:unlabeled_t tcontext=system_u:object_r:fs_t
tclass=filesystem
audit(1099684153.094:0): avc: denied { associate } for pid=5163
exe=/usr/sbin/mysqld-max name=mysql.sock
scontext=root:object_r:unlabeled_t tcontext=system_u:object_r:fs_t
tclass=filesystem
What do I need to do so that mysql will start on my system, and users
can access the mysql database? I've tried adding mysqld_r to the
users file, but mysqld_r is not a role. Sorry for being so slow with
this. Thanks for any info.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
* Re: MySQL Policy Patch
From: Russell Coker @ 2004-11-23 5:09 UTC (permalink / raw)
To: Jiann-Ming Su; +Cc: selinux
On Saturday 06 November 2004 06:53, Jiann-Ming Su <sujiannming@gmail.com>
wrote:
> FC3T3 wouldn't install on my system, so I'm having to work through
> FC2. When I try to run "/etc/init.d/mysql start" as root, I get the
> following in dmesg:
>
> audit(1099684144.872:0): avc: denied { read } for pid=5099
> exe=/bin/su name=.default_contexts dev=sda5 ino=213003
> scontext=jms:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
> tclass=file
It was never possible to get correct operation when su is used for starting
daemons.
FC3 has a new program "runuser" for starting daemons in this situation,
hopefully the mysql packages for FC3 will use runuser instead of su (if not
it's a bug).
> inode_doinit_with_dentry:
> What do I need to do so that mysql will start on my system, and users
> can access the mysql database? I've tried adding mysqld_r to the
> users file, but mysqld_r is not a role. Sorry for being so slow with
> this. Thanks for any info.
If you install the policy from FC3 and compile runuser on FC3 then you can
modify the init.d script to use runuser instead of su and things should work.
But it may be easier to fix the problem with installing FC3.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page