XtraDB SELinux

Asked by David Busby

I'm trying to make XtraDB and SELinux "play nice".

A resulting policy of my work so far:

---
module xtradb 1.0;

require {
        type ifconfig_exec_t;
        type mysqld_safe_t;
        type mysqld_t;
        type var_lib_t;
        type sysctl_net_t;
        class file { write ioctl read open execute setattr getattr append execute_no_trans };
        class dir search;
        class unix_stream_socket connectto;
        class sock_file unlink;
}

#============= mysqld_safe_t ==============
# mysqld_safe writing its log/pid files under a var_lib_t-labelled directory
allow mysqld_safe_t var_lib_t:file { ioctl open setattr write getattr append };

#============= mysqld_t ==============
# mysqld executing ifconfig without a domain transition
allow mysqld_t ifconfig_exec_t:file { read open execute getattr execute_no_trans };
# data files and the socket file under var_lib_t
allow mysqld_t var_lib_t:file { read write append getattr open };
allow mysqld_t var_lib_t:sock_file unlink;
# reading /proc/sys/net
allow mysqld_t sysctl_net_t:dir search;
allow mysqld_t self:unix_stream_socket connectto;
---

There is, however, still a large number of AVC denials, because on startup it attempts to invoke "ps". As this requires access to various /proc/[0-9]+/ files, it's causing a lot of AVC denials, and a policy allowing the process to walk all of these files seems somewhat insecure; I'd rather not do that if at all avoidable.

Could someone please shed some light on what this process is trying to achieve? Perhaps this could be written in a cleaner manner?

Question information

Language: English
Status: Solved
For: Percona Server (moved to https://jira.percona.com/projects/PS)
Solved by: Alexey Kopytov
#1 Alexey Kopytov (akopytov) said (best answer):

David,

mysqld_safe uses ps to:

1) make sure an existing process with the PID stored in the <hostname>.pid is not already running (or it's not a mysqld process) on startup
2) make sure there are no hung mysqld processes left on shutdown.

I'm not sure if there's any way to achieve that other than iterating the list of running processes, which involves either ps or its variants.
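
The two checks above, as an added illustration (not mysqld_safe's own code), written against /proc directly so the policy footprint of each is visible: the pid-file check touches a single /proc/<pid>/ directory, while enumerating mysqld processes necessarily walks every /proc/[0-9]+/ directory, which is the access pattern behind the denials in the question. The optional proc-root argument is an assumption added only so the functions can be exercised against a constructed fake /proc tree.

```sh
#!/bin/sh
# Added illustration, not mysqld_safe's own code. The second argument
# (proc root) is an assumption for testing; it defaults to /proc.

# Check 1: is the PID stored in a .pid file a live process whose command
# name is mysqld? Reads exactly one /proc/<pid>/comm file.
# Returns 0 if a running mysqld has that PID, 1 otherwise.
pidfile_is_live_mysqld() {
    pidfile=$1
    proc_root=${2:-/proc}
    [ -r "$pidfile" ] || return 1
    # keep only digits so a trailing newline or stray whitespace is ignored
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    # comm holds the executable name (the kernel truncates it to 15 chars)
    [ -r "$proc_root/$pid/comm" ] || return 1
    [ "$(cat "$proc_root/$pid/comm")" = "mysqld" ]
}

# Check 2: print the PID of every running mysqld, one per line. This has
# to visit every /proc/[0-9]+/ directory; there is no narrower way to
# enumerate processes, which is why a ps-style check needs broad access.
list_mysqld_pids() {
    proc_root=${1:-/proc}
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm")" = "mysqld" ]; then
            printf '%s\n' "${d##*/}"
        fi
    done
}
```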

#2 David Busby (d-busby) said:

Thanks Alexey Kopytov, that solved my question.