LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-04-2006, 12:52 AM   #1
samw5
LQ Newbie
 
Registered: Feb 2006
Posts: 28

selinux and mysql?


Hey guys, I've got a problem running the mysqld while selinux is turned on.

I have to setenforce 0 before the database is accessible.
I've looked at the selinux documentation but quite honestly I'm not on par with that stuff...

Anyways, I figured I would ask if there is an easy way to allow mysql to run with selinux turned on.

Oh, and are there any significant risks of turning it off? The server is only used for FTP, web and a couple of other gaming apps... It's behind a router and has the linux firewall turned on.

Thanks,
Sam
 
Old 03-04-2006, 06:20 PM   #2
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Quote:
Originally Posted by samw5
Hey guys, I've got a problem running the mysqld while selinux is turned on.

I have to setenforce 0 before the database is accessible.
I've looked at the selinux documentation but quite honestly I'm not on par with that stuff...

Anyways, I figured I would ask if there is an easy way to allow mysql to run with selinux turned on.

Oh, and are there any significant risks of turning it off? The server is only used for FTP, web and a couple of other gaming apps... It's behind a router and has the linux firewall turned on.

Thanks,
Sam
Do you know what really annoys me?... They always suggest not to turn it off, although no proper documentation of SELinux exists. So if you ever face a problem with samba, mysql, ... you are forced to spend days looking for a solution.
 
Old 03-04-2006, 06:28 PM   #3
samw5
LQ Newbie
 
Registered: Feb 2006
Posts: 28

Original Poster
Yup, the documentation is pretty nightmarish, to be nice... This, on paper, is an amazingly smart solution; a public release should be accompanied by some serious support...
I just feel that selinux makes linux more secure through obscurity... since no one has a clue how to configure it (or at least the commons don't), the rigs are secured!
Anyways, still waiting for some input...
 
Old 03-07-2006, 09:09 PM   #4
zathros
LQ Newbie
 
Registered: Aug 2002
Distribution: fedora mostly (also used debian, ubuntu, and slackware)
Posts: 6

Are you running Fedora with the targeted policy? Generally the defaults do not have a problem between selinux and mysql in FC4. (At least in my experience.)

In any case, you should be getting selinux error messages. In theory you can run one of those errors through audit2allow and figure out what you need to add to your policy to make it OK. Alternatively, the problem may be in filesystem labelling. If mysqld runs as some user in some context, but the files it needs to access are in another context, you will have problems. In this case it should really be fixed by changing the context of the files, instead. I would check filesystem labelling first.

As far as turning it off goes, if you're using good security practices already, you should be OK. However, you do get benefits if you make use of selinux. The whole point of the selinux-targeted policy in FC4 is so that if a service facing the external network gets compromised, it only has as much access as it absolutely needs. (The logic here is that the network-facing services are the ones that are more likely to be hacked.) So, in general, selinux allows you to enforce least privilege better than standard linux policy does. Without it, you're still doing OK. You're no worse than all those other linux systems without it, anyway.

That said, I think it's a good thing to learn and use. Documentation is out there, it's just very complex. At some point, I'd like to see good, free GUI interfaces for generating policy and auditing errors. Unfortunately, the ones I've seen so far have been almost as clunky as writing the policy files by hand.
 
Old 03-07-2006, 09:28 PM   #5
samw5
LQ Newbie
 
Registered: Feb 2006
Posts: 28

Original Poster
Zathros,

Thanks for the comments. selinux looks amazing on paper and I truly wish I could use it (more secure is always better... at least if it works). The documentation is indeed insane... gave up on that a while back. The box is now sitting in a corner without anything hooked up to it. Logs are sent to my email on a daily basis so I know what is going on.

As far as policies, I installed FC4 with the firewall turned on and allowed HTTPD, FTP and SSH (during the install process). Everything else was untouched so it should be setup to defaults.

I've had problems with selinux since day one even trying to run apache (plain html pages wouldn't show). Went and changed the security labels and still no luck... turning it off would allow apache to work normally.
MySQL also seems to have the proper security settings (at least according to the complex documentation).
All the main partitions are EXT3 (split in /home, /var, /tmp, /boot, / and a swap file).

Besides that I've got nothing. My gaming server (UT2k4) runs perfectly even with selinux turned on, so I'm guessing there is something else weird.

I checked all the security logs and besides the usual intrusion detection stuff selinux doesn't report anything (or else it might be in a different log file god knows where)...

Anyways, IMO selinux is great but definitely not distro material, or at least not until they come up with understandable documentation for it. I'm sure it's perfect for the dude that wants an OS replacement for his desktop, but if anyone wants to run a couple of server apps from home this should be disabled by default.
I believe selinux would be perfect for all those morons running Windows without antivirus or firewall installed but not so much for people that at least know a bit or two on security...

Just my $.02.

Cheers,
Sam
 
Old 03-07-2006, 09:46 PM   #6
zathros
LQ Newbie
 
Registered: Aug 2002
Distribution: fedora mostly (also used debian, ubuntu, and slackware)
Posts: 6

Hey Sam,

I tend to agree with most of what you said, though I really have not had nearly as many problems with the default config. In my previous post I forgot to mention system-config-securitylevel. It is a GUI application specifically to configure the selinux-targeted policy on FC4. You should check it out, if you haven't already. It allows you to enable/disable specific things for services like http, ftp, ssh, etc. It's also A LOT easier to use than editing policy files. You can selectively disable all selinux just for httpd, for example. I'd recommend doing something like that before disabling all selinux completely.

Also, you can tell it to do a full filesystem relabel on next reboot. I've had that fix things, because I didn't really know what context to set for things in the targeted policy.

Concerning selinux logging, in FC4, you should look in /var/log/audit/audit.log. SELinux errors will be prefixed with avc: and include the process that was denied and permission and context.

Hope one of the above things can help. Glad you're at least trying to use it!
 
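As an added example (not code from the thread or from any of the posters), here is a small Python triage script for the avc: denial records zathros points to in /var/log/audit/audit.log. It pulls out the process, permission and source/target contexts and separates denials that look like a labelling problem (the "check filesystem labelling first" advice in post #4) from those that need a policy rule or boolean (the audit2allow / system-config-securitylevel route). The sample log lines are constructed, and the set of "generic" target types used as the mislabel hint is an assumption, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log records (not taken from the
# thread). The mysqld lines use the FC4-era context form (no MLS level); the
# httpd line uses the later ...:s0 form, so both shapes are exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1141710000.123:45): avc:  denied  { read } for  pid=2345 comm="mysqld" name="ibdata1" dev=hda3 ino=12345 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_t tclass=file
type=AVC msg=audit(1141710000.456:46): avc:  denied  { write } for  pid=2345 comm="mysqld" name="mysql.sock" dev=hda3 ino=12346 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_t tclass=sock_file
type=SYSCALL msg=audit(1141710000.456:46): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1141710100.789:47): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
# Target types that usually mean the object never got a proper label rather than
# that the policy lacks a rule (assumption: a triage heuristic, not from the thread).
GENERIC_FILE_TYPES = {"file_t", "unlabeled_t", "default_t", "var_t"}

def _type_of(ctx):
    """Contexts are user:role:type[:level]; return just the type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None for others."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    return rec

def triage(log_text):
    """Group denials by (comm, source type, target type, class, permission) and
    say whether each looks like a mislabelled object or a missing policy rule."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            for perm in rec["perms"]:
                counts[(rec.get("comm", "?"), rec["stype"], rec["ttype"], rec.get("tclass", "?"), perm)] += 1
    report = []
    for (comm, stype, ttype, tclass, perm), n in sorted(counts.items()):
        mislabeled = tclass in FILE_CLASSES and ttype in GENERIC_FILE_TYPES
        report.append({"comm": comm, "source": stype, "target": ttype, "tclass": tclass,
                       "perm": perm, "count": n, "mislabeled": mislabeled,
                       "hint": "relabel the object (restorecon / full relabel)" if mislabeled
                               else "policy rule or boolean needed (audit2allow / setsebool)"})
    return report

if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT_LOG):
        print(f'{r["comm"]:8} {r["perm"]:13} {r["source"]} -> {r["target"]} ({r["tclass"]}): {r["hint"]}')
```

Run it against a real audit.log by passing the file contents to triage(); a mysqld_t process denied on var_t files is the classic symptom of data under /var/lib/mysql that was never relabelled.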