Hi Linux Gurus
I am trying to investigate a specific issue with the some of our mysql installations. They all appear to be working fine until, I restart them. If I restart the service, the selinux is stopping me from doing so. I can disable selinux or semange the data folders to make them work, but I was wondering how they worked before. Running systems have selinux enforced and targeted, but the mysql daemons are running in unconfined domain
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21559 ? 00:00:00 mysqld_safe
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21929 ? 11:36:56 mysqld

So how did these running mysql daemons start on a system with selinux configured and running in unconfined domains(ie, that's until I restart them)? Did the old sysadmin use some commands to temporarily exclude mysql daemons from selinux until next reload?

Thank you!

Joe

If you want to make this work and you have installed a stock Selinux policy and RPM packages then you 'grep mysql /var/log/audit/audit.log|audit2allow;' and build your local policy. If you OTOH want to mimick behaviour as configured by previous admins you have to investigate a combination of documentation, shell history, audit log, booleans usage, local Selinux policy and init script modifications where applicable and if sufficient records were kept.

1 members found this post helpful.

Thanks unSpawn.

I figured out how they did it. Not the best or secured way, i guess

They created an unconfined daemon from the original mysql startup script so the process will start without the selinux protection.

ls -lZ mysql*

-rwx------. 1 unconfined_uobject_r:etc_t:s0 root root 10815 Dec 11 2013 mysqld (sysadmins created)
-rwxr-xr-x. 1 system_uobject_r:initrc_exec_t:s0 root root 10815 Mar 25 13:01 mysql

I will semanage the new folders for to make this right as explained here.. (http://crashmag.net/change-the-defau...elinux-enabled

dba

1 members found this post helpful.