Fedora Linux Support Community & Resources Center

#1 - 8th February 2005, 02:35 PM - lothario
/var/log/messages - kernel: audit(1107868785.573:0): avc: denied { getattr }

Just did a fresh install of Fedora Core 3 including Apache, PHP and MySQL.
The system is current (updated using up2date).

Noticed this message in /var/log/messages
Feb 8 05:19:45 localhost kernel: audit(1107868785.573:0): avc: denied { getattr } for pid=4126 exe=/usr/bin/mysql path=/etc/my.cnf dev=hda1 ino=136043 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mysqld_etc_t tclass=file
The above entry shows up in /var/log/messages
every time this shell script is executed
Code:
mysql -h hostNAME  -u UserNAME    databaseNAME  <  input.txt   >    output.txt
What does the log message mean?
What needs to be fixed?
#2 - 8th February 2005, 03:14 PM - jim
Do you have Selinux turned on?

Read the release notes at http://fedora.redhat.com/docs/

I think there is something in there about selinux. If in doubt, turn off Selinux and see if you still get the error message.

Remember the "Reputation" button is there for you to tell me if I helped you....
__________________
Registered Linux User: #376813
Western NY
My linux site
Smolt Profile

please remember to say if you problem was solved

Did you get your id10t award today?
#3 - 8th February 2005, 04:07 PM - lothario
Yes, I have Selinux turned on.
I have it working for one web site under /var/www/html/redd with the proper chcon settings.

I read the material at http://fedora.redhat.com/docs/

But it is not clear to me how I deal with the above var log message.
So far Selinux is working for me with this one exception.
I would like to avoid turning off Selinux given the security benefits.

Any other thoughts?
#4 - 8th February 2005, 04:33 PM - macemoneta
Follow the instructions in this post
#5 - 8th February 2005, 04:52 PM - lothario
I read the post.

I do not have the folders
/etc/selinux/targeted/src/policy/domains/misc/
/etc/selinux/targeted/src/policy/domains/
/etc/selinux/targeted/src/policy/
/etc/selinux/targeted/src/

All I have is
ls -al /etc/selinux/targeted/
total 40
drwxr-xr-x 4 root root 4096 Feb 3 05:44 .
drwxr-xr-x 3 root root 4096 Jan 28 10:44 ..
-rwx------ 1 root root 120 Jan 28 10:44 booleans
drwxr-xr-x 4 root root 4096 Feb 3 05:44 contexts
drwxr-xr-x 2 root root 4096 Feb 3 05:44 policy
#6 - 8th February 2005, 05:05 PM - macemoneta
Quote:
Originally Posted by lothario
I read the post.

I do not have the folders
/etc/selinux/targeted/src/policy/domains/misc/
/etc/selinux/targeted/src/policy/domains/
/etc/selinux/targeted/src/policy/
/etc/selinux/targeted/src/

Then you didn't install the sources in the second step.
#7 - 8th February 2005, 05:12 PM - lothario
You are correct.
I read your post. That's all.
Before making the changes (as root) I wanted to get this clarification.

Before following your steps, do I need to stop Apache or MySQL?
Or reboot after the steps?
#8 - 8th February 2005, 06:28 PM - macemoneta
No; changes to SELinux policy are dynamic. As soon as you issue the "make" command, the new policy will be in effect. Likewise, if you are unhappy with any changes you have made, simply remove the local.te file, and reissue the make command to re-establish the default targeted policy.
#9 - 8th February 2005, 07:08 PM - lothario
To repeat the process, do I have to do
yum -y install selinux-policy-targeted-sources
again?
#10 - 8th February 2005, 07:38 PM - lothario
Ok, I did all that.

But I still get this message in /var/log/messages

Feb 8 11:32:46 localhost kernel: audit(1107891166.219:0): avc: denied { read } for pid=3896 exe=/usr/bin/mysql name=my.cnf dev=hda1 ino=136043 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mysqld_etc_t tclass=file
Under the same circumstances.
#11 - 8th February 2005, 07:43 PM - macemoneta
To repeat the process, simply update the local.te and re-issue the make.

The selinux-policy-targeted-sources package contains the base set of policies that make up the Fedora "targeted" policy definition. By creating/modifying local.te, you are augmenting that policy.

The make command converts the source form of that policy into a binary which is loaded and used by the kernel. When you issue the make, you will see messages in /var/log/messages indicating that the new policy has been loaded. Since you have additional policy statements in local.te, the created binary will include your policy changes.

If you remove local.te, or modify it again, then re-issuing the make repeats the process of combining the base policies with your local changes (if any).
#12 - 8th February 2005, 07:52 PM - macemoneta
Quote:
Originally Posted by lothario
Ok, I did all that.

But I still get this message in /var/log/messages

Under the same circumstances.
If you look closely, you'll see that the first message was for a "{ getattr }" operation, and the second was for a "{ read }" operation. You will need to iteratively repeat the process until there are no further avc denied messages.

What's happening is that SELinux is preventing the software from performing an operation, so the software doesn't proceed. When you allow the first operation, the software proceeds further, until it encounters another prohibited operation.

You can find all the operations needed to complete the process by issuing the command:

setenforce Permissive

In this mode, SELinux still logs all the avc denied messages, but doesn't prevent the operations from completing. However, the protections afforded by SELinux in this mode are disabled.

Once you have all the avc denied messages handled by local.te policy, you can:

setenforce Enforcing

to return the system to normal operation. SELinux will prevent any operations prohibited by its policy in this mode.
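As an added example (not code from anyone in this thread), the iteration macemoneta describes can be driven from the log instead of one denial at a time: the script parses AVC denial lines like the two quoted above, merges the denied permissions per source type, target type and object class, and renders them as the allow rule a local.te would need, the same shape audit2allow produces. The sample log is constructed from the thread's two messages plus one unrelated kernel line; before adding such a rule, check with ls -Z whether the denial is really a labelling problem that restorecon or chcon should fix instead.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in this thread plus one non-AVC line.
SAMPLE_LOG = """\
Feb 8 05:19:45 localhost kernel: audit(1107868785.573:0): avc: denied { getattr } for pid=4126 exe=/usr/bin/mysql path=/etc/my.cnf dev=hda1 ino=136043 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mysqld_etc_t tclass=file
Feb 8 11:32:46 localhost kernel: audit(1107891166.219:0): avc: denied { read } for pid=3896 exe=/usr/bin/mysql name=my.cnf dev=hda1 ino=136043 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mysqld_etc_t tclass=file
Feb 8 11:32:47 localhost kernel: eth0: link up
"""

# Shape of an AVC line: "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., 'tcontext': ..., ...} or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Collect denied permissions per (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            denied[key].update(rec["perms"])
    return denied


def to_te_rules(denied):
    """Render one allow rule per key in .te syntax, permissions merged and sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denied.items())
    ]


if __name__ == "__main__":
    for rule in to_te_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Run against the two denials from this thread it yields a single merged rule, `allow httpd_sys_script_t mysqld_etc_t:file { getattr read };`, which is what the repeated make cycles converge on.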
#13 - 8th February 2005, 08:49 PM - lothario
Great. That helped. Thank you.
I repeated the process until there were no avc denied messages.
It helps to have a small /var/log/messages file so you can follow it slowly.
To get a small file I did reboot. I know reboot was not necessary.
But it helped me identify, isolate and remove the denied messages one-by-one.
#14 - 13th February 2005, 10:15 PM - snick
One thing I figured out the hard way is to do the ls -Z on the dir also. I had created the public_html while root. Permissions didn't match, so apache couldn't read the contents.