fedora-selinux January 2012 archive

Re: MySQL's LOAD DATA INFILE statement

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Mon Jan 09 2012 - 17:17:24 GMT
To: "Marcio B. Jr." <marcio.barbado@gmail.com>

On 01/07/2012 12:26 AM, Marcio B. Jr. wrote:
> Hi, I'm incurring some problems with MySQL and SELinux, and I need
> help.
>
> Running a 64-bit Fedora 12 with mysql-server-5.1.47-2.fc12.x86_64.
>
> $ ps -eZ | grep mysqld
> system_u:system_r:mysqld_safe_t:s0 1321 ? 00:00:00 mysqld_safe
> system_u:system_r:mysqld_t:s0 1410 ? 00:00:01 mysqld
>
> My problem is: it is only possible to use "LOAD DATA INFILE"
> statement if SELinux is in its permissive state.
>
> Strangely, logs below show no avc denial (all I can tell from them
> is Chinese tried to break into, and last line probably refers to
> when I added mysql user to some group I created). But statement
> won't work in enforcing state. Nothing gives me any tip concerning
> the referred MySQL statement issue.
>
> # cat /var/log/audit/audit.log | grep mysql
> type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305401556.759:36): user pid=2229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404558.850:1653): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404560.536:1655): user pid=3709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404563.834:1656): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=USER_LOGIN msg=audit(1305404566.207:1658): user pid=3711 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="mysql" exe="/usr/sbin/sshd" hostname=? addr=218.241.236.69 terminal=sshd res=failed'
> type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="mysql" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
>
> Firstly, where could that avc denial be in?
>
> And, well, I want to keep SELinux enforcing its policies, except
> for what is needed in order to make "LOAD DATA INFILE" work.
>
> So, what would be the proper way to achieve that?
>
>
> Marcio Barbado, Jr.
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

Please update to a supported OS, F15 or 16. 12 is way out of date.
Nothing in your log indicates SELinux is blocking anything.
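
Added example, not part of the original thread: a small Python parser that counts audit records by type and collects AVC denials whose source type is `mysqld_t`, which is the check the reply above describes. The first two sample records are copied from the quoted log; the AVC record (timestamp, file name, inode, target context) is constructed to show what a denial would look like.

```python
import re
from collections import Counter

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
FIELD = re.compile(r'\b(comm|name|scontext|tcontext|tclass)=("[^"]*"|\S+)')

# Two records copied from the quoted log (matched only because acct="mysql").
QUOTED_LOG = (
    "type=USER_LOGIN msg=audit(1305401554.802:34): user pid=2229 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=\"mysql\" "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=218.241.236.69 terminal=sshd res=failed'\n"
    "type=ADD_GROUP msg=audit(1322849937.081:18): user pid=1989 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group "
    "acct=\"mysql\" exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=? res=success'\n"
)
# Constructed AVC denial for contrast; every value in it is hypothetical.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1326000000.000:99): avc:  denied  { read } for  pid=1410 '
    'comm="mysqld" name="example.csv" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:mysqld_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file\n'
)

def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    head = HEADER.match(line)
    if not head:
        return None
    rec = {"type": head.group(1), "serial": int(head.group(3))}
    avc = AVC.search(line)
    if avc:  # only AVC records carry a permission set and contexts
        rec["result"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
        rec.update((k, v.strip('"')) for k, v in FIELD.findall(line))
    return rec

def summarize(text, domain="mysqld_t"):
    """Count records by type; collect denials whose source type is `domain`."""
    counts, denials = Counter(), []
    for rec in filter(None, map(parse_record, text.splitlines())):
        counts[rec["type"]] += 1
        source_type = rec.get("scontext", "").split(":")[2:3]
        if rec.get("result") == "denied" and source_type == [domain]:
            denials.append(rec)
    return counts, denials

if __name__ == "__main__":
    print(summarize(QUOTED_LOG))
    print(summarize(QUOTED_LOG + CONSTRUCTED_AVC))
```
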