On Tue, 2007-08-21 at 09:31 +0200, [EMAIL PROTECTED] wrote:
> Hi.
>
> When the MySQL server is launched, I get the following AVC denial
>
> Aug 1 17:38:40 mv1 audit(1185982720.744:3): avc: denied { read }
> for pid=4663 comm="runscript.sh" name="my.cnf" dev=sda3 ino=620438
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:mysqld_etc_t tclass=file
>
> Obviously, audit2allow tells me to add the following authorisation :
> allow initrc_t mysqld_etc_t:file read
>
> I do not think that it generates any kind of weakness into the server
> as only starting services have the initrc_t state and thus it may be
> impossible (or at least difficult) to corrupt these services and then
> tell them to access my.cnf when they start.

Yes, it's just the init script that is doing something that reads your my.cnf.

> However, I do not find any similar error on the web.
>
> Am I the only one who gets this AVC denial?

I guess the others that hit this just fixed it locally. I'll take a look at the Gentoo init script and fix it in the upstream policy as needed.

--
Chris PeBenito
<[EMAIL PROTECTED]>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
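As an added illustration (not part of the original messages, and not audit2allow's own code), the sketch below parses denials in the format quoted above and merges them into candidate allow rules together with the commands that triggered them, so each rule can be reviewed before it goes into local policy. The second sample denial and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in the thread joined onto one line, a
# made-up second denial (getattr) to show merging, and an unrelated line.
SAMPLE_LOG = """\
Aug 1 17:38:40 mv1 audit(1185982720.744:3): avc: denied { read } for pid=4663 comm="runscript.sh" name="my.cnf" dev=sda3 ino=620438 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mysqld_etc_t tclass=file
Aug 1 17:38:40 mv1 audit(1185982720.745:4): avc: denied { getattr } for pid=4663 comm="runscript.sh" name="my.cnf" dev=sda3 ino=620438 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mysqld_etc_t tclass=file
Aug 1 17:38:41 mv1 sshd[4700]: unrelated line that must be ignored
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:range] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 and parts[2] else None

def parse_avc(line):
    """Parse one AVC denial line; return None for anything else or malformed."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    src = context_type(fields.get("scontext", ""))
    tgt = context_type(fields.get("tcontext", ""))
    if not (src and tgt and "tclass" in fields):
        return None
    return {"key": (src, tgt, fields["tclass"]),
            "perms": m.group(1).split(),
            "comm": fields.get("comm", "?")}

def candidate_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    perms, comms = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        perms[rec["key"]].update(rec["perms"])
        comms[rec["key"]].add(rec["comm"])
    rules = []
    for key in sorted(perms):
        src, tgt, cls = key
        plist = " ".join(sorted(perms[key]))
        if len(perms[key]) > 1:
            plist = "{ " + plist + " }"
        rules.append((f"allow {src} {tgt}:{cls} {plist};", sorted(comms[key])))
    return rules

if __name__ == "__main__":
    for rule, triggered_by in candidate_rules(SAMPLE_LOG):
        print(rule, " # triggered by:", ", ".join(triggered_by))
```

Keeping the triggering command next to each rule makes it visible that a rule on `initrc_t` applies to every init script running in that domain, not only the one that produced the denial.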
