Package: mysql-server-5.5
Version: 5.5.37-1
Severity: normal
Tags: patch

For some reason mysqld_safe tests if the root directory is writable. I can't work out why this is and in any case it's redundant as the other test (for USER being root) passes in the normal Debian configuration.

type=AVC msg=audit(1403622580.061:96): avc: denied { write } for pid=1331 comm="mysqld_safe" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1403622580.061:96): arch=c000003e syscall=269 success=yes exit=0 a0=ffffffffffffff9c a1=7f5e09bfe798 a2=2 a3=2 items=0 ppid=1109 pid=1331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/dash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

On a SE Linux system the above messages are logged every time mysqld is started. I could put in a dontaudit rule for that but I prefer not to do that because if mysqld_safe tries any other form of writing to the root directory then it would be a bug that we should know about (and prevent).

The following patch makes no change to the functionality of mysqld startup on a default Debian configuration while avoiding this problem. It's probably worth considering whether the test even makes sense, but if it does make sense then it's best to have it after the UID test.

--- mysqld_safe.orig 2014-06-25 11:37:02.394406559 +1000 +++ mysqld_safe 2014-06-25 11:37:24.442599244 +1000 
@@ -585,7 +585,7 @@ fi USER_OPTION="" -if test -w / -o "$USER" = "root" +if "$USER" = "root" -o test -w / then if test "$user" != "root" -o $SET_USER = 1 then

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mysql-server-5.5 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.53
ii  initscripts            2.88dsf-53.2
ii  libc6                  2.19-4
ii  libdbi-perl            1.631-3
ii  libgcc1                1:4.9.0-7
ii  libstdc++6             4.9.0-7
ii  lsb-base               4.1+Debian13
ii  mysql-client-5.5       5.5.37-1
ii  mysql-common           5.5.37-1
ii  mysql-server-core-5.5  5.5.37-1
ii  passwd                 1:4.2-2
ii  perl                   5.18.2-4
ii  psmisc                 22.21-2
ii  zlib1g                 1:1.2.8.dfsg-1

Versions of packages mysql-server-5.5 recommends:
pn  libhtml-template-perl  <none>

Versions of packages mysql-server-5.5 suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20131005cvs-1
pn  tinyca             <none>

-- debconf information:
  mysql-server/root_password_again: (password omitted)
  mysql-server/root_password: (password omitted)
  mysql-server/no_upgrade_when_using_ndb:
  mysql-server/error_setting_password:
  mysql-server/password_mismatch:
  mysql-server-5.5/postrm_remove_databases: false
  mysql-server-5.5/start_on_boot: true
  mysql-server-5.5/nis_warning:
  mysql-server-5.5/really_downgrade: false
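
Review bot: the added line in the mysqld_safe hunk, `if "$USER" = "root" -o test -w /`, has lost the leading `test`, so the shell will try to run the value of $USER as a command with `= root -o test -w /` as its arguments instead of evaluating a condition, and the branch is then taken or skipped based on that command's exit status. Reordering the operands inside one `test` call would also not reliably achieve the stated goal, because `-o` is not guaranteed to short-circuit and the writability check on / may still be performed. Suggest `if test "$USER" = "root" || test -w /`, which is valid in /bin/sh (dash, per the report) and only reaches the check on / when the USER comparison fails.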