Fraud alert

If Jonathan Night calls you, leaving a garbled message in an Indian accent claiming you have unethical or illegal activity on your tax return and need to phone him? Yeah, that's fraud.

A simple Google search of the phone number will reveal this.


SELinux vs SphinxSE

It should be noted that SphinxSE wants to talk to searchd on port 9312. SELinux will block mysqld from connecting to that port unless it carries a port type mysqld is allowed to use. To enable it, label the port as mysqld_port_t:

semanage port -a -t mysqld_port_t -p tcp 9312


SELinux vs mysql

I'm a strange kind of fool. I maintain my own mysql packages, which makes installing them annoying because everything wants to pull in mysql-libs from the mainline.

I also sometimes want to install mysql in /home/mysql, not /var/lib/mysql as is standard on CentOS. SELinux is set up to prevent just this sort of thing. The short version is that everything in /home has the home_root_t security context, which mysqld and mysqld_safe aren't allowed to interact with.

The solution is the following:

# first we are setting up the directory layout under /home/mysql
mkdir -p /home/mysql/{InnoDB,etc,log,data,tmp,bin,sbin}
mv /etc/my.cnf /home/mysql/etc
ln -s /home/mysql/etc/my.cnf /etc
# symlink the client and server binaries into the new tree
for n in /usr/bin/my* ; do ln -s "$n" /home/mysql/bin ; done
for n in /usr/sbin/my* ; do ln -s "$n" /home/mysql/sbin ; done
chmod 1777 /home/mysql/tmp
chown mysql:mysql -R /home/mysql
joe /home/mysql/etc/my.cnf  # change datadir (joe is just the editor in use here)
joe /etc/init.d/mysql       # change datadir and basedir

# now comes the part where we fight with selinux:
# register file contexts for the new tree so it gets the same labels
# the stock /var/lib/mysql, /etc, /usr/bin and /tmp locations would have
semanage fcontext -a -t mysqld_db_t "/home/mysql(/.*)?"
semanage fcontext -a -t etc_t "/home/mysql/etc(/.*)?"
semanage fcontext -a -t bin_t "/home/mysql/bin(/.*)?"
semanage fcontext -a -t bin_t "/home/mysql/sbin(/.*)?"
semanage fcontext -a -t mysqld_tmp_t "/home/mysql/tmp(/.*)?"
semanage fcontext -a -t mysqld_safe_exec_t "/home/mysql/bin/mysqld_safe"
# apply the registered contexts to the files that already exist
restorecon -R -v /home/mysql
service mysql start

But it's still failing, because /home/mysql/bin/mysqld_safe is a symlink. To fix this, I did

# build a local policy module from the logged mysqld denials and load it
grep mysqld /var/log/audit/audit.log | audit2allow -M "mysqlhome"
semodule -i mysqlhome.pp
service mysql start

Yay! Now it works.



So I'm setting up Samba on a new machine, I can connect correctly but dir listings are failing. The problem is SELinux, because I tried setenforce 0 and it worked.

So I ask on IRC and find out I need to do the following:

semodule -BD  # rebuild policy with dontaudit rules disabled, so the silenced AVCs get logged
# redo the directory listing in another window
semodule -B   # rebuild policy with dontaudit rules back on
grep smb /var/log/audit/audit.log | audit2allow  # parse those AVCs into the rule they would need

audit2allow prints:

#============= smbd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_enable_home_dirs, samba_export_all_rw
allow smbd_t user_home_t:dir read;

Rather than loading that allow rule as a custom module, flip the boolean it points at (-P makes it persistent, -V is verbose):

setsebool -PV samba_enable_home_dirs 1
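Both the mysqld and the smbd fixes above start from the same step: reading AVC denials out of audit.log before deciding whether the answer is a relabel, a boolean or a custom module. As an added example (not part of these notes), here is a POSIX sh script that summarizes denials from a constructed audit.log excerpt, the way audit2allow's first pass does, and flags the ones whose target carries a generic filesystem type as relabel candidates rather than allow-rule candidates. The sample lines and the list of "generic" types in triage are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample excerpt of /var/log/audit/audit.log (not real output);
# mimics the denials a mysqld relocated to /home/mysql would produce.
SAMPLE_AVC='type=AVC msg=audit(1400000000.101:301): avc:  denied  { read } for  pid=2101 comm="mysqld" name="ibdata1" dev="sda2" ino=41 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1400000000.102:302): avc:  denied  { write } for  pid=2101 comm="mysqld" name="ibdata1" dev="sda2" ino=41 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1400000000.103:303): avc:  denied  { execute } for  pid=2099 comm="mysqld_safe" name="mysqld_safe" dev="sda2" ino=57 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1400000000.103:303): arch=c000003e syscall=59 success=no exit=-13 comm="mysqld_safe"'

# summarize_avc: read audit lines on stdin and print one line per
# (source type, target type, object class, permission) with its count.
# Only the type component of each context is kept, as audit2allow does.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) count[src " " tgt " " cls " " p[j]]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# triage: for each summary line, say whether the fix is a relabel (the
# target carries a generic filesystem type such as home_root_t, so the
# files are mislabelled and semanage fcontext + restorecon is the cure)
# or a policy change to review by hand. The type list is a heuristic
# chosen for this example, not an SELinux rule.
triage() {
    awk '{
        verdict = ($3 ~ /^(home_root_t|user_home_t|default_t|unlabeled_t)$/) ? "relabel" : "review"
        print verdict ": " $2 " -> " $3 " " $4 " " $5
    }'
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc | triage
```

On a real box, replace the sample with `grep mysqld /var/log/audit/audit.log | summarize_avc | triage` and only hand the "review" lines to audit2allow -M.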