{"id":1240,"date":"2016-07-24T15:24:05","date_gmt":"2016-07-24T23:24:05","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=1240"},"modified":"2016-09-22T08:16:32","modified_gmt":"2016-09-22T16:16:32","slug":"how-to-build-a-selinux-module-for-mariadb","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/","title":{"rendered":"How to Build a SELinux Module for MariaDB"},"content":{"rendered":"

When updating\u00a0MariaDB, the popular successor to MySQL, you may, once upon a time,\u00a0hit a roadblock which you won’t be able to track down in the error log. Even though web visitors get to see the\u00a0plain text complaint\u00a0“Can’t connect to the database”, the MariaDB server will be running just fine. Silent errors\u00a0should be\u00a0reason enough to suspect SELinux, the oftentimes dreaded and despised\u00a0but equally popular Security-Enhanced Linux kernel module.<\/p>\n

<\/p>\n

\"imgres\"<\/a><\/p>\n

This happens\u00a0whenever the new release comes with additional\u00a0requirements for permissions that were\u00a0not covered in your prior\u00a0SELinux configuration, as was recently the case\u00a0with\u00a0MariaDB 10.1.16.<\/p>\n

Step 1. Switch\u00a0SELinux to the permissive mode temporarily and let MariaDB do its thing<\/h4>\n

Switch SELinux to the permissive mode using:<\/p>\n

setenforce 0<\/pre>\n
Restart MariaDB and make an attempt to use the web application which was previously throwing the unsightly error. If it works and your app connects to the server, you are well on your way to creating a permanent fix. While this is going on, SELinux is tracking the activity and logging permissions violations.<\/p>\n
Step 2. Save SELinux policy\u00a0violations<\/h4>\n
Save permissions violations pertaining to MariaDB using audit2allow\u00a0by extracting relevant warnings\u00a0from the log:<\/p>\n
grep mysql \/var\/log\/audit\/audit.log \u00a0| audit2allow -M mymariadb<\/pre>\n
Remember to\u00a0grep for\u00a0MariaDB’s\u00a0famously compatibility-friendly “mysql” identifier.<\/p>\n
Step 3. Verify if policy changes make sense<\/h4>\n
In order to verify, if proposed changes aren’t going to hurt server security, run this command:<\/p>\n
cat mymariadb.te<\/pre>\n
You should see something like this:<\/p>\n
module mymariadb 1.0;\r\n\r\nrequire {\r\n type httpd_t;\r\n type init_t;\r\n class unix_stream_socket connectto;\r\n }\r\n\r\n#============= httpd_t ==============\r\n allow httpd_t init_t:unix_stream_socket connectto;<\/pre>\n
If what you are seeing looks halfway reasonable, build the module.<\/p>\n
Step 3. Build the module<\/h4>\n
In order to build the new module, run this command:<\/p>\n
semodule -i mymariadb.pp<\/pre>\n
Step 4. Activate the SELinux enforcing mode<\/h4>\n
Activate enforcing:<\/p>\n
setenforce 1<\/pre>\n
Verify that SELinux is indeed enforcing:<\/p>\n
getenforce<\/pre>\n
Test your web application again. If everything looks the way it should, you have the right\u00a0policy in place.<\/p>\n
Step 5. Verify SELinux configuration<\/h4>\n
In order to\u00a0ensure that SELinux won’t forget to enforce its policies after a reboot, have a look at its configuration file:<\/p>\n
nano \/etc\/selinux\/config<\/pre>\n
These settings should\u00a0activate enforcing (or the permissive mode, at the least, but never deactivate SELinux! because in this case, you wouldn’t even have a track record of what went wrong and why).<\/p>\n","protected":false},"excerpt":{"rendered":"
When updating\u00a0MariaDB, the popular successor to MySQL, you may, once upon a time,\u00a0hit a roadblock which you won’t be able to track down in the error log. Even though web visitors get to see the\u00a0plain text complaint\u00a0“Can’t connect to the database”, the MariaDB server will be running just fine. Silent errors\u00a0should be\u00a0reason enough to suspect […]<\/p>\n","protected":false},"author":1,"featured_media":1290,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[16,17,33,155,143,154],"tags":[81,70],"yoast_head":"\nHow to Build a SELinux Module for MariaDB - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Build a SELinux Module for MariaDB - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"When updating\u00a0MariaDB, the popular successor to MySQL, you may, once upon a time,\u00a0hit a roadblock which you won’t be able to track down in the error log. Even though web visitors get to see the\u00a0plain text complaint\u00a0“Can’t connect to the database”, the MariaDB server will be running just fine. Silent errors\u00a0should be\u00a0reason enough to suspect […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2016-07-24T23:24:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-09-22T16:16:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/07\/MariaDB_logo.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1038\" \/>\n\t<meta property=\"og:image:height\" content=\"696\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/07\/MariaDB_logo.png\",\"width\":1038,\"height\":696,\"caption\":\"MariaDB, the official logo\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/\",\"name\":\"How to Build a SELinux Module for MariaDB - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/#primaryimage\"},\"datePublished\":\"2016-07-24T23:24:05+00:00\",\"dateModified\":\"2016-09-22T16:16:32+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/how-to-build-a-selinux-module-for-mariadb\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\",\"name\":\"Cloud Insidr\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8b2fa1415b3d573b97d818b8f8f83b7c?s=96&d=mm&r=g\",\"caption\":\"Cloud Insidr\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1240"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=1240"}],"version-history":[{"count":4,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1240\/revisions"}],"predecessor-version":[{"id":1318,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1240\/revisions\/1318"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/1290"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=1240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=1240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=1240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}