Bug 167551

Summary: MySQL rpm installation fails when SELinux is enabled
Product: Red Hat Enterprise Linux 4    Reporter: Jani Tolonen <jani>
Component: mysql    Assignee: Tom Lane <tgl>
Status: CLOSED ERRATA    QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 4.0    CC: benl, byte, hhorak, marco
Hardware: i386   
OS: Linux   
Fixed In Version: RHBA-2006-0049 Doc Type: Bug Fix
Last Closed: 2006-03-07 18:10:23 UTC
Bug Blocks: 168429    
Attachments: avc messages from audit.log (no flags)

Description Jani Tolonen 2005-09-05 07:37:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When installing the MySQL rpm, it logs "avc: denied" messages to
/var/log/messages.

Version-Release number of selected component (if applicable):
Any MySQL rpm from MySQL web site, at least versions 4.1 and 5.0

How reproducible:
Always

Steps to Reproduce:
1. Load MySQL rpm from http://dev.mysql.com/downloads/mysql/4.1.html
2. Choose the server package.
3. Install with rpm -ivh or rpm -Uvh
At the end of the installation it says [failed]. This happens because
the grant tables are not being installed in the mysql database.
  

Additional info:

Here is a patch that fixes the problem:

*** domains/program/mysqld.te   2005-09-03 20:07:32.028517426 +0200
--- domains/program/mysqld.te.fixed     2005-09-03 20:04:13.468426479 +0200
***************
*** 87,89 ****
--- 87,93 ----
  # because Fedora has the sock_file in the database directory
  file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
  ')
+
+ allow mysqld_t var_lib_t:dir { write add_name remove_name };
+ allow mysqld_t var_lib_t:file { append create lock read write getattr unlink};
+ allow mysqld_t var_lib_t:sock_file create;
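Review bot: the three added allow rules grant mysqld_t write, create and unlink on every var_lib_t directory and file, which is anything under /var/lib that carries no more specific label, not only its own database directory as the description argues. A type transition, like the file_type_auto_trans line already in the context above for the socket, that labels whatever mysqld creates in a var_lib_t directory as mysqld_db_t would keep the access confined to mysqld's own files and would also leave the new data directory correctly labeled; with plain allow rules the files stay var_lib_t and still need a restorecon afterwards. Minor style point: `unlink}` is missing the space before the closing brace that the other permission sets use.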

You can apply the patch by:

cd /etc/selinux/targeted/src/policy
patch -p0 < mysql-selinux.patch
make load

Red Hat also provides MySQL rpms, but they are probably built differently.
MySQL's own rpms require the mysqld daemon to install the grant tables during
rpm installation. That's why the extra privileges for the mysqld executable
are needed in this case. I believe applying the patch does not lessen security,
because it is only the mysqld binary that needs extra privileges to its
own database directory and that should be ok.

Comment 1 Daniel Walsh 2005-09-06 20:59:31 UTC
How about

file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })

Comment 2 Daniel Walsh 2005-11-21 19:25:56 UTC
Fixed in selinux-policy-targeted-1.17.30-2.119.noarch.rpm

Comment 3 none 2005-12-06 16:07:48 UTC
The new selinux-policy-targeted RPM doesn't seem available on RHN.
Is there any way I can get a copy of it for beta testing?

Thanks.

Comment 4 Daniel Walsh 2005-12-06 17:42:39 UTC
Updated u3 policy is available at 

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3/noarch

selinux-policy-targeted-1.17.30-2.122.noarch.rpm


Comment 5 barry gould 2006-02-10 19:08:40 UTC
When will this be in up2date?

Comment 6 Daniel Walsh 2006-02-10 19:11:58 UTC
Soon I hope. They are running U3 through regression testing right now, but one
never knows what they are going to find, especially with the kernel.


Comment 7 barry gould 2006-02-10 19:13:43 UTC
OK, thanks.

FWIW,

(In reply to comment #4)
> Updated u3 policy is available at 
> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3/noarch
> selinux-policy-targeted-1.17.30-2.122.noarch.rpm

This doesn't install on a RHEL4 x86-64 system with all updates applied... 
it says:
error: Failed dependencies:
        policycoreutils >= 1.18.1-4.9 is needed


# rpm -q policycoreutils
policycoreutils-1.18.1-4.7


Thanks,
Barry


Comment 8 Daniel Walsh 2006-02-10 19:18:31 UTC
policycoreutils-1.18.1-4.9 is available on my people page for x86-64

Comment 9 barry gould 2006-02-10 22:35:30 UTC
One more problem?

Every time I start MySQL (5.0.17 from MySQL AB's RPM), I get:

Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:4): avc:  denied  { sys_resource } for  pid=3134 comm="mysqld" capability=24 scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=capability
Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:5): avc:  denied  { setrlimit } for  pid=3134 comm="mysqld" scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=process

Feb 10 14:37:59 inet-dev-mysql lsb_log_message:  succeeded

Thanks,
Barry


Comment 11 Daniel Walsh 2006-02-17 18:55:57 UTC
Please attach the actual avc messages.

Comment 13 Daniel Walsh 2006-02-20 16:04:57 UTC
This looks like a labeling problem.

restorecon -R -v /var/lib 

And then try to start mysql again.


Comment 14 Daniel Walsh 2006-02-21 15:12:21 UTC
The mis-labeling is the result of the Mysql-server rpm scripts.  If I run
restorecon after installing the packages the service starts as expected.

Considering the fact that our stock RHEL packages initialize the database via
the initscript, I tend to think this is an issue with the packages from
dev.mysql.com.  If they want to initialize the DB as part of %post, then they
should add something like the following to their scripts:
if [ -x /sbin/restorecon ]; then
   #
   # Restore selinux file_context
   #
   /sbin/restorecon -R /var/lib/mysql
fi

If this makes sense to you, I'll move on.  Thanks.


Additional info:
preinstall scriptlet (using /bin/sh):
# Shut down a previously installed server first
if test -x /etc/init.d/mysql
then
  /etc/init.d/mysql stop > /dev/null 2>&1
  echo "Giving mysqld a couple of seconds to exit nicely"
  sleep 5
elif test -x /etc/rc.d/init.d/mysql
then
  /etc/rc.d/init.d/mysql stop > /dev/null 2>&1
  echo "Giving mysqld a couple of seconds to exit nicely"
  sleep 5
fi
postinstall scriptlet (using /bin/sh):
mysql_datadir=/var/lib/mysql

# Create data directory if needed
if test ! -d $mysql_datadir; then mkdir -m755 $mysql_datadir; fi
if test ! -d $mysql_datadir/mysql; then mkdir $mysql_datadir/mysql; fi
if test ! -d $mysql_datadir/test; then mkdir $mysql_datadir/test; fi

# Make MySQL start/shutdown automatically when the machine does it.
# use insserv for older SuSE Linux versions
if test -x /sbin/insserv
then
        /sbin/insserv /etc/init.d/mysql
# use chkconfig on Red Hat and newer SuSE releases
elif test -x /sbin/chkconfig
then
        /sbin/chkconfig --add mysql
fi

# Create a MySQL user and group. Do not report any problems if it already
# exists.
groupadd -r mysql 2> /dev/null || true
useradd -M -r -d $mysql_datadir -s /bin/bash -c "MySQL server" -g mysql mysql 2> /dev/null || true
# The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
usermod -g mysql mysql 2> /dev/null || true

# Change permissions so that the user that will run the MySQL daemon
# owns all database files.
chown -R mysql:mysql $mysql_datadir

# Initiate databases
/usr/bin/mysql_install_db --rpm --user=mysql

# Change permissions again to fix any new files.
chown -R mysql:mysql $mysql_datadir

# Fix permissions for the permission database so that only the user
# can read them.
chmod -R og-rw $mysql_datadir/mysql

# Restart in the same way that mysqld will be started normally.
/etc/init.d/mysql start

# Allow safe_mysqld to start mysqld and print a message before we exit
sleep 2
preuninstall scriptlet (using /bin/sh):
if test $1 = 0
then
        # Stop MySQL before uninstalling it
  if test -x /etc/init.d/mysql
  then
    /etc/init.d/mysql stop > /dev/null

    # Remove autostart of mysql
    # for older SuSE Linux versions
    if test -x /sbin/insserv
    then
      /sbin/insserv -r /etc/init.d/mysql
    # use chkconfig on Red Hat and newer SuSE releases
    elif test -x /sbin/chkconfig
    then
      /sbin/chkconfig --del mysql
    fi
  fi
fi

# We do not remove the mysql user since it may still own a lot of
# database files.

# Clean up the BuildRoot

-----

# fixfiles check /var/lib/mysql/
/sbin/restorecon reset context
/var/lib/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t


Comment #42 from Daniel Walsh (dwalsh) on 2006-02-20 13:40

Yes but there should be a bugzilla for this.


Comment #43 from Ben Levenson (benl) on 2006-02-21 09:54

State changed from ON_QA to NEED_DEV by Ben Levenson (benl).


Comment #44 from Ben Levenson (benl) on 2006-02-21 09:54

Not sure what you mean by the previous comment.  There is a bugzilla for this:
bug 167551.  Is it not sufficient to close that bug with a final comment reading

"run 'restorecon -R /var/lib/mysql' after installing the packages from 
dev.mysql.com to fix the broken file contexts created by the Mysql-server 
post-install script"



Comment 16 Red Hat Bugzilla 2006-03-07 18:10:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0049.html


Comment 17 barry gould 2006-03-27 18:58:58 UTC
I'm still getting messages like this:

kernel: audit(1143485553.255:2): avc:  denied  { sys_resource } for  pid=2260 comm="mysqld" capability=24 scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=capability

when restarting MySQL, with all up2dates installed on RHEL4

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126

MySQL-client-pro-gpl-cert-5.0.17a-0.rhel4
MySQL-server-pro-gpl-cert-5.0.17a-0.rhel4

Daniel, you asked for "the actual AVC messages"... where does one find those?
There are no files in /var/log/audit and 'ausearch -m avc' has no output...
(from http://fedoraproject.org/wiki/SELinux/Troubleshooting)

Thanks,
Barry

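The denials quoted in this comment and in comment 9 are the raw material for the distinction Daniel draws in comments 13 and 14: a relabel problem that restorecon fixes versus a genuine gap in the policy. The following is an added example, not code from this bug or from the MySQL or selinux-policy packages: it parses syslog-style AVC lines into audit2allow-style rules and flags file-class denials against a generic type such as var_lib_t as labeling problems. The sample log (including the hypothetical third denial) and the list of generic types are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the AVC lines quoted in this bug; the third
# line is a hypothetical file-class denial of the kind restorecon resolves.
SAMPLE_LOG = """\
Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:4): avc:  denied  { sys_resource } for  pid=3134 comm="mysqld" capability=24 scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=capability
Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:5): avc:  denied  { setrlimit } for  pid=3134 comm="mysqld" scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=process
Feb 10 14:38:01 inet-dev-mysql kernel: audit(1139611081.100:6): avc:  denied  { write } for  pid=3134 comm="mysqld" name="mysql" dev=sda2 ino=12345 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir
Feb 10 14:38:02 inet-dev-mysql lsb_log_message:  succeeded
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic labels that file_contexts normally overrides for a daemon's own data
# directory; a file-class denial against one usually means mislabeled files.
GENERIC_FILE_TYPES = {"var_lib_t", "var_t", "var_run_t", "default_t", "file_t"}  # assumption
FILE_CLASSES = {"file", "dir", "sock_file", "lnk_file", "fifo_file"}

def parse_avc(line):
    """Return the permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    # The type is the third field of a context (user:role:type[:level]).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """'labeling' (fix with restorecon) or 'policy' (a real rule is missing)."""
    if rec["tclass"] in FILE_CLASSES and rec["ttype"] in GENERIC_FILE_TYPES:
        return "labeling"
    return "policy"

def summarize(log):
    """Fold denials into audit2allow-style rules, each with a diagnosis."""
    perms, verdict = defaultdict(set), {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms[key] |= rec["perms"]
        verdict[key] = classify(rec)
    return {f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};": verdict[(s, t, c)]
            for (s, t, c), p in perms.items()}
```

On the sample, the two capability/process denials come out as policy questions (the source and target type are both mysqld_t), while the dir denial against var_lib_t is the labeling case that a restorecon of /var/lib/mysql resolves.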

Comment 18 barry gould 2006-03-27 19:00:24 UTC
MySQL is working, btw; I just am a little concerned about these messages.

Thanks

Comment 19 barry gould 2006-03-27 19:04:05 UTC
Running restorecon (again) seems to have helped.
Perhaps that needs to be mentioned in the errata??

Thanks

Comment 20 Tom Lane 2006-03-27 19:47:45 UTC
From our perspective, this is a bug in MySQL AB's RPMs.  You should either use
our RPMs or file a bug report at www.mysql.com.