Bug 306351

Summary: mysqld is unable to use tmpfs filesystem because of selinux-policy
Product: Red Hat Enterprise Linux 4
Reporter: Roger Pena-Escobio <orkcu>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: 4.5
CC: dwalsh
Hardware: noarch
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-09-26 13:38:21 UTC

Description Roger Pena-Escobio 2007-09-26 02:23:33 UTC
Description of problem:
The SELinux policy does not give mysqld_t support to use tmpfs_t,
so if I want to use a tmpfs for the tmp dir in mysql, SELinux doesn't let mysql
create or search any file in the tmp directory.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.145

How reproducible:
always

Steps to Reproduce:
1. create a tmpfs filesystem and mount it somewhere, for example in /var/tmp4mysql
2. define the tmp dir in my.cnf to point to that directory
3. try to start mysqld

Actual results:
I get these SELinux errors:
kernel: audit(1190749151.616:2): avc:  denied  { read } for  pid=2425
comm="mysqld" name="/" dev=tmpfs
 ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t
tclass=dir

kernel: audit(1190749151.676:3): avc:  denied  { search } for  pid=2425
comm="mysqld" name="/" dev=tmp
fs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t
tclass=dir
mysqld: Starting MySQL:  failed

Expected results:
MySQL starts successfully

Additional info:
the following patch to selinux-policy-targeted fixes this problem:
--------------
--- policy-1.17.30-ori/domains/program/unused/mysqld.te 2007-09-25
21:35:40.000000000 -0400
+++ policy-1.17.30/domains/program/unused/mysqld.te     2007-09-25
16:30:40.000000000 -0400
@@ -25,6 +25,8 @@

 # for temporary tables
 tmp_domain(mysqld)
+# for temporary filesystem
+tmpfs_domain(mysqld)

 allow mysqld_t usr_t:file { getattr read };

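Review bot: the hunk widens the policy for every mysqld_t process on every system, while the denials in the report are only { read search } on tmpfs_t:dir for one specific mount; labeling that one filesystem tmp_t (the chcon or fscontext= route discussed in the comments) keeps the change local to the mount and avoids carrying a policy patch across upgrades. If the policy route is kept, two things should be checked in review: the hunk only adds the invocation `tmpfs_domain(mysqld)` and these lines do not show that the macro grants dir { read search } on tmpfs_t itself rather than just setting up a derived type, so the denial should be re-tested after the rebuild; and the comment `# for temporary filesystem` should name the denial it addresses (mysqld tmpdir on a tmpfs mount) so the next maintainer knows why the rule exists.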
----
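As an added example, not part of the bug report, here is a small Python parser that rejoins the AVC denials quoted above (the bug tracker wrapped them at 80 columns, splitting one field mid-token) and reduces them to the (source type, target type, class) -> permissions tuple that the relabel-versus-policy discussion in the comments turns on. The log text is a constructed sample copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the report, kept wrapped
# exactly as the bug tracker shows them (one fragment splits "tmpfs" in two).
SAMPLE_LOG = """\
kernel: audit(1190749151.616:2): avc:  denied  { read } for  pid=2425
comm="mysqld" name="/" dev=tmpfs
 ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t
tclass=dir
kernel: audit(1190749151.676:3): avc:  denied  { search } for  pid=2425
comm="mysqld" name="/" dev=tmp
fs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t
tclass=dir
mysqld: Starting MySQL:  failed
"""
RECORD_START = re.compile(r"^\w+: ")  # a syslog "program: " prefix opens a record
KEY_START = re.compile(r"^\w+=")      # fragment begins with a key=value field
AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin wrapped records: a fragment starting with key= was split at a
    field boundary (put the space back); anything else was split mid-token."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += (" " if KEY_START.match(line) else "") + line
    return records

def parse_denials(text):
    """One dict per AVC denial: its key=value fields plus a 'perms' set."""
    denials = []
    for rec in unwrap(text):
        m = AVC.search(rec)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
            fields["perms"] = set(m.group(1).split())
            denials.append(fields)
    return denials

def summarize(denials):
    """Fold denials into (source type, target type, class) -> permissions:
    the granularity at which a policy rule or a relabel decision is made."""
    summary = defaultdict(set)
    for d in denials:
        src, tgt = (c.split(":")[2] for c in (d["scontext"], d["tcontext"]))
        summary[(src, tgt, d["tclass"])] |= d["perms"]
    return dict(summary)
```

For this report the summary is a single tuple, ("mysqld_t", "tmpfs_t", "dir") needing { read search }, which is why relabeling the one mount as tmp_t is enough and no wider rule is required.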

Comment 1 Daniel Walsh 2007-09-26 13:38:21 UTC
A better solution might be to just label the tmpfs file system as tmp_t.

chcon -R -t tmp_t  /var/tmp4mysql

Or just mount it on /var/tmp/mysql and relabel with a restorecon.


Comment 2 Roger Pena-Escobio 2007-09-26 15:00:53 UTC
well, the first solution only works until the next reboot (or umount/mount of
/var/tmp4linux)

the second one does not work at all; it would work if /var/tmp/mysql were a
normal directory and not a mount point to a tmpfs, but that is not the case

anyway, I could use the first solution and add:
chcon -R -t tmp_t  /var/tmp4mysql
to mysqld init script, and it will work for mysql anytime

but, do you agree that adding this line to mysql init script is just a
workaround to the problem?

My scenario is a mysql HA cluster, using RHCS, so any time the service is moved
to another node of the cluster (recovering procedure) I will face the problem if
 I do not modify the mysql init script

so, is there any good reason not to modify the selinux-policy the way I propose?
because I am doing it myself and it looks to work, but I am just a very beginner
in the selinux world so I may be making a big mistake.

I will leave the bug closed but I think it should not be

Comment 3 Daniel Walsh 2007-09-26 15:39:01 UTC
A better solution would be to use a mount context

mount -o fscontext="system_u:object_r:tmp_t" tmpfs /var/tmp4mysql

Not sure if you would use context= or fscontext= or defcontext=
Never quite grasped the difference.

Comment 4 Roger Pena-Escobio 2007-09-26 17:15:40 UTC
that works, but I was cautious about what Stephen Smalley says in this email:
http://www.redhat.com/archives/fedora-selinux-list/2005-March/msg00124.html

if you say it is ok with using fscontext as a mount option, I will go with that

still don't know why not to change the policy ;-)

Comment 5 Daniel Walsh 2007-09-26 18:29:34 UTC
You can change the policy, it is just more difficult.  Then you have to worry
about policy upgrades also.