Bug 697002

Summary: SELinux is preventing /usr/libexec/mysqld from read, write, open access on the file ibdATW7I.
Product: Fedora
Reporter: John Obbele <john.obbele>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dwalsh, eparis, john.obbele, mgrepl, sdsmall, tgl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:55bc1b56d23190bf98984d2c7bd02a5bb2ec036360796d6a1bf63c78053c844d
Doc Type: Bug Fix
Last Closed: 2011-04-18 14:53:59 UTC

Description John Obbele 2011-04-15 14:52:07 UTC
SELinux is preventing /usr/libexec/mysqld from read, write, open access on the file ibdATW7I.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mysqld should be allowed read write open access on the ibdATW7I file by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mysqld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mysqld_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                ibdATW7I [ file ]
Source                        mysqld
Source Path                   /usr/libexec/mysqld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mysql-server-5.5.10-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-13.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.x86_64 #1
                              SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 15 Apr 2011 04:49:19 PM CEST
Last Seen                     Fri 15 Apr 2011 04:49:19 PM CEST
Local ID                      c20e1ea2-22db-4a14-82d8-14995eea5cf5

Raw Audit Messages
type=AVC msg=audit(1302878959.949:78): avc:  denied  { read write open } for  pid=2991 comm="mysqld" name="ibdATW7I" dev=tmpfs ino=49479 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1302878959.949:78): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff1f8f4dc0 a1=c2 a2=180 a3=0 items=0 ppid=2795 pid=2991 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)

Hash: mysqld,mysqld_t,tmp_t,file,read,write,open

audit2allow

#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_var_run_t, mysqld_db_t, hugetlbfs_t, mysqld_tmp_t, mysqld_log_t, root_t

allow mysqld_t tmp_t:file { read write open };

audit2allow -R

#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_var_run_t, mysqld_db_t, hugetlbfs_t, mysqld_tmp_t, mysqld_log_t, root_t

allow mysqld_t tmp_t:file { read write open };

Comment 1 John Obbele 2011-04-15 14:59:16 UTC
How to reproduce this bug:

1. yum install mysqld
2. su -c 'service mysqld start'
3. !! ERROR !!

It's a fresh install of mysqld on a Fedora 15 alpha system.

The log /var/log/mysqld.log gives the additional error message:
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
110415 16:46:17 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
110415 16:49:19 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
110415 16:49:19 [Note] Plugin 'FEDERATED' is disabled.
110415 16:49:19 InnoDB: The InnoDB memory heap is disabled
110415 16:49:19 InnoDB: Mutexes and rw_locks use GCC atomic builtins
110415 16:49:19 InnoDB: Compressed tables use zlib 1.2.5
110415 16:49:19 InnoDB: Using Linux native AIO
/usr/libexec/mysqld: Can't create/write to file '/tmp/ibdATW7I' (Errcode: 13)
110415 16:49:19  InnoDB: Error: unable to create temporary file; errno: 13
110415 16:49:19 [ERROR] Plugin 'InnoDB' init function returned error.
110415 16:49:19 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
110415 16:49:19 [ERROR] Unknown/unsupported storage engine: InnoDB
110415 16:49:19 [ERROR] Aborting

110415 16:49:19 [Note] /usr/libexec/mysqld: Shutdown complete

110415 16:49:19 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Comment 2 Daniel Walsh 2011-04-15 15:30:36 UTC
Why is mysql creating files in /tmp rather than in /var/run?

Comment 3 Tom Lane 2011-04-15 16:30:54 UTC
Hm, I don't see any such selinux complaint either on my F13 or F15 machines, but watching the timestamp of /tmp suggests that mysql does transiently create a file there during startup --- both 5.1 and 5.5 appear to do that.  The F15 machine isn't terribly up to date though.  Is this selinux restriction something you added recently?  If so it probably ought to be reverted.

Comment 4 Daniel Walsh 2011-04-15 17:31:03 UTC
Strange since we have policy to allow this, if the file is labeled correctly.

grep tmp mysql.te 
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })

So something strange is going on, mysqld did not create this file or it did not transition properly.

It would be better if the file was created in a location other than tmp.

Comment 5 Daniel Walsh 2011-04-17 09:24:58 UTC
John can you get this to happen again?

Comment 6 John Obbele 2011-04-17 15:09:20 UTC
No.

I mean, I've tested on a clean qemu-kvm x86_64 guest and mysqld was installed smoothly.

So the original bug may be due to a wrong configuration on my computer. I will test on a second VM to check it.

Comment 7 John Obbele 2011-04-18 14:53:59 UTC
Ok so I double-checked this issue and the problem was due to an old hack in my /etc/fstab file:

|tail -n1 /etc/fstab|
#none   /tmp   tmpfs   defaults,size=50%,context=system_u:object_r:tmp_t:s0   0 0

Commenting this line about tmpfs and /tmp solved my problem with mysqld. I should definitely try to learn SELinux one day and stop randomly inserting se-context around :(

I wish someone could help me to get selinux, mysqld and tmpfs together but for the time being I will close this bug report since it does not appear in the default Fedora installation.

regards
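The two findings above, Comment 4 (the denied file is tmp_t, not the mysqld_tmp_t that files_tmp_filetrans should have produced) and Comment 7 (the fstab line mounted tmpfs on /tmp with a fixed context= option), fit together: context= gives every file on that mount one label and disables per-file labeling, so no type transition can happen and mysqld's temporary file lands as tmp_t. The script below is an added example, not part of the bug report or of the selinux-policy package. It parses a copy of the AVC record from the report, checks a constructed fstab line for a context= option on a tmpfs /tmp, and prints a verdict. The function names (avc_field, avc_type, tmpfs_pins_context, expected_tmp_type, triage) are hypothetical, the mysqld_t -> mysqld_tmp_t mapping is the only one taken from the page, and the rootcontext= alternative is this example's suggestion (rootcontext= labels only the mount root, leaving files free to take their own label), not something the thread confirmed on the reporter's system.

```shell
#!/bin/sh
# Added example (not from the bug report): triage a mysqld_t -> tmp_t AVC and
# check an fstab line for the mount option that defeats the tmp file transition.
# All inputs are constructed strings modelled on the report; nothing is read
# from the live system, so this runs offline.

# Constructed copy of the AVC line from the report.
AVC='type=AVC msg=audit(1302878959.949:78): avc:  denied  { read write open } for  pid=2991 comm="mysqld" name="ibdATW7I" dev=tmpfs ino=49479 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

# Constructed fstab lines: the reporter's hack, and the rootcontext= variant
# (assumed alternative; rootcontext= only labels the mount point itself).
FSTAB_BAD='none   /tmp   tmpfs   defaults,size=50%,context=system_u:object_r:tmp_t:s0   0 0'
FSTAB_OK='none   /tmp   tmpfs   defaults,size=50%,rootcontext=system_u:object_r:tmp_t:s0   0 0'

# avc_field LINE KEY -> value of "KEY=..." in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (third colon-separated field)
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# tmpfs_pins_context FSTAB_LINE -> 0 if the line mounts tmpfs on /tmp with a
# context= option (one label for every file, so no type transition can occur),
# 1 otherwise. rootcontext=/fscontext= are deliberately not matched.
tmpfs_pins_context() {
    set -- $1
    [ "$2" = /tmp ] && [ "$3" = tmpfs ] || return 1
    case ",$4," in
        *,context=*) return 0 ;;
    esac
    return 1
}

# expected_tmp_type SOURCE_TYPE -> the private tmp type the targeted policy
# transitions to for that domain (only mysqld_t is known from this report).
expected_tmp_type() {
    case "$1" in
        mysqld_t) echo mysqld_tmp_t ;;
        *) echo unknown ;;
    esac
}

# triage AVC_LINE FSTAB_LINE -> prints a verdict; returns 0 when the fstab
# line explains the mislabel, 1 otherwise.
triage() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    want=$(expected_tmp_type "$src")
    if [ "$tgt" = "$want" ]; then
        echo "label is correct ($tgt): this is a real policy gap, report it"
        return 1
    fi
    if [ "$(avc_field "$1" dev)" = tmpfs ] && tmpfs_pins_context "$2"; then
        echo "$src created a $tgt file instead of $want: /tmp is tmpfs mounted with context=, which pins every file to one label"
        return 0
    fi
    echo "$src hit a $tgt file instead of $want: check the mount options and run restorecon -Rv /tmp"
    return 1
}

# Demonstration on the constructed inputs: the reporter's line reproduces the
# mislabel; the rootcontext= line does not.
triage "$AVC" "$FSTAB_BAD"
triage "$AVC" "$FSTAB_OK" || true
```

Run it as-is with sh; on a real host, replace AVC with the line from ausearch -m AVC and FSTAB_BAD with the /tmp entry from /etc/fstab or from findmnt /tmp. If the verdict is "label is correct", the audit2allow output in the description is the right next step; if it is the context= verdict, no policy module is needed and the mount option is what to change.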

Comment 8 Daniel Walsh 2011-04-18 15:45:06 UTC
Come to #selinux or #fedora-selinux on FreeNode IRC, and ask questions there or send me an email if you have a problem.