Bug 167551 - MySQL rpm installation fails when SELinux is enabled
MySQL rpm installation fails when SELinux is enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: mysql (Show other bugs)
4.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tom Lane
David Lawrence
:
Depends On:
Blocks: 168429
  Show dependency treegraph
 
Reported: 2005-09-05 03:37 EDT by Jani Tolonen
Modified: 2013-07-02 23:06 EDT (History)
4 users (show)

See Also:
Fixed In Version: RHBA-2006-0049
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-07 13:10:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
avc messages from audit.log (862 bytes, text/plain)
2006-02-17 16:36 EST, Ben Levenson
no flags Details

  None (edit)
Description Jani Tolonen 2005-09-05 03:37:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When installing MySQL rpm, it gives avc:  denied messages in
/var/log/messages file.

Version-Release number of selected component (if applicable):
Any MySQL rpm from MySQL web site, at least versions 4.1 and 5.0

How reproducible:
Always

Steps to Reproduce:
1. Load MySQL rpm from http://dev.mysql.com/downloads/mysql/4.1.html
2. Choose the server package.
3. Install with rpm -ivh or rpm -Uvh
At the end of installation, it sais [failed]. This happens because
grant tables are not being installed in the mysql database.
  

Additional info:

Here is a patch that fixes the problem:

*** domains/program/mysqld.te   2005-09-03 20:07:32.028517426 +0200
--- domains/program/mysqld.te.fixed     2005-09-03 20:04:13.468426479 +0200
***************
*** 87,89 ****
--- 87,93 ----
  # because Fedora has the sock_file in the database directory
  file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
  ')
+
+ allow mysqld_t var_lib_t:dir { write add_name remove_name };
+ allow mysqld_t var_lib_t:file { append create lock read write getattr unlink};
+ allow mysqld_t var_lib_t:sock_file create;

You can apply the patch by:

cd /etc/selinux/targeted/src/policy
patch -p0 < mysql-selinux.patch
make load

Redhat also provides MySQL rpms, but they are probably built differently.
MySQL own rpms require mysqld daemon to install the grant tables during
rpm installation. That's why the extra privileges for mysqld executable
is needed in this case. I believe applying the patch does not lessen security,
because it is only the mysqld binary that needs extra privileges to it's
own database directory and that should be ok.
Comment 1 Daniel Walsh 2005-09-06 16:59:31 EDT
How about

file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })
Comment 2 Daniel Walsh 2005-11-21 14:25:56 EST
FIxed in selinux-policy-targeted-1.17.30-2.119.noarch.rpm
Comment 3 thewolf 2005-12-06 11:07:48 EST
The new elinux-policy-targeted RPM doesn't seem available on RHN.
Is there any way I can get a copy of it for beta testing?

Thanks.
Comment 4 Daniel Walsh 2005-12-06 12:42:39 EST
Updated u3 policy is available at 

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3/noarch

selinux-policy-targeted-1.17.30-2.122.noarch.rpm
Comment 5 barry gould 2006-02-10 14:08:40 EST
When will this be in up2date?
Comment 6 Daniel Walsh 2006-02-10 14:11:58 EST
Soon I hope.  They are  running U3 through regression testing right now, but one
never knows what they are going to find, especially with the kernel.
Comment 7 barry gould 2006-02-10 14:13:43 EST
OK, thanks.

FWIW,

(In reply to comment #4)
> Updated u3 policy is available at 
> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3/noarch
> selinux-policy-targeted-1.17.30-2.122.noarch.rpm

This doesn't install on a RHEL4 x86-64 system with all updates applied... 
it says:
error: Failed dependencies:
        policycoreutils >= 1.18.1-4.9 is needed


# rpm -q policycoreutils
policycoreutils-1.18.1-4.7


Thanks,
Barry
Comment 8 Daniel Walsh 2006-02-10 14:18:31 EST
policycoreutils-1.18.1-4.9 is available on my people page for x86-64
Comment 9 barry gould 2006-02-10 17:35:30 EST
One more problem?

Every time I start MySQL (5.0.17 from MySQL AB's RPM), I get:

Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:4): avc:  denied  {
sys_resource } for  pid=3134 comm="mysqld" capability=24
scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=capability
Feb 10 14:37:58 inet-dev-mysql kernel: audit(1139611078.049:5): avc:  denied  {
setrlimit } for  pid=3134 comm="mysqld" scontext=root:system_r:mysqld_t
tcontext=root:system_r:mysqld_t tclass=process

Feb 10 14:37:59 inet-dev-mysql lsb_log_message:  succeeded

Thanks,
Barry
Comment 11 Daniel Walsh 2006-02-17 13:55:57 EST
Please attach the actual avc messages.
Comment 13 Daniel Walsh 2006-02-20 11:04:57 EST
This looks like a labeling problem.

restorecon -R -v /var/lib 

And then try to start mysql again.
Comment 14 Daniel Walsh 2006-02-21 10:12:21 EST
The mis-labeling is the result of the Mysql-server rpm scripts.  If I run
restorecon after installing the packages the service starts as expected.

Considering the fact that our stock RHEL packages initialize the database via
the initscript, I tend to think this is an issue with the the packages from
dev.mysql.com.  If they want to initialize the DB as part of %post, then they
should add something like the following to their scripts:
if [ -x /sbin/restorecon ]; then
   #
   # Restore selinux file_context
   #
   /sbin/restorecon -R /var/lib/mysql
fi

If this makes sense to you, I'll move on.  Thanks.


Additional info:
preinstall scriptlet (using /bin/sh):
# Shut down a previously installed server first
if test -x /etc/init.d/mysql
then
  /etc/init.d/mysql stop > /dev/null 2>&1
  echo "Giving mysqld a couple of seconds to exit nicely"
  sleep 5
elif test -x /etc/rc.d/init.d/mysql
then
  /etc/rc.d/init.d/mysql stop > /dev/null 2>&1
  echo "Giving mysqld a couple of seconds to exit nicely"
  sleep 5
fi
postinstall scriptlet (using /bin/sh):
mysql_datadir=/var/lib/mysql

# Create data directory if needed
if test ! -d $mysql_datadir; then mkdir -m755 $mysql_datadir; fi
if test ! -d $mysql_datadir/mysql; then mkdir $mysql_datadir/mysql; fi
if test ! -d $mysql_datadir/test; then mkdir $mysql_datadir/test; fi

# Make MySQL start/shutdown automatically when the machine does it.
# use insserv for older SuSE Linux versions
if test -x /sbin/insserv
then
        /sbin/insserv /etc/init.d/mysql
# use chkconfig on Red Hat and newer SuSE releases
elif test -x /sbin/chkconfig
then
        /sbin/chkconfig --add mysql
fi

# Create a MySQL user and group. Do not report any problems if it already
# exists.
groupadd -r mysql 2> /dev/null || true
useradd -M -r -d $mysql_datadir -s /bin/bash -c "MySQL server" -g mysql mysql 2>
/dev/null || true
# The user may already exist, make sure it has the proper group nevertheless
(BUG#12823)
usermod -g mysql mysql 2> /dev/null || true

# Change permissions so that the user that will run the MySQL daemon
# owns all database files.
chown -R mysql:mysql $mysql_datadir

# Initiate databases
/usr/bin/mysql_install_db --rpm --user=mysql

# Change permissions again to fix any new files.
chown -R mysql:mysql $mysql_datadir

# Fix permissions for the permission database so that only the user
# can read them.
chmod -R og-rw $mysql_datadir/mysql

# Restart in the same way that mysqld will be started normally.
/etc/init.d/mysql start

# Allow safe_mysqld to start mysqld and print a message before we exit
sleep 2
preuninstall scriptlet (using /bin/sh):
if test $1 = 0
then
        # Stop MySQL before uninstalling it
  if test -x /etc/init.d/mysql
  then
    /etc/init.d/mysql stop > /dev/null

    # Remove autostart of mysql
    # for older SuSE Linux versions
    if test -x /sbin/insserv
    then
      /sbin/insserv -r /etc/init.d/mysql
    # use chkconfig on Red Hat and newer SuSE releases
    elif test -x /sbin/chkconfig
    then
      /sbin/chkconfig --del mysql
    fi
  fi
fi

# We do not remove the mysql user since it may still own a lot of
# database files.

# Clean up the BuildRoot

-----

# fixfiles check /var/lib/mysql/
/sbin/restorecon reset context
/var/lib/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_category.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_keyword.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_topic.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/tables_priv.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_transition.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_keyword.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/func.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_topic.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/columns_priv.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/host.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_transition_type.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/db.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_leap_second.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_transition_type.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/user.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/columns_priv.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/host.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_leap_second.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/db.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_name.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t/sbin/restorecon
reset context
/var/lib/mysql/mysql/tables_priv.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_relation.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_topic.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_name.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t/sbin/restorecon
reset context
/var/lib/mysql/mysql/time_zone_leap_second.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_relation.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_category.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_transition.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/db.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/func.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_category.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/columns_priv.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/tables_priv.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/func.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_relation.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/user.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_name.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t/sbin/restorecon
reset context
/var/lib/mysql/mysql/host.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/help_keyword.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_transition_type.MYI:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/time_zone_transition.frm:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/mysql/user.MYD:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/test:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t
/sbin/restorecon reset context
/var/lib/mysql/test1203.test.redhat.com.err:root:object_r:var_lib_t->system_u:object_r:mysqld_db_t


Comment #42 from Daniel Walsh (dwalsh@redhat.com) on 2006-02-20 13:40 prev |
next | top [reply]

Yes but there should be a bugzilla for this.


Comment #43 from Ben Levenson (benl@redhat.com) on 2006-02-21 09:54 prev | next
| top [reply]

State changed from ON_QA to NEED_DEV by Ben Levenson (benl@redhat.com).


Comment #44 from Ben Levenson (benl@redhat.com) on 2006-02-21 09:54 prev | top
[reply]

Not sure what you mean by the previous comment.  There is a bugzilla for this:
bug 167551.  Is it not sufficient to close that bug with a final comment reading

"run 'restorecon -R /var/lib/mysql' after installing the packages from 
dev.mysql.com to fix the broken file contexts created by the Mysql-server 
post-install script"

Comment 16 Red Hat Bugzilla 2006-03-07 13:10:23 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0049.html
Comment 17 barry gould 2006-03-27 13:58:58 EST
I'm still getting messages like this:

kernel: audit(1143485553.255:2): avc:  denied  { sys_resource } for  pid=2260
comm="mysqld" capability=24 scontext=user_u:system_r:mysqld_t
tcontext=user_u:system_r:mysqld_t tclass=capability

when restarting MySQL, with all up2dates installed on RHEL4

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126

MySQL-client-pro-gpl-cert-5.0.17a-0.rhel4
MySQL-server-pro-gpl-cert-5.0.17a-0.rhel4

Daniel, you asked for "the actual AVC messages"... where does one find those?
there are no files in /var/log/audit and 'ausearch -m avc' has no output...
(from http://fedoraproject.org/wiki/SELinux/Troubleshooting)

Thanks,
Barry
Comment 18 barry gould 2006-03-27 14:00:24 EST
MySQL is working, btw; I just am a little concerned about these messages.

Thanks
Comment 19 barry gould 2006-03-27 14:04:05 EST
Running restorecon (again) seems to have helped.
Perhaps that needs to be mentioned in the errata??

Thanks
Comment 20 Tom Lane 2006-03-27 14:47:45 EST
From our perspective, this is a bug in MySQL AB's RPMs.  You should either use
our RPMs or file a bug report at www.mysql.com.

Note You need to log in before you can comment on or make changes to this bug.