Bug 306351 - mysqld is unable to use tmpfs filesystem because of selinux-policy
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.5
Hardware: noarch
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-09-26 02:23 UTC by Roger Pena-Escobio
Modified: 2007-11-17 01:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-26 13:38:21 UTC
Target Upstream Version:
Embargoed:



Description Roger Pena-Escobio 2007-09-26 02:23:33 UTC
Description of problem:
The SELinux policy does not allow mysqld_t to use tmpfs_t,
so if I want to use a tmpfs for the tmp dir in MySQL, SELinux doesn't let mysqld
create or search any file in the tmp directory.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.145

How reproducible:
always

Steps to Reproduce:
1. create a tmpfs filesystem and mount it somewhere, for example in /var/tmp4mysql
2. define the tmp dir in my.cnf to point to that directory
3. try to start mysqld
  
Actual results:
I get these SELinux errors:
kernel: audit(1190749151.616:2): avc:  denied  { read } for  pid=2425 comm="mysqld" name="/" dev=tmpfs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t tclass=dir

kernel: audit(1190749151.676:3): avc:  denied  { search } for  pid=2425 comm="mysqld" name="/" dev=tmpfs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t tclass=dir
mysqld: Starting MySQL:  failed

Expected results:
MySQL starts successfully

Additional info:
the following patch to selinux-policy-targeted fixes this problem:
--------------
--- policy-1.17.30-ori/domains/program/unused/mysqld.te 2007-09-25
21:35:40.000000000 -0400
+++ policy-1.17.30/domains/program/unused/mysqld.te     2007-09-25
16:30:40.000000000 -0400
@@ -25,6 +25,8 @@

 # for temporary tables
 tmp_domain(mysqld)
+# for temporary filesystem
+tmpfs_domain(mysqld)

 allow mysqld_t usr_t:file { getattr read };

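Review bot: tmpfs_domain(mysqld) grants mysqld_t access to every tmpfs on the system (anything labelled tmpfs_t), not only the directory used for MySQL temporary files, so the rule is wider than the problem it fixes; a narrower fix is to give that one mount the tmp_t label at mount time, which the existing tmp_domain(mysqld) line already covers, or, if policy must change, a private type scoped to that directory. The file header also has the `---` (original) file dated 21:35 and the `+++` file 16:30, which suggests the two sides were swapped when the diff was generated; regenerating with the original as `---` avoids the patch being applied in reverse. Finally, `# for temporary filesystem` would read better as a comment saying why (for example that tmpdir may be a tmpfs mount).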
----

Comment 1 Daniel Walsh 2007-09-26 13:38:21 UTC
A better solution might be to just label the tmpfs file system as tmp_t.

chcon -R -t tmp_t  /var/tmp4mysql

Or just mount it on /var/tmp/mysql and relabel with a restorecon.


Comment 2 Roger Pena-Escobio 2007-09-26 15:00:53 UTC
well, the first solution only works until the next reboot (or umount/mount of
/var/tmp4linux)

the second one does not work at all; it would work if /var/tmp/mysql were a
normal directory and not a mount point for a tmpfs, but that is not the case

anyway, I could use the first solution and add:
chcon -R -t tmp_t  /var/tmp4mysql
to the mysqld init script, and it will work for mysql any time

but, do you agree that adding this line to the mysql init script is just a
workaround for the problem?

My scenario is a MySQL HA cluster using RHCS, so any time the service is moved
to another node of the cluster (recovery procedure) I will face the problem if
I do not modify the mysql init script

so, is there any good reason not to modify the selinux-policy the way I propose?
because I am doing it myself and it seems to work, but I am just a beginner
in the SELinux world so I may be making a big mistake.

I will leave the bug closed but I think it should not be

Comment 3 Daniel Walsh 2007-09-26 15:39:01 UTC
A better solution would be to use a mount context

mount -o fscontext="system_u:object_r:tmp_t" tmpfs /var/tmp4mysql

Not sure if you would use context= or fscontext= or defcontext=
Never quite grasped the difference.
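
As an added example that is not part of the bug report or of the selinux-policy package, the script below ties together the two technical passages in this thread: the AVC denials quoted in the description and the context-mount alternative from comment 3. It parses the denials into (permission, source type, target type, class, device), summarises them to show that every denial is the same mysqld_t-on-tmpfs_t pair, emits the fstab line that labels the tmpfs as tmp_t at mount time, and checks a /proc/mounts listing for that option. The mount point /var/tmp4mysql and the type tmp_t come from the thread; the log lines and the /proc/mounts excerpt are constructed, and the contexts are assumed to have no MLS field, as on RHEL 4.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the selinux-policy package.
# Mount point /var/tmp4mysql and target type tmp_t are taken from the thread;
# the AVC lines and the /proc/mounts excerpt below are constructed samples.

# Constructed sample: the two denials from the report, each re-joined onto a
# single line (the tracker wrapped them, splitting "dev=tmpfs" in the second).
AVC_SAMPLE='kernel: audit(1190749151.616:2): avc:  denied  { read } for  pid=2425 comm="mysqld" name="/" dev=tmpfs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t tclass=dir
kernel: audit(1190749151.676:3): avc:  denied  { search } for  pid=2425 comm="mysqld" name="/" dev=tmpfs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t tclass=dir'

# Constructed /proc/mounts excerpt with the tmpfs mounted using a context= option.
MOUNTS_SAMPLE='rootfs / rootfs rw 0 0
tmpfs /var/tmp4mysql tmpfs rw,context=system_u:object_r:tmp_t 0 0'

# avc_fields LINE  ->  "<perm> <source type> <target type> <class> <dev>"
# Pulls out the parts of one AVC record that matter for diagnosis: what was
# denied, which domain asked, what label the object carried, and on which
# filesystem.  Contexts are assumed to be user:role:type with no MLS field.
avc_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ \([a-z_]*\) }.*dev=\([a-z0-9_]*\).*scontext=[^ ]*:\([a-z0-9_]*\) tcontext=[^ ]*:\([a-z0-9_]*\) tclass=\([a-z_]*\).*/\1 \3 \4 \5 \2/p'
}

# avc_types TEXT  ->  unique "<source type> <target type> <class>" triples
# Shows at a glance that every denial is the same pair (mysqld_t on tmpfs_t),
# i.e. a labelling problem on one mount rather than several unrelated denials.
avc_types() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        avc_fields "$line"
    done | awk '{ print $2, $3, $4 }' | sort -u
}

# tmpfs_fstab_line MOUNTPOINT TYPE  ->  fstab entry
# context= makes the kernel label every inode on the tmpfs as TYPE for the life
# of the mount, so the label is re-applied on every boot and on every cluster
# node, whereas a chcon after mounting is lost on the next unmount/mount.
tmpfs_fstab_line() {
    printf 'tmpfs %s tmpfs context="system_u:object_r:%s" 0 0\n' "$1" "$2"
}

# mount_has_context MOUNTS_TEXT MOUNTPOINT TYPE  ->  exit 0 if MOUNTPOINT is
# mounted with a context= option whose type is TYPE, else exit 1.  On a live
# host pass the contents of /proc/mounts; the sample above is used here.
mount_has_context() {
    printf '%s\n' "$1" | awk -v mp="$2" -v t="$3" '
        $2 == mp && $4 ~ ("(^|,)context=[^,:]*:[^,:]*:" t "(:|,|$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run: summarise the denials, print the fstab line, verify the mount.
avc_types "$AVC_SAMPLE"
tmpfs_fstab_line /var/tmp4mysql tmp_t
if mount_has_context "$MOUNTS_SAMPLE" /var/tmp4mysql tmp_t; then
    echo "/var/tmp4mysql is mounted with context type tmp_t"
else
    echo "/var/tmp4mysql is not labelled tmp_t at mount time"
fi
```

On the question left open in comment 3, mount(8) documents the three options as follows: context= assigns the given context to the whole filesystem, every file included, overriding any stored labels, which is what you want for a tmpfs that should look like tmp_t from the moment it is mounted; fscontext= labels only the filesystem itself (the superblock, used for filesystem-level checks such as mount and remount) and leaves per-file labelling to the filesystem's normal behaviour; defcontext= sets the label for files that have none and applies only to filesystems that support extended attributes. For the reporter's case context= is the usual choice, since it gives one predictable label to everything mysqld creates there, on every node, without touching the policy package.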

Comment 4 Roger Pena-Escobio 2007-09-26 17:15:40 UTC
that works, but I was cautious because of what Stephen Smalley says in this email:
http://www.redhat.com/archives/fedora-selinux-list/2005-March/msg00124.html

if you say it is OK to use fscontext as a mount option, I will go with that

still don't know why not to change the policy ;-)

Comment 5 Daniel Walsh 2007-09-26 18:29:34 UTC
You can change the policy, it is just more difficult.  Then you have to worry
about policy upgrades also.

