Description of problem:
The SELinux policy does not give mysqld_t support to use tmpfs_t, so if I want to use a tmpfs for the tmp dir in MySQL, SELinux does not let mysqld create or search any file in the tmp directory.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.145

How reproducible:
always

Steps to Reproduce:
1. create a tmpfs filesystem and mount it somewhere, for example in /var/tmp4mysql
2. define the tmp dir in my.cnf to point to that directory
3. try to start mysqld

Actual results:
get these SELinux errors:
kernel: audit(1190749151.616:2): avc: denied { read } for pid=2425 comm="mysqld" name="/" dev=tmpfs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t tclass=dir
kernel: audit(1190749151.676:3): avc: denied { search } for pid=2425 comm="mysqld" name="/" dev=tmpfs ino=101876 scontext=root:system_r:mysqld_t tcontext=root:object_r:tmpfs_t tclass=dir
mysqld: Starting MySQL: failed

Expected results:
MySQL starts successfully

Additional info:
the following patch to selinux-policy-targeted fixes this problem:
--------------
--- policy-1.17.30-ori/domains/program/unused/mysqld.te 2007-09-25 21:35:40.000000000 -0400 +++ policy-1.17.30/domains/program/unused/mysqld.te 2007-09-25 16:30:40.000000000 -0400 @@ -25,6 +25,8 @@ # for temporary tables tmp_domain(mysqld) +# for temporary filesystem +tmpfs_domain(mysqld) allow mysqld_t usr_t:file { getattr read }; ----
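Review bot: the added comment `+# for temporary filesystem` should say what this grants and why it was chosen over labelling the mount: tmpfs_domain(mysqld) is keyed on the type tmpfs_t, which is what every tmpfs mount carries unless it is mounted with a context, so the allow is wider than the single /var/tmp4mysql mount the report is about. Spell that out (for example `# tmpdir may live on a tmpfs mount; see the tmpfs_t read/search denials in the bug`), and confirm against the macro definition that it grants the `{ read search }` on tmpfs_t:dir that the two AVC messages show denied, rather than only access to a derived mysqld-specific tmpfs type. Also, the header timestamps put the `---` (ori) file at 21:35:40 and the `+++` file at 16:30:40 on the same day, so the "original" is newer than the modified file; check that the diff was not produced with the arguments reversed before applying it.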
A better solution might be to just label the tmpfs file system as tmp_t:
chcon -R -t tmp_t /var/tmp4mysql
Or just mount it on /var/tmp/mysql and relabel with a restorecon.
Well, the first solution only works until the next reboot (or umount/mount of /var/tmp4linux). The second one does not work at all; it would work if /var/tmp/mysql were a normal directory and not a mount point to a tmpfs, but that is not the case.

Anyway, I could use the first solution and add:
chcon -R -t tmp_t /var/tmp4mysql
to the mysqld init script, and it will work for mysql any time. But do you agree that adding this line to the mysql init script is just a workaround to the problem?

My scenario is a MySQL HA cluster using RHCS, so any time the service is moved to another node of the cluster (recovering procedure) I will face the problem if I do not modify the mysql init script.

So, is there any good point in not modifying the selinux-policy the way I propose? Because I am doing it myself and it looks to work, but I am just a beginner to the SELinux world, so I may be making a big mistake.

I will leave the bug closed, but I think it should not be.
A better solution would be to use a mount context:
mount -t tmpfs -o fscontext="system_u:object_r:tmp_t" tmpfs /var/tmp4mysql
Not sure if you would use context=, fscontext= or defcontext=; never quite grasped the difference.
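The three options above do differ, per mount(8): context= gives every file on the mount one fixed label and refuses later chcon on it; fscontext= labels the filesystem (superblock) itself and leaves per-file labelling to the filesystem's normal rules; defcontext= only applies to filesystems that store labels in xattrs and sets the label for files that have none. Whichever is used, the point for the HA scenario in comment 3 is that a label carried in the mount options survives a remount or a failover to another node, whereas a `chcon -R -t tmp_t` in the init script must be re-run every time. The following is an added example written for this thread, not code from the bug report or from the selinux-policy package: a pre-flight check an init script or RHCS resource agent could run before starting mysqld. It reads a /proc/mounts-style table (the real one by default, or a file passed as the second argument), finds the mount backing the tmpdir, and reports whether that tmpfs was mounted with a context option. The sample mount table at the end is constructed here so the check can be exercised without root or SELinux, and the recommended mount line reuses the tmp_t context from the comment above.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): pre-flight check for
# a mysqld init script or RHCS resource agent whose tmpdir lives on a tmpfs.
# Assumptions: mount option names as documented in mount(8); mount points without
# spaces (/proc/mounts escapes spaces as \040, which this does not decode).

# Print the mount-table line for the longest mount point that contains path $1.
# $2 is the table to read (default /proc/mounts).
find_mount() {
    awk -v dir="$1" '
        { mp = $2
          if (mp == "/" || mp == dir || index(dir, mp "/") == 1)
              if (length(mp) > length(best_mp)) { best_mp = mp; best = $0 } }
        END { print best }' "${2:-/proc/mounts}"
}

# Classify how files under tmpdir $1 get their SELinux label:
#   context    - mounted with context=: one fixed label for every file, chcon refused
#   fscontext  - mounted with fscontext=: the filesystem itself carries the label
#   defcontext - mounted with defcontext=: default label, xattr filesystems only
#   none       - plain tmpfs: everything is tmpfs_t, which mysqld_t cannot search
#   not-tmpfs  - ordinary disk filesystem: file contexts and restorecon apply
#   unknown    - no matching mount entry
tmpdir_label_mode() {
    line=$(find_mount "$1" "$2")
    if [ -z "$line" ]; then echo unknown; return 0; fi
    set -- $line                 # $1 device, $2 mount point, $3 fstype, $4 options
    if [ "$3" != tmpfs ]; then echo not-tmpfs; return 0; fi
    case ",$4," in
        *,context=*)    echo context ;;
        *,fscontext=*)  echo fscontext ;;
        *,defcontext=*) echo defcontext ;;
        *)              echo none ;;
    esac
}

# Exit 0 when mysqld_t can use tmpdir $1 as labelled, 1 (with a hint) otherwise.
check_mysql_tmpdir() {
    mode=$(tmpdir_label_mode "$1" "$2")
    case $mode in
        context|fscontext|not-tmpfs)
            echo "$1: ok ($mode)"; return 0 ;;
        none)
            echo "$1: tmpfs labelled tmpfs_t; mount it with a context instead of running chcon:"
            echo "  mount -t tmpfs -o fscontext=system_u:object_r:tmp_t tmpfs $1"
            return 1 ;;
        defcontext)
            echo "$1: defcontext= only applies to filesystems that store labels in xattrs"
            return 1 ;;
        *)
            echo "$1: no mount entry found"; return 1 ;;
    esac
}

# Constructed sample mount table (not taken from the reporter's system) so the
# check can be run without root or SELinux; pass it as the second argument.
SAMPLE_TABLE=$(mktemp)
trap 'rm -f "$SAMPLE_TABLE"' EXIT
cat >"$SAMPLE_TABLE" <<'EOF'
/dev/sda2 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
tmpfs /var/tmp4mysql tmpfs rw,fscontext=system_u:object_r:tmp_t 0 0
tmpfs /var/tmp4linux tmpfs rw 0 0
tmpfs /mnt/fixed tmpfs rw,context=system_u:object_r:tmp_t 0 0
EOF

# In an init script: check_mysql_tmpdir "$TMPDIR" || exit 1
# Demonstration against the sample table:
for d in /var/tmp4mysql /var/tmp4linux/sub /mnt/fixed /var/tmp/mysql; do
    check_mysql_tmpdir "$d" "$SAMPLE_TABLE" || :
done
```

The longest-prefix match matters because a tmpdir such as /var/tmp4linux/sub must be judged by the tmpfs mounted at /var/tmp4linux, not by the root filesystem; a plain `grep` on the tmpdir path would miss that.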
That works, but I was cautious about what Stephen Smalley says in this email: http://www.redhat.com/archives/fedora-selinux-list/2005-March/msg00124.html
If you say it is OK to use fscontext as a mount option, I will go with that. I still don't know why not to change the policy ;-)
You can change the policy, it is just more difficult. Then you have to worry about policy upgrades also.