Red Hat Bugzilla – Bug 426877
MySQL access denied on shmget call for HugeTLB
Last modified: 2008-02-20 17:12:59 EST
Description of problem: When setting up MySQL to use HugeTLB (large pages), it fails on the shmget call with a permission denied, because of the selinux targeted policy. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.0.8-69.fc8 How reproducible: Every time. Steps to Reproduce: 1. Setup HugeTLB with the following changes: In /etc/sysctl.conf: # Change maximum shared memory segment size to 8GB kernel.shmmax = 8589934592 # Add the gid to the hugetlb_shm_group to give access to the users vm.hugetlb_shm_group = 501 # Add 5GB of in 2MB pages to be shared between the JVM and MySQL vm.nr_hugepages = 2560 In /etc/security/limits.conf: # Add the limits for memlock to allow the JVM and MySQL to access the large # page memory. jboss soft memlock 5242880 jboss hard memlock 5242880 mysql soft memlock 5242880 mysql hard memlock 5242880 2. Enter sysctl -p to make everything take affect, and set large-pages in /etc/my.cnf 3. Restart mysql Actual results: In /var/log/mysqld.log: 071227 13:20:09 mysqld started InnoDB: HugeTLB: Warning: Failed to allocate 1493188608 bytes. errno 13 InnoDB HugeTLB: Warning: Using conventional memory pool 071227 13:20:12 InnoDB: Started; log sequence number 1 3807744248 Warning: Failed to allocate 8388608 bytes from HugeTLB memory. errno 13 Warning: Using conventional memory pool In /var/log/messages: Dec 27 13:20:10 jbosstesting kernel: audit(1198786810.352:5): avc: denied { create } for pid=1740 comm="mysqld" key=0 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=shm Dec 27 13:20:12 jbosstesting kernel: audit(1198786812.233:6): avc: denied { create } for pid=1740 comm="mysqld" key=0 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=shm Expected results: In /var/log/mysqld.log: 071227 13:31:50 mysqld started 071227 13:31:51 InnoDB: Started; log sequence number 1 3807744248 In /proc/meminfo: HugePages_Total: 2560 HugePages_Free: 2559 HugePages_Rsvd: 716 After setting setenforce 0, to make it only log, I can then restart mysql and as you can see from /proc/meminfo, we now have HugePages reserved. Additional info: MySQL should be allowed to do a shmget for hugetlb (large pages), as this has been supported functionality on Linux for a long time (supported by MySQL that is).
You can allow this for now by executing # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.0.8-73.fc8
I am now on selinux-policy-3.0.8-76.fc8 and I still have to do a setenforce=0 for MySQL to be able to access hugetlb memory. Here is the message in /var/log: Jan 24 12:37:40 jbosstesting kernel: audit(1201203460.943:7): avc: denied { read write } for pid=1997 comm="mysqld" path=2F535953563030303030303030202864656C6574656429 dev=hugetlbfs ino=0 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
You can allow this for now by executing # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.0.8-82.fc8
I retested this with 3.0.8-84, and it now works as expected.