Bug 426877 - MySQL access denied on shmget call for HugeTLB
Summary: MySQL access denied on shmget call for HugeTLB
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-12-27 20:36 UTC by Andrig Miller
Modified: 2008-02-20 22:12 UTC (History)

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2008-02-20 22:12:59 UTC
Type: ---
Embargoed:



Description Andrig Miller 2007-12-27 20:36:00 UTC
Description of problem:

When setting up MySQL to use HugeTLB (large pages), it fails on the shmget call
with a permission denied, because of the selinux targeted policy.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.0.8-69.fc8

How reproducible:

Every time.

Steps to Reproduce:
1. Set up HugeTLB with the following changes:
In /etc/sysctl.conf:
# Change maximum shared memory segment size to 8GB
kernel.shmmax = 8589934592

# Add the gid to the hugetlb_shm_group to give access to the users
vm.hugetlb_shm_group = 501

# Add 5GB in 2MB pages to be shared between the JVM and MySQL
vm.nr_hugepages = 2560

In /etc/security/limits.conf:
# Add the limits for memlock to allow the JVM and MySQL to access the large
# page memory.
jboss           soft    memlock         5242880
jboss           hard    memlock         5242880
mysql           soft    memlock         5242880
mysql           hard    memlock         5242880


2. Enter sysctl -p to make everything take effect, and set large-pages in
/etc/my.cnf
3. Restart mysql
  
Actual results:

In /var/log/mysqld.log:

071227 13:20:09  mysqld started
InnoDB: HugeTLB: Warning: Failed to allocate 1493188608 bytes. errno 13
InnoDB HugeTLB: Warning: Using conventional memory pool
071227 13:20:12  InnoDB: Started; log sequence number 1 3807744248
Warning: Failed to allocate 8388608 bytes from HugeTLB memory. errno 13
Warning: Using conventional memory pool

In /var/log/messages:

Dec 27 13:20:10 jbosstesting kernel: audit(1198786810.352:5): avc:  denied  {
create } for  pid=1740 comm="mysqld" key=0
scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0
tclass=shm
Dec 27 13:20:12 jbosstesting kernel: audit(1198786812.233:6): avc:  denied  {
create } for  pid=1740 comm="mysqld" key=0
scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0
tclass=shm

Expected results:

In /var/log/mysqld.log:

071227 13:31:50  mysqld started
071227 13:31:51  InnoDB: Started; log sequence number 1 3807744248

In /proc/meminfo:

HugePages_Total:  2560
HugePages_Free:   2559
HugePages_Rsvd:    716

After setting setenforce 0, to make it only log, I can then restart mysql and as
you can see from /proc/meminfo, we now have HugePages reserved.

Additional info:

MySQL should be allowed to do a shmget for hugetlb (large pages), as this has
been supported functionality on Linux for a long time (supported by MySQL that is).

Comment 1 Daniel Walsh 2007-12-31 12:01:03 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-73.fc8

Comment 2 Andrig Miller 2008-01-24 19:48:17 UTC
I am now on selinux-policy-3.0.8-76.fc8 and I still have to do a setenforce=0
for MySQL to be able to access hugetlb memory.  Here is the message in /var/log:

Jan 24 12:37:40 jbosstesting kernel: audit(1201203460.943:7): avc:  denied  {
read write } for  pid=1997 comm="mysqld"
path=2F535953563030303030303030202864656C6574656429 dev=hugetlbfs ino=0
scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0
tclass=file



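The two AVC denials quoted above (the shm create in the description and the hugetlbfs file read/write in comment 2) can be turned into the same kind of allow rules audit2allow builds. The following is an added example, not code from the bug or from the audit2allow tool; it assumes the kernel log lines are rejoined onto one line each (the audit subsystem writes one record per line) and decodes the hex-encoded path field, which audit uses whenever a value contains a space.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in this bug, one record per line.
SAMPLE_LOG = """\
Dec 27 13:20:10 jbosstesting kernel: audit(1198786810.352:5): avc:  denied  { create } for  pid=1740 comm="mysqld" key=0 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=shm
Jan 24 12:37:40 jbosstesting kernel: audit(1201203460.943:7): avc:  denied  { read write } for  pid=1997 comm="mysqld" path=2F535953563030303030303030202864656C6574656429 dev=hugetlbfs ino=0 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {'path', 'comm', 'name'}  # fields audit hex-encodes when unquoted

def decode_audit_value(key, value):
    """Unquote a quoted value; hex-decode path-like fields written unquoted."""
    if value.startswith('"'):
        return value.strip('"')
    if key in HEX_FIELDS and re.fullmatch(r'[0-9A-F]+', value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line):
    """Return a dict of the denial's permissions and key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': sorted(m.group('perms').split())}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = decode_audit_value(key, val)
    return rec

def type_of(context):
    """user:role:type:level -> type (e.g. mysqld_t)."""
    return context.split(':')[2]

def suggest_allow_rules(log_text):
    """Aggregate denials into one allow rule per (source type, target type, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = type_of(rec['scontext']), type_of(rec['tcontext'])
        tgt = 'self' if src == tgt else tgt   # same type on both sides is 'self'
        perms[(src, tgt, rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    print(parse_avc(SAMPLE_LOG.splitlines()[1])['path'])  # the SysV segment on hugetlbfs
    print('\n'.join(suggest_allow_rules(SAMPLE_LOG)))
```

Decoding the path shows the denied object is the SysV shared-memory segment backed by hugetlbfs, which is why the second denial appeared only after the shm create was allowed.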
Comment 3 Daniel Walsh 2008-01-24 20:49:20 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-82.fc8


Comment 4 Andrig Miller 2008-02-20 21:53:27 UTC
I retested this with 3.0.8-84, and it now works as expected.

