Bug 426877 - MySQL access denied on shmget call for HugeTLB
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-12-27 15:36 EST by Andrig Miller
Modified: 2008-02-20 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-02-20 17:12:59 EST

Description Andrig Miller 2007-12-27 15:36:00 EST
Description of problem:

When setting up MySQL to use HugeTLB (large pages), it fails on the shmget call
with a permission denied, because of the selinux targeted policy.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.0.8-69.fc8

How reproducible:

Every time.

Steps to Reproduce:
1. Setup HugeTLB with the following changes:
In /etc/sysctl.conf:
# Change maximum shared memory segment size to 8GB
kernel.shmmax = 8589934592

# Add the gid to the hugetlb_shm_group to give access to the users
vm.hugetlb_shm_group = 501

# Add 5GB in 2MB pages to be shared between the JVM and MySQL
vm.nr_hugepages = 2560

In /etc/security/limits.conf:
# Add the limits for memlock to allow the JVM and MySQL to access the large
# page memory.
jboss           soft    memlock         5242880
jboss           hard    memlock         5242880
mysql           soft    memlock         5242880
mysql           hard    memlock         5242880


2. Enter sysctl -p to make everything take effect, and set large-pages in
/etc/my.cnf
3. Restart mysql
Actual results:

In /var/log/mysqld.log:

071227 13:20:09  mysqld started
InnoDB: HugeTLB: Warning: Failed to allocate 1493188608 bytes. errno 13
InnoDB HugeTLB: Warning: Using conventional memory pool
071227 13:20:12  InnoDB: Started; log sequence number 1 3807744248
Warning: Failed to allocate 8388608 bytes from HugeTLB memory. errno 13
Warning: Using conventional memory pool

In /var/log/messages:

Dec 27 13:20:10 jbosstesting kernel: audit(1198786810.352:5): avc:  denied  { create } for  pid=1740 comm="mysqld" key=0 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=shm
Dec 27 13:20:12 jbosstesting kernel: audit(1198786812.233:6): avc:  denied  { create } for  pid=1740 comm="mysqld" key=0 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=shm

Expected results:

In /var/log/mysqld.log:

071227 13:31:50  mysqld started
071227 13:31:51  InnoDB: Started; log sequence number 1 3807744248

In /proc/meminfo:

HugePages_Total:  2560
HugePages_Free:   2559
HugePages_Rsvd:    716

After setting setenforce 0, to make it only log, I can then restart mysql and as
you can see from /proc/meminfo, we now have HugePages reserved.

Additional info:

MySQL should be allowed to do a shmget for hugetlb (large pages), as this has
been supported functionality on Linux for a long time (supported by MySQL that is).
Comment 1 Daniel Walsh 2007-12-31 07:01:03 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-73.fc8
Comment 2 Andrig Miller 2008-01-24 14:48:17 EST
I am now on selinux-policy-3.0.8-76.fc8 and I still have to do a setenforce=0
for MySQL to be able to access hugetlb memory.  Here is the message in /var/log:

Jan 24 12:37:40 jbosstesting kernel: audit(1201203460.943:7): avc:  denied  { read write } for  pid=1997 comm="mysqld" path=2F535953563030303030303030202864656C6574656429 dev=hugetlbfs ino=0 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file

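As an added example (not part of the bug report, and not code from the selinux-policy package), here is a small Python parser for the AVC denial records quoted in the description and in Comment 2. It extracts the denied permissions, the source and target types and the object class, decodes the hex-encoded path field (the audit subsystem hex-encodes a string field whenever the value contains a space or other special character, which is why the hugetlbfs path in Comment 2 shows up as an opaque hex run), and renders each denial as the allow rule a local module built with audit2allow would contain. The sample records are the report's own two denials joined back onto single lines; the field names in HEX_ENCODED_FIELDS are the common string-valued audit fields and are an assumption of this example.

```python
"""Parse SELinux AVC denial records of the kind quoted in this bug.

Added example, not part of the bug report or of the selinux-policy package.
It extracts the denied permissions, source/target types and object class,
decodes the hex-encoded path field from Comment 2, and renders the denial as
the allow rule a local policy module would contain.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the report's two denials, unwrapped onto single
# lines, plus one unrelated kernel line that the parser must skip.
SAMPLE_LOG = """\
Dec 27 13:20:10 jbosstesting kernel: audit(1198786810.352:5): avc:  denied  { create } for  pid=1740 comm="mysqld" key=0 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=shm
Jan 24 12:37:40 jbosstesting kernel: audit(1201203460.943:7): avc:  denied  { read write } for  pid=1997 comm="mysqld" path=2F535953563030303030303030202864656C6574656429 dev=hugetlbfs ino=0 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
Dec 27 13:20:11 jbosstesting kernel: hugetlbfs: unrelated line, not an AVC record
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# String-valued fields that audit hex-encodes when the value contains a space,
# quote or control character (assumed set for this example). Numeric fields
# such as pid, ino and key are never hex-encoded, so they are left out on
# purpose: "1740" would otherwise be mistaken for hex.
HEX_ENCODED_FIELDS = {"path", "comm", "name", "exe", "cwd", "proctitle"}


@dataclass
class AvcDenial:
    perms: list
    fields: dict

    @property
    def source_type(self):
        # A context reads user:role:type:level; the type is the third part.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]


def decode_field(name, value):
    """Strip surrounding quotes, or hex-decode a string field audit encoded."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in HEX_ENCODED_FIELDS and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc_lines(text):
    """Return an AvcDenial for every line carrying an 'avc: denied' record."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: decode_field(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(AvcDenial(perms=m.group("perms").split(), fields=fields))
    return denials


def to_allow_rule(denial):
    """Render the denial as a type-enforcement allow rule (audit2allow style)."""
    target = "self" if denial.target_type == denial.source_type else denial.target_type
    perms = denial.perms[0] if len(denial.perms) == 1 else "{ " + " ".join(denial.perms) + " }"
    return f"allow {denial.source_type} {target}:{denial.tclass} {perms};"


if __name__ == "__main__":
    for d in parse_avc_lines(SAMPLE_LOG):
        what = d.fields.get("path", d.fields.get("key", "?"))
        print(f'{d.fields["comm"]} (pid {d.fields["pid"]}) denied {" ".join(d.perms)} '
              f"on {d.tclass} {what!r}: {to_allow_rule(d)}")
```

Run as a script it summarises both denials. The hex path decodes to `/SYSV00000000 (deleted)`: the kernel names a SysV shared-memory segment backed by hugetlbfs `SYSV%08x` after its key, and key 0 is the IPC_PRIVATE segment mysqld asked for, which ties the file denial in Comment 2 back to the shmget call in the original report. The rendered rules (`allow mysqld_t self:shm create;` and `allow mysqld_t hugetlbfs_t:file { read write };`) are the same shape as the local module audit2allow builds in Comments 1 and 3, which is a stopgap until the updated selinux-policy package carries them.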
Comment 3 Daniel Walsh 2008-01-24 15:49:20 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-82.fc8
Comment 4 Andrig Miller 2008-02-20 16:53:27 EST
I retested this with 3.0.8-84, and it now works as expected.
