SELinux is preventing /usr/libexec/mysqld from read, write, open access on the file ibdATW7I.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mysqld should be allowed read write open access on the ibdATW7I file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mysqld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mysqld_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                ibdATW7I [ file ]
Source                        mysqld
Source Path                   /usr/libexec/mysqld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mysql-server-5.5.10-2.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-13.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 15 Apr 2011 04:49:19 PM CEST
Last Seen                     Fri 15 Apr 2011 04:49:19 PM CEST
Local ID                      c20e1ea2-22db-4a14-82d8-14995eea5cf5

Raw Audit Messages
type=AVC msg=audit(1302878959.949:78): avc: denied { read write open } for pid=2991 comm="mysqld" name="ibdATW7I" dev=tmpfs ino=49479 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1302878959.949:78): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff1f8f4dc0 a1=c2 a2=180 a3=0 items=0 ppid=2795 pid=2991 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)

Hash: mysqld,mysqld_t,tmp_t,file,read,write,open

audit2allow

#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_var_run_t, mysqld_db_t, hugetlbfs_t, mysqld_tmp_t, mysqld_log_t, root_t

allow mysqld_t tmp_t:file { read write open };

audit2allow -R

#============= mysqld_t ==============
#!!!! The source type 'mysqld_t' can write to a 'file' of the following types:
# mysqld_var_run_t, mysqld_db_t, hugetlbfs_t, mysqld_tmp_t, mysqld_log_t, root_t

allow mysqld_t tmp_t:file { read write open };

How to reproduce this bug:
1. yum install mysqld
2. su -c 'service mysqld start'
3. !! ERROR !!

It's a fresh install of mysqld on a Fedora 15 alpha system.

The log /var/log/mysqld.log gives the additional error message:
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
110415 16:46:17 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
110415 16:49:19 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
110415 16:49:19 [Note] Plugin 'FEDERATED' is disabled.
110415 16:49:19 InnoDB: The InnoDB memory heap is disabled
110415 16:49:19 InnoDB: Mutexes and rw_locks use GCC atomic builtins
110415 16:49:19 InnoDB: Compressed tables use zlib 1.2.5
110415 16:49:19 InnoDB: Using Linux native AIO
/usr/libexec/mysqld: Can't create/write to file '/tmp/ibdATW7I' (Errcode: 13)
110415 16:49:19 InnoDB: Error: unable to create temporary file; errno: 13
110415 16:49:19 [ERROR] Plugin 'InnoDB' init function returned error.
110415 16:49:19 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
110415 16:49:19 [ERROR] Unknown/unsupported storage engine: InnoDB
110415 16:49:19 [ERROR] Aborting
110415 16:49:19 [Note] /usr/libexec/mysqld: Shutdown complete
110415 16:49:19 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Why is mysql creating files in /tmp rather than in /var/run?
Hm, I don't see any such selinux complaint either on my F13 or F15 machines, but watching the timestamp of /tmp suggests that mysql does transiently create a file there during startup --- both 5.1 and 5.5 appear to do that. The F15 machine isn't terribly up to date though. Is this selinux restriction something you added recently? If so it probably ought to be reverted.
Strange, since we have policy to allow this, if the file is labeled correctly.

grep tmp mysql.te
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })

So something strange is going on: mysqld did not create this file or it did not transition properly. It would be better if the file was created in a location other than tmp.
John, can you get this to happen again?
No. I mean, I've tested on a clean qemu-kvm x86_64 guest and mysqld was installed smoothly. So the original bug may be due to a wrong configuration on my computer. I will test on a second VM to check it.
Ok so I double-checked this issue and the problem was due to an old hack in my /etc/fstab file:

|tail -n1 /etc/fstab|
#none /tmp tmpfs defaults,size=50%,context=system_u:object_r:tmp_t:s0 0 0

Commenting this line about tmpfs and /tmp solved my problem with mysqld. I should definitely try to learn SELinux one day and stop randomly inserting se-context around :(

I wish someone could help me to get selinux, mysqld and tmpfs together but for the time being I will close this bug report since it does not appear in the default Fedora installation.

regards
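
Added example, not part of the original report or of Fedora's tooling: a triage check that correlates an AVC denial with fstab entries using the context= mount option, which labels every file on the mount identically, so the files_tmp_filetrans() transition to mysqld_tmp_t cannot apply. The function names are hypothetical, the fstab sample is constructed from the line quoted above (shown active), and matching on the label alone is a heuristic.

```python
import re

# Constructed sample: the /tmp line from the report, shown active (uncommented).
FSTAB = """\
/dev/sda2 / ext4 defaults 1 1
none /tmp tmpfs defaults,size=50%,context=system_u:object_r:tmp_t:s0 0 0
"""
# AVC record as quoted in the report's raw audit messages.
AVC = ('type=AVC msg=audit(1302878959.949:78): avc: denied { read write open } '
       'for pid=2991 comm="mysqld" name="ibdATW7I" dev=tmpfs ino=49479 '
       'scontext=system_u:system_r:mysqld_t:s0 '
       'tcontext=system_u:object_r:tmp_t:s0 tclass=file')


def pinned_mounts(fstab_text):
    """Map mount point -> (fstype, label) for active entries using context=."""
    pinned = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank, malformed, or commented-out entry
        for opt in fields[3].split(","):
            if opt.startswith("context="):
                pinned[fields[1]] = (fields[2], opt.split("=", 1)[1].strip('"'))
    return pinned


def parse_avc(line):
    """Return (key=value fields, permission list) from one AVC record."""
    perms = re.search(r"\{([^}]*)\}", line)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields, perms.group(1).split() if perms else []


def mounts_explaining(avc_line, fstab_text):
    """Mounts whose context= label equals the denied target context."""
    fields, _ = parse_avc(avc_line)
    return [(mnt, fstype, label)
            for mnt, (fstype, label) in pinned_mounts(fstab_text).items()
            if label == fields.get("tcontext")]


if __name__ == "__main__":
    fields, perms = parse_avc(AVC)
    print(fields["scontext"], "denied", perms, "on", fields["tcontext"])
    for mnt, fstype, label in mounts_explaining(AVC, FSTAB):
        print(f"{mnt} ({fstype}) is mounted with context={label}; every file "
              "there carries that label, so no type transition applies")
```

A hit here points at the mount configuration as the thing to fix, rather than at loading the `allow mysqld_t tmp_t:file` rule that audit2allow proposes.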
Come to #selinux or #fedora-selinux on FreeNode IRC, and ask questions there or send me an email if you have a problem.