Bug 999594 - MariaDB specific log file
Summary: MariaDB specific log file
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 999595
Reported: 2013-08-21 16:22 UTC by Honza Horak
Modified: 2013-08-29 12:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 999595
Environment:
Last Closed: 2013-08-29 12:28:13 UTC
Type: Bug
Embargoed:


Description Honza Horak 2013-08-21 16:22:29 UTC
Description of problem:
We'd like to change the default error log file location in MariaDB to a location that would correspond more closely with the package name (while the systemd unit file should be renamed as well). More info about this step is in bug #999589.

The current log file location is /var/log/mysqld.log

The new log file location will be
/var/log/mariadb/mariadb.log

So basically we need /var/log/mariadb and /var/log/mariadb/mariadb.log (maybe everything /var/log/mariadb(.*)$ ) to have the same SELinux context as /var/log/mysqld.log.

When doing this manually, there were still some issues:
# ls -dZ /var/log/mariadb /var/log/mariadb/mariadb.log
drwxr-x---. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb
-rw-r-----. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb/mariadb.log

/var/log/messages says:
Aug 21 18:17:57 dhcp-25-53 kernel: [1187569.555129] type=1400 audit(1377101877.904:145524): avc:  denied  { search } for  pid=7539 comm="mysqld_safe" name="mariadb" dev="dm-1" ino=629757 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
# rpm -q selinux-policy
selinux-policy-3.12.1-69.fc19.noarch

How reproducible:
every time

Steps to Reproduce:
1. change log-errors to /var/log/mariadb/mariadb.log in /etc/my.cnf
2. mkdir /var/log/mariadb
3. touch /var/log/mariadb/mariadb.log
4. chown -R mysql:mysql /var/log/mariadb
5. semanage fcontext -a -e /var/log/mysqld.log /var/log/mariadb
6. restorecon -r /var/log/mariadb
7. systemctl start mysqld

Actual results:
AVC denials
mysqld doesn't start

Expected results:
no AVC denials
mysqld starts

Comment 1 Miroslav Grepl 2013-08-22 11:46:00 UTC
commit 2e96c326b6a4891e7619be451039da64106e8725
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 22 13:45:24 2013 +0200

    Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory

Comment 2 Honza Horak 2013-08-29 12:12:47 UTC
It turned out that in case we use a symlink /var/log/mysqld.log => /var/log/mariadb/mariadb.log for backward compatibility, SELinux is not entirely happy even with selinux-policy-3.12.1-73.fc19.noarch:

Aug 29 13:33:13 dhcp-25-53 kernel: [1749532.345385] type=1400 audit(1377775993.717:145556): avc:  denied  { read } for  pid=17580 comm="chmod" name="mysqld.log" dev="dm-1" ino=416401 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=lnk_file

Could you, please, fix selinux-policy to work fine even with /var/log/mysqld.log being a symlink?

Comment 3 Miroslav Grepl 2013-08-29 12:28:13 UTC
commit cb625aef480ba682952aae1eca2592e9e5eed385
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 29 14:28:02 2013 +0200

    Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb

