Bug 999594 - MariaDB specific log file
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Blocks: 999595
Reported: 2013-08-21 12:22 EDT by Honza Horak
Modified: 2013-08-29 08:28 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-29 08:28:13 EDT
Type: Bug
Description Honza Horak 2013-08-21 12:22:29 EDT
Description of problem:
We'd like to change the default error log file location in MariaDB to a location that would correspond more closely with the package name (while the systemd unit file should be renamed as well). More info about this step is in bug #999589.

The current log file location is /var/log/mysqld.log

The new log file location will be
/var/log/mariadb/mariadb.log

So basically we need /var/log/mariadb and /var/log/mariadb/mariadb.log (maybe everything matching /var/log/mariadb(.*)$) to have the same SELinux context as /var/log/mysqld.log.

When doing this manually, there were still some issues:
# ls -dZ /var/log/mariadb /var/log/mariadb/mariadb.log
drwxr-x---. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb
-rw-r-----. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb/mariadb.log

/var/log/messages says:
Aug 21 18:17:57 dhcp-25-53 kernel: [1187569.555129] type=1400 audit(1377101877.904:145524): avc:  denied  { search } for  pid=7539 comm="mysqld_safe" name="mariadb" dev="dm-1" ino=629757 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
# rpm -q selinux-policy
selinux-policy-3.12.1-69.fc19.noarch

How reproducible:
every-time

Steps to Reproduce:
1. change log-errors to /var/log/mariadb/mariadb.log in /etc/my.cnf
2. mkdir /var/log/mariadb
3. touch /var/log/mariadb/mariadb.log
4. chown -R mysql:mysql /var/log/mariadb
5. semanage fcontext -a -e /var/log/mysqld.log /var/log/mariadb
6. restorecon -r /var/log/mariadb
7. systemctl start mysqld

Actual results:
AVC denials
mysqld doesn't start

Expected results:
no AVC denials
mysqld starts
Comment 1 Miroslav Grepl 2013-08-22 07:46:00 EDT
commit 2e96c326b6a4891e7619be451039da64106e8725
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Aug 22 13:45:24 2013 +0200

    Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
Comment 2 Honza Horak 2013-08-29 08:12:47 EDT
It turned out that in case we use a symlink /var/log/mysqld.log => /var/log/mariadb/mariadb.log for backward compatibility, SELinux is not entirely happy even with selinux-policy-3.12.1-73.fc19.noarch:

Aug 29 13:33:13 dhcp-25-53 kernel: [1749532.345385] type=1400 audit(1377775993.717:145556): avc:  denied  { read } for  pid=17580 comm="chmod" name="mysqld.log" dev="dm-1" ino=416401 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=lnk_file

Could you, please, fix selinux-policy to work fine even with /var/log/mysqld.log being a symlink?
Comment 3 Miroslav Grepl 2013-08-29 08:28:13 EDT
commit cb625aef480ba682952aae1eca2592e9e5eed385
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Aug 29 14:28:02 2013 +0200

    Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
