Description of problem:
We'd like to change the default error log file location in MariaDB to a location that would more correspond with the package name (while systemd unit file should be renamed as well). More info about this step in bug #999589.

The current log file location is /var/log/mysqld.log
The new log file location will be /var/log/mariadb/mariadb.log

So basically we need /var/log/mariadb and /var/log/mariadb/mariadb.log (maybe everything /var/log/mariadb(.*)$ ) to have SELinux context the same as /var/log/mysqld.log.

When doing this manually, there were still some issues:

# ls -dZ /var/log/mariadb /var/log/mariadb/mariadb.log
drwxr-x---. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb
-rw-r-----. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb/mariadb.log

/var/log/messages says:
Aug 21 18:17:57 dhcp-25-53 kernel: [1187569.555129] type=1400 audit(1377101877.904:145524): avc: denied { search } for pid=7539 comm="mysqld_safe" name="mariadb" dev="dm-1" ino=629757 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
# rpm -q selinux-policy
selinux-policy-3.12.1-69.fc19.noarch

How reproducible:
every-time

Steps to Reproduce:
1. change log-errors to /var/log/mariadb/mariadb.log in /etc/my.cnf
2. mkdir /var/log/mariadb
3. touch /var/log/mariadb/mariadb.log
4. chown -R mysql:mysql /var/log/mariadb
5. semanage fcontext -a -e /var/log/mysqld.log /var/log/mariadb
6. restorecon -r /var/log/mariadb
7. systemctl start mysqld

Actual results:
AVC denials
mysqld doesn't start

Expected results:
no AVC denials
mysqld starts

commit 2e96c326b6a4891e7619be451039da64106e8725
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 22 13:45:24 2013 +0200

    Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory

It turned out that in case we use a symlink /var/log/mysqld.log => /var/log/mariadb/mariadb.log for backward compatibility, SELinux is not entirely happy even with selinux-policy-3.12.1-73.fc19.noarch:

Aug 29 13:33:13 dhcp-25-53 kernel: [1749532.345385] type=1400 audit(1377775993.717:145556): avc: denied { read } for pid=17580 comm="chmod" name="mysqld.log" dev="dm-1" ino=416401 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=lnk_file

Could you, please, fix selinux-policy to work fine even with /var/log/mysqld.log being a symlink?

commit cb625aef480ba682952aae1eca2592e9e5eed385
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 29 14:28:02 2013 +0200

    Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb