mysql vs selinux
Amadeus W.M.
amadeus84 at verizon.net
Tue Jul 7 02:08:47 UTC 2009
On Mon, 06 Jul 2009 08:10:29 -0400, Daniel J Walsh wrote:
> On 07/05/2009 11:57 PM, Amadeus W.M. wrote:
>> Trying to run mysqld with datadir=/data/mysql (i.e. different than the
>> default datadir=/var/lib/mysql). When I start mysqld for the first time
>> it fails:
>>
>> [root at alm ~]# /etc/rc.d/init.d/mysqld start
>> Initializing MySQL database: Installing MySQL system tables...
>> 090705 23:01:52 [Warning] Can't create test file /data/mysql/alm.lower-test
>> 090705 23:01:52 [Warning] Can't create test file /data/mysql/alm.lower-test
>> /usr/libexec/mysqld: Can't change dir to '/data/mysql/' (Errcode: 13)
>> 090705 23:01:52 [ERROR] Aborting
>>
>> and selinux pops up and says
>>
>> Summary:
>> SELinux is preventing mysqld (mysqld_t) "search" to / (default_t).
>>
>> Detailed Description:
>> SELinux denied access requested by mysqld. / may be a mislabeled. /
>> default SELinux type is root_t, but its current type is default_t.
>> Changing this file back to the default type, may fix your problem.
>>
>> <more stuff>
>>
>>
>> Poking around on google I found this suggestion:
>>
>> http://www.linuxforums.org/forum/servers/54215-moving-mysql-datafile-another-location-2.html
>>
>> chcon -R -u system_u -r object_r -t mysqld_db_t /home/mysqldb
>> chcon -R -u system_u -r object_r -t mysqld_db_t /var/lib/mysql/
>> chcon -u system_u -r object_r -t mysqld_etc_t /etc/my.cnf
>>
>> with /data/mysql instead of /home/mysqldb, of course.
>>
>> This was as of FC7. Would this still be the right thing to do in F11?
>> I'm really being patient here with selinux, trying to give it a 2nd
>> chance (first chance was about F3 or F4). I'm trying to avoid the
>> barbaric solution of disabling it altogether yet again.
>>
>> Oh, by the way, I am able to run mysqld without a hitch even with
>> selinux enabled provided that I use the default datadir=/var/lib/mysql.
>> That's not acceptable though, as my /var is too small for the colossal
>> amount of data I have.
>>
>>
>> I tried to keep this post relatively short, so I didn't include all
>> selinux info. If more is necessary, I'll post it. Please help!
>>
> Here is a new guide we are working on for setting up different confined
> services. There is a chapter on mysql.
>
> http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/html/
>
> Specifically, check out the chapter on this page:
>
> http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/html/sect-Managing_Confined_Services-MySQL-Configuration_Examples.html
Thanks, I followed the instructions:
[root at alm ~]# semanage fcontext -a -t mysqld_db_t "/data/mysql(/.*)?"
[root at alm ~]# restorecon -R -v /data/mysql
but now selinux complains about /data itself:
Summary
SELinux is preventing access to files with the default label, default_t.
Additional Information
Source Context: unconfined_u:system_r:mysqld_t:s0
Target Context: system_u:object_r:default_t:s0
Target Objects: /data [ dir ]
Source: mysqld
Source Path: /usr/libexec/mysqld
And indeed,
[root at alm ~]# ls -lZd /data
drwxr-xr-x. amadeus users system_u:object_r:default_t:s0 /data
So I'm guessing I should add a context for /data, something like
semanage fcontext -a -t data_t "/data"
restorecon -R -v /data/mysql
Is that correct?
Also, in addition to /data, selinux is also complaining about / :
Summary
SELinux is preventing mysqld (mysqld_t) "search" to / (default_t).
Additional Information
Source Context: unconfined_u:system_r:mysqld_t:s0
Target Context: system_u:object_r:default_t:s0
Target Objects: / [ dir ]
Source: mysqld
Source Path: /usr/libexec/mysqld
But
[root at alm ~]# ls -lZd /
drwxr-xr-x. root root system_u:object_r:root_t:s0 /
i.e. / is not default_t. What gives?
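Added example, not part of the thread: a small POSIX shell helper that walks from a datadir up to / and flags every ancestor labelled default_t. It illustrates the point behind the second denial above: mysqld_t needs search permission on every directory on the path to its datadir, so relabelling /data/mysql alone leaves /data (default_t, the label for paths that match no fcontext rule, which confined domains cannot search) in the way. The sample listing is constructed to match the ls -lZd output quoted above; the mysqld_db_t label on /data/mysql is assumed to be the result of the restorecon step.

```shell
#!/bin/sh
# Added example (not from the thread). mysqld_t needs "search" on every
# ancestor of its datadir, so list each ancestor's SELinux type and flag
# the ones labelled default_t, which confined domains cannot search.

# Print a path and each of its ancestors up to /, one per line.
# ancestors /data/mysql -> /data/mysql, /data, /
ancestors() {
    p=${1%/}                  # drop one trailing slash, if any
    [ -z "$p" ] && p=/        # "/" itself
    while [ "$p" != "/" ] && [ -n "$p" ]; do
        printf '%s\n' "$p"
        p=${p%/*}             # strip the last path component
    done
    printf '/\n'
}

# Read ls -lZd style lines on stdin; print the path of every entry whose
# SELinux type (third field of user:role:type:level) is default_t.
# The context column is located by pattern, so both the old coreutils
# layout quoted in the thread and the newer one (with size/date) work.
flag_default_t() {
    awk '{
        ctx = ""; path = $NF
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-zA-Z0-9_]+_u:[a-zA-Z0-9_]+_r:[a-zA-Z0-9_]+_t/) ctx = $i
        if (ctx == "") next       # no context column (e.g. "?" on a non-SELinux host)
        split(ctx, f, ":")
        if (f[3] == "default_t") print path
    }'
}

# Live check on an SELinux host: ls -lZd every ancestor of the given datadir.
# Usage: check_datadir /data/mysql
check_datadir() {
    ancestors "$1" | while IFS= read -r d; do ls -lZd "$d"; done 2>/dev/null | flag_default_t
}

# Constructed sample matching the listings quoted in the thread; the
# mysqld_db_t label on /data/mysql is assumed to be the result of restorecon.
SAMPLE='drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /data/mysql
drwxr-xr-x. amadeus users system_u:object_r:default_t:s0 /data
drwxr-xr-x. root root system_u:object_r:root_t:s0 /'

# Prints "/data": the ancestor that still needs a searchable label.
printf '%s\n' "$SAMPLE" | flag_default_t
```

Run check_datadir against the real datadir on the SELinux host to get the same report from live ls -lZd output; any path it prints needs an fcontext rule (and a restorecon) before the relabel of the datadir itself will help, since the denial is on the ancestor's search permission, not on the files inside.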