SELinux and MySQL
Manuel Arostegui Ramirez
manuel at todo-linux.com
Tue Aug 15 21:49:00 UTC 2006
El Martes, 15 de Agosto de 2006 23:42, Ryan Golhar escribió:
> Sorry I should have been more clear. I knew that too.
>
> If SELinux is enable, I cannot start the mysql daemon using
> "/etcd/init.d/mysql start". I have to disable it first.
>
> If I try to access a mysql database with SELinux enabled, I get an error
> about the file being corrupt:
>
> ERROR 1194 (HY000): Table 'user' is marked as crashed and should be
> repaired
>
> If I call '/usr/sbin/setenforce 0' prior to using mysql, all works well
> (all being relative by what I've tried).
>
> Ryan
>
Look at this:
"A co-worker recently came to me with an interesting and mysterious problem.
He was setting up a Red Hat Enterprise 4 based machine with MySQL, using a
default setup except he'd changed the location of MySQL's data directory
from /var to a different partition. Now MySQL wasn't starting properly.
The symptoms were really funny: the init.d script installed by the system
didn't work, except if he ran it by hand with 'sh -x', it did. So he renamed
it out of the way and grabbed a copy from another RHEL4 machine with a
working MySQL, which worked. But it turned out that the two scripts were
identical. So why did the new one from the other machine work but the old one
from the install not work?
(This was where he called me in.)
Fortunately I had been recently reading a series of articles on SELinux;
something about the whole situation tickled the back of my mind, and a little
light labeled 'file contexts' lit up. A quick lsattr showed that the two
scripts had different contexts; the 'as installed' one had a special context,
and the one copied from the other system had a generic one.
And this was the problem: the SELinux MySQL context lacked the magic SELinux
permissions to access the new data directory location, because (of course)
the new location hadn't been SELinux labeled as a MySQL area. However, the
normal root context could access everything fine.
(In Red Hat's SELinux setup, many daemons are deliberately run with extra
SELinux-imposed restrictions so that if someone finds and exploits a
vulnerability in the daemon it does less damage.)
So when the original MySQL init.d script was run directly, it switched into
the MySQL SELinux context and failed to access its data directory. However,
special contexts on a shell script only get switched into when you execute
the shell script directly, so when the original script was run via 'sh -x' it
was instead running in the normal root context, could access its data
directory, and worked fine. The copied script always ran in the normal root
context since it was not specially labeled, so it worked fine all the time.
(We tested this guess by running the original init.d script with just plain
'sh mysql start' instead of 'sh -x mysql start', and it worked fine then
too.)
I believe my co-worker's workaround was to turn off SELinux, on the grounds
that he didn't want to try wrestling with that particular pig right then."
Is your SeLinux configured to protect daemons?
--
Manuel Arostegui Ramirez.
Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
More information about the redhat-list
mailing list