
ius-coredev team mailing list archive

[Bug 1026008] [NEW] mysql55: SELinux errors due to /var/lib/mysqllogs/slow-log

 

Public bug reported:

On CentOS 6.3 installing mysql55-5.5.25-1.ius.el6 results in subsequent
SELinux errors when logrotate is run:

type=AVC msg=audit(1342590069.509:531): avc:  denied  { getattr } for
pid=3493 comm="logrotate" path="/var/lib/mysqllogs/slow-log" dev=dm-2
ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

type=AVC msg=audit(1342590069.528:532): avc:  denied  { open } for
pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

type=AVC msg=audit(1342590069.528:532): avc:  denied  { read write } for
pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

type=AVC msg=audit(1342590069.529:533): avc:  denied  { rename } for
pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

type=AVC msg=audit(1342590069.530:534): avc:  denied  { create } for
pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk"
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

type=AVC msg=audit(1342590069.530:535): avc:  denied  { setattr } for
pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" dev=dm-2 ino=1425
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

(this was recorded with SELinux in permissive mode; in enforcing mode
logrotate would fail on the first error).

The problem is that the package tries to place the slow log file in a
location which is not specified in the default SELinux policy for MySQL
(/var/lib/mysqllogs/slow-log). The log file is then labeled as
mysqld_db_t instead of mysqld_log_t, and the SELinux policy for
logrotate prevents it from working with such files.

Even worse, when /var/lib/mysqllogs/slow-log is relabeled for some
reason (e.g., restorecon -Rv /var/lib/mysqllogs), this file is labeled
as var_lib_t (again because there is no file context rule for it,
therefore a general label for /var/lib is used), and then the mysqld
process is unable to write to this file:

type=AVC msg=audit(1342595552.399:1165): avc:  denied  { open } for
pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425
scontext=unconfined_u:system_r:mysqld_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

type=AVC msg=audit(1342595552.399:1165): avc:  denied  { append } for
pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425
scontext=unconfined_u:system_r:mysqld_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

In enforcing mode this breaks logging of slow queries:

/usr/libexec/mysqld: File '/var/lib/mysqllogs/slow-log' not found (Errcode: 13)
120718 11:16:43 [ERROR] Could not use /var/lib/mysqllogs/slow-log for logging (error 13). Turning logging off for the whole duration of the MySQL server process. To turn it on again: fix the cause, shutdown the MySQL server and restart it.

To fix this problem, you could move the slow query log file to a
location which is compatible with the default SELinux policy — e.g., to
/var/log/mysqld-slow.log. The policy has the following file context
rule:

/var/log/mysql.*        --      gen_context(system_u:object_r:mysqld_log_t,s0)

This means that any regular file in /var/lib with name starting with
"mysql" will be labeled as a MySQL log file; then both mysqld and
logrotate will be able to work with the log file properly. The file will
also need to be precreated by the package like /var/log/mysqld.log,
because the mysqld process will not have permissions to create the file
itself.

Another option is to create the /var/log/mysql directory in the package
instead of /var/lib/mysqllogs, and specify slow-query-log-file =
/var/log/mysql/slow-log; the directory will still get the generic
var_log_t label, but the actual log files will be labeled as
mysqld_log_t. In this case even log file creation by the mysqld process
will work properly.

** Affects: ius
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1026008
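The two failure modes in the report (logrotate_t denied on a file labelled mysqld_db_t, then mysqld_t denied on the same file once restorecon has relabelled it var_lib_t) and the file-context reasoning behind the proposed move to /var/log come down to one question: which type do the default rules assign to a given path? The script below is an added example, not part of the bug report or of the IUS mysql55 package. It parses the AVC records quoted above (re-joined onto one line each) into a per-process summary of denied permissions, and models libselinux's path labelling with a hand-picked four-entry subset of the CentOS 6 targeted policy's file_contexts. The "default_t" fallback for unmatched paths and the sample record list are assumptions of the model; the real matcher consults the full, specificity-sorted file_contexts.

```python
# Added example (not part of the bug report or the IUS mysql55 package):
# parse the AVC denials from the report and model how SELinux file-context
# rules label the log paths discussed, to show why a path matching
# /var/log/mysql.* satisfies both mysqld_t and logrotate_t.
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines.

    'perms' is the set of denied permissions; 'stype'/'ttype' are the source
    and target SELinux types (third field of user:role:type[:range])."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = set(m.group("perms").split())
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def summarize(lines):
    """Group denied permissions by (comm, source type, target type, class)."""
    denied = defaultdict(set)
    for line in lines:
        f = parse_avc(line)
        if f is not None:
            denied[(f["comm"], f["stype"], f["ttype"], f["tclass"])] |= f["perms"]
    return dict(denied)


# Hand-picked subset of the CentOS 6 targeted policy file_contexts, listed
# generic-first as fc_sort orders them; like libselinux, the LAST matching
# entry wins.  '--' restricts an entry to regular files.
FILE_CONTEXTS = [
    (r"/var/lib(/.*)?", None, "var_lib_t"),
    (r"/var/log(/.*)?", None, "var_log_t"),
    (r"/var/lib/mysql(/.*)?", None, "mysqld_db_t"),
    (r"/var/log/mysql.*", "--", "mysqld_log_t"),
]


def expected_label(path, is_regular_file=True):
    """Model of matchpathcon: the type the rules above assign to `path`.
    The 'default_t' fallback for unmatched paths is an assumption of this model."""
    label = "default_t"
    for pattern, ftype, stype in FILE_CONTEXTS:
        if ftype == "--" and not is_regular_file:
            continue  # entry applies to regular files only
        if re.fullmatch(pattern, path):
            label = stype
    return label


def mysql_log_path_ok(path, is_regular_file=True):
    """True when the default rules give `path` mysqld_log_t, the one type that
    both mysqld_t (open/append) and logrotate_t (rename/create) may use."""
    return expected_label(path, is_regular_file) == "mysqld_log_t"


# Constructed sample: the logrotate and mysqld denials from the report,
# each re-joined onto a single line.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1342590069.509:531): avc:  denied  { getattr } for pid=3493 comm="logrotate" path="/var/lib/mysqllogs/slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.528:532): avc:  denied  { open } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.528:532): avc:  denied  { read write } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.529:533): avc:  denied  { rename } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.530:534): avc:  denied  { create } for pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.530:535): avc:  denied  { setattr } for pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" dev=dm-2 ino=1425 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342595552.399:1165): avc:  denied  { open } for pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1342595552.399:1165): avc:  denied  { append } for pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file',
]

if __name__ == "__main__":
    for (comm, stype, ttype, tclass), perms in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{comm} ({stype}) denied {' '.join(sorted(perms))} on {tclass} labelled {ttype}")
    for path, is_file in [("/var/lib/mysqllogs/slow-log", True),
                          ("/var/log/mysqld-slow.log", True),
                          ("/var/log/mysql", False),
                          ("/var/log/mysql/slow-log", True)]:
        print(f"{path}: {expected_label(path, is_file)}"
              f" (usable as MySQL log: {mysql_log_path_ok(path, is_file)})")
```

The model reproduces the report: /var/lib/mysqllogs/slow-log matches nothing more specific than /var/lib(/.*)? (the mysql entry needs a "/" right after "mysql"), so restorecon gives it var_lib_t, which mysqld_t cannot append to; /var/log/mysqld-slow.log and /var/log/mysql/slow-log both match the regular-file entry /var/log/mysql.* and get mysqld_log_t, while the /var/log/mysql directory itself stays var_log_t. On a real host, `matchpathcon /var/lib/mysqllogs/slow-log` gives the authoritative answer and `ausearch -m avc -c logrotate` pulls the records; an administrator who cannot move the file can instead add a local rule with `semanage fcontext -a -t mysqld_log_t "/var/lib/mysqllogs(/.*)?"` followed by `restorecon -Rv /var/lib/mysqllogs`.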
