ius-coredev team mailing list archive
Message #01746
[Bug 1026008] [NEW] mysql55: SELinux errors due to /var/lib/mysqllogs/slow-log
Public bug reported:
On CentOS 6.3 installing mysql55-5.5.25-1.ius.el6 results in subsequent
SELinux errors when logrotate is run:
type=AVC msg=audit(1342590069.509:531): avc: denied { getattr } for pid=3493 comm="logrotate" path="/var/lib/mysqllogs/slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.528:532): avc: denied { open } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.528:532): avc: denied { read write } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.529:533): avc: denied { rename } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.530:534): avc: denied { create } for pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.530:535): avc: denied { setattr } for pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" dev=dm-2 ino=1425 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
(this was recorded with SELinux in permissive mode; in enforcing mode
logrotate would fail on the first error).
The problem is that the package tries to place the slow log file in a
location which is not specified in the default SELinux policy for MySQL
(/var/lib/mysqllogs/slow-log). The log file is then labeled as
mysqld_db_t instead of mysqld_log_t, and the SELinux policy for
logrotate prevents it from working with such files.
Even worse, when /var/lib/mysqllogs/slow-log is relabeled for some
reason (e.g., restorecon -Rv /var/lib/mysqllogs), this file is labeled
as var_lib_t (again because there is no file context rule for it,
therefore a general label for /var/lib is used), and then the mysqld
process is unable to write to this file:
type=AVC msg=audit(1342595552.399:1165): avc: denied { open } for pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1342595552.399:1165): avc: denied { append } for pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
In enforcing mode this breaks logging of slow queries:
/usr/libexec/mysqld: File '/var/lib/mysqllogs/slow-log' not found (Errcode: 13)
120718 11:16:43 [ERROR] Could not use /var/lib/mysqllogs/slow-log for logging (error 13). Turning logging off for the whole duration of the MySQL server process. To turn it on again: fix the cause, shutdown the MySQL server and restart it.
To fix this problem, you could move the slow query log file to a
location which is compatible with the default SELinux policy — e.g., to
/var/log/mysqld-slow.log. The policy has the following file context
rule:
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
This means that any regular file in /var/lib with a name starting with
"mysql" will be labeled as a MySQL log file; then both mysqld and
logrotate will be able to work with the log file properly. The file will
also need to be precreated by the package like /var/log/mysqld.log,
because the mysqld process will not have permissions to create the file
itself.
Another option is to create the /var/log/mysql directory in the package
instead of /var/lib/mysqllogs, and specify slow-query-log-file =
/var/log/mysql/slow-log; the directory will still get the generic
var_log_t label, but the actual log files will be labeled as
mysqld_log_t. In this case even log file creation by the mysqld process
will work properly.
** Affects: ius
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1026008
Title:
mysql55: SELinux errors due to /var/lib/mysqllogs/slow-log
Status in IUS Community Project:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/1026008/+subscriptions
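A worked example of the two things the report reasons about, added here as an illustration; it is not part of the bug report, the IUS packages, or libselinux. The first half is a toy matchpathcon-style resolver over a constructed subset of file-context rules (only the entries relevant to the report; real policy has many more, and real libselinux additionally handles literal entries and stems specially, which this model ignores). The second half parses the AVC records quoted above into (process, source type, target type, permissions) groups and compares a file's live label with the label the policy would assign it. All paths, the FILE_CONTEXTS table and the helper names are assumptions made for the example; the AVC lines are the ones from the report, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed subset of file_contexts rules, in file order: each regex is
# matched against the whole path and the LAST matching entry wins. The middle
# column is the file_contexts type filter ("--" = regular files only,
# "" = any object type). Types are the ones discussed in the report.
FILE_CONTEXTS = [
    (r"/.*",                  "",   "default_t"),
    (r"/var/lib(/.*)?",       "",   "var_lib_t"),
    (r"/var/log(/.*)?",       "",   "var_log_t"),
    (r"/var/lib/mysql(/.*)?", "",   "mysqld_db_t"),
    (r"/var/log/mysql.*",     "--", "mysqld_log_t"),
]


def resolve_label(path, is_dir=False):
    """Type a path would receive on relabel (restorecon) under FILE_CONTEXTS.

    Teaching model of matchpathcon(8): last match wins, and regular-file-only
    entries are skipped when the object is a directory. Not a substitute for
    running matchpathcon on a real policy.
    """
    label = None
    for regex, ftype, stype in FILE_CONTEXTS:
        if ftype == "--" and is_dir:
            continue
        if re.fullmatch(regex, path):
            label = stype
    return label


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Pull the fields triage needs out of one audit.log AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; the policy keys on the type field.
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }


def summarize(lines):
    """Group denials by (comm, source type, target type, class) -> sorted perms."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: sorted(perms) for key, perms in groups.items()}


def diagnose(path, observed_type, wanted_type):
    """Compare a file's live label with the label the policy would assign it.

    Returns (policy_type, verdict). The case from the report is a path where
    neither the live label nor the policy label is the type the consuming
    domains (mysqld_t, logrotate_t) are allowed to use for log files.
    """
    policy_type = resolve_label(path)
    if observed_type == wanted_type:
        verdict = "label ok"
    elif policy_type == wanted_type:
        verdict = "mislabeled; restorecon fixes it"
    else:
        verdict = "no file-context rule yields %s; move the file or add a rule" % wanted_type
    return policy_type, verdict


# AVC records copied from the report, re-joined onto single lines.
REPORT_AVC = [
    'type=AVC msg=audit(1342590069.509:531): avc: denied { getattr } for pid=3493 comm="logrotate" path="/var/lib/mysqllogs/slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.528:532): avc: denied { open } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.528:532): avc: denied { read write } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.529:533): avc: denied { rename } for pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.530:534): avc: denied { create } for pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342590069.530:535): avc: denied { setattr } for pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" dev=dm-2 ino=1425 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file',
    'type=AVC msg=audit(1342595552.399:1165): avc: denied { open } for pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1342595552.399:1165): avc: denied { append } for pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file',
]

if __name__ == "__main__":
    for (comm, stype, ttype, tclass), perms in summarize(REPORT_AVC).items():
        print("%s (%s) -> %s %s: %s" % (comm, stype, ttype, tclass, " ".join(perms)))
    for p in ("/var/lib/mysqllogs/slow-log", "/var/log/mysqld-slow.log", "/var/log/mysql/slow-log"):
        print(p, "->", resolve_label(p))
    print("/var/log/mysql (dir) ->", resolve_label("/var/log/mysql", is_dir=True))
    print(diagnose("/var/lib/mysqllogs/slow-log", "mysqld_db_t", "mysqld_log_t"))
```

Running it reproduces the report's reasoning: logrotate_t is denied the whole rotate sequence (getattr, open, read, write, rename, create, setattr) on a mysqld_db_t file, mysqld_t is denied open and append on a var_lib_t file, the relabel of /var/lib/mysqllogs/slow-log lands on var_lib_t because only the generic /var/lib rule matches, and both proposed locations resolve to mysqld_log_t while a /var/log/mysql directory itself stays var_log_t because the mysqld_log_t rule is restricted to regular files.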