
ius-coredev team mailing list archive

[Bug 1026008] Re: mysql55: SELinux errors due to /var/lib/mysqllogs/slow-log


Hello Sergey,

Thank you for posting this bug regarding mysql55.

I've done a bit of research, and would like to add it to this report.

 * IUS does enable the slow-query-log by default, and places it in /var/lib/mysqllogs/:
   http://bazaar.launchpad.net/~ius-coredev/ius/mysql55/view/head:/SOURCES/my-55-terse.cnf#L92

 * Fedora does not assume the user wishes slow-query-log enabled and does not do so in their my.cnf:
   http://pkgs.fedoraproject.org/gitweb/?p=mysql.git;a=blob;f=my.cnf;h=692a4bbe82b99978b6a2c3b634ee8a2a6ebf871f;hb=HEAD

 * Fedora seems to create /var/log/mysqld.log in their SPEC:
    http://pkgs.fedoraproject.org/gitweb/?p=mysql.git;a=blob;f=mysql.spec;h=277d64918db8895b7801a6f388c2c757dc147f1f;hb=HEAD#l658

-- 
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/1026008

Title:
  mysql55: SELinux errors due to /var/lib/mysqllogs/slow-log

Status in IUS Community Project:
  New

Bug description:
  On CentOS 6.3 installing mysql55-5.5.25-1.ius.el6 results in
  subsequent SELinux errors when logrotate is run:

  type=AVC msg=audit(1342590069.509:531): avc:  denied  { getattr } for  pid=3493 comm="logrotate" path="/var/lib/mysqllogs/slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

  type=AVC msg=audit(1342590069.528:532): avc:  denied  { open } for  pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

  type=AVC msg=audit(1342590069.528:532): avc:  denied  { read write } for  pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

  type=AVC msg=audit(1342590069.529:533): avc:  denied  { rename } for  pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

  type=AVC msg=audit(1342590069.530:534): avc:  denied  { create } for  pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

  type=AVC msg=audit(1342590069.530:535): avc:  denied  { setattr } for  pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" dev=dm-2 ino=1425 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file

  (this was recorded with SELinux in permissive mode; in enforcing mode
  logrotate would fail on the first error).

  The problem is that the package tries to place the slow log file in a
  location which is not specified in the default SELinux policy for
  MySQL (/var/lib/mysqllogs/slow-log). The log file is then labeled as
  mysqld_db_t instead of mysqld_log_t, and the SELinux policy for
  logrotate prevents it from working with such files.

  Even worse, when /var/lib/mysqllogs/slow-log is relabeled for some
  reason (e.g., restorecon -Rv /var/lib/mysqllogs), this file is labeled
  as var_lib_t (again because there is no file context rule for it,
  therefore a general label for /var/lib is used), and then the mysqld
  process is unable to write to this file:

  type=AVC msg=audit(1342595552.399:1165): avc:  denied  { open } for  pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

  type=AVC msg=audit(1342595552.399:1165): avc:  denied  { append } for  pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

  In enforcing mode this breaks logging of slow queries:

  /usr/libexec/mysqld: File '/var/lib/mysqllogs/slow-log' not found (Errcode: 13)
  120718 11:16:43 [ERROR] Could not use /var/lib/mysqllogs/slow-log for logging (error 13). Turning logging off for the whole duration of the MySQL server process. To turn it on again: fix the cause, shutdown the MySQL server and restart it.

  To fix this problem, you could move the slow query log file to a
  location which is compatible with the default SELinux policy — e.g.,
  to /var/log/mysqld-slow.log. The policy has the following file context
  rule:

  /var/log/mysql.*        --      gen_context(system_u:object_r:mysqld_log_t,s0)

  This means that any regular file in /var/lib with name starting with
  "mysql" will be labeled as a MySQL log file; then both mysqld and
  logrotate will be able to work with the log file properly. The file
  will also need to be precreated by the package like
  /var/log/mysqld.log, because the mysqld process will not have
  permissions to create the file itself.

  Another option is to create the /var/log/mysql directory in the
  package instead of /var/lib/mysqllogs, and specify slow-query-log-file
  = /var/log/mysql/slow-log; the directory will still get the generic
  var_log_t label, but the actual log files will be labeled as
  mysqld_log_t. In this case even log file creation by the mysqld
  process will work properly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/1026008/+subscriptions
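The following script is an added example and is not part of the bug report, the IUS package, or the Fedora policy. Its first half condenses AVC records of the kind quoted above into one line per (process, source type, target type) with the set of denied permissions, which makes the two mislabelings (logrotate_t versus mysqld_db_t, then mysqld_t versus var_lib_t) stand out in a long audit.log. The sample records are the ones from the report, joined onto one line each. Its second half is an assumption of mine that the report does not propose: instead of moving the file, keep /var/lib/mysqllogs and add a local file-context rule with semanage so that everything under it is labelled mysqld_log_t. The function name slowlog_label_fix and the default directory are my choices; the function needs root and the semanage tool (policycoreutils-python on EL6) and is not exercised by the offline part.

```shell
#!/bin/sh
# Added example, not code from the bug report or the IUS package.
# Part 1: summarise AVC denials into "<comm> <source type> <target type>: <perms>".
# Part 2: a local file-context override (an alternative the report does not
# propose) so the IUS slow-log path is labelled mysqld_log_t.

# Sample records: copied from the report above, one record per line.
SAMPLE_AVC='type=AVC msg=audit(1342590069.509:531): avc:  denied  { getattr } for  pid=3493 comm="logrotate" path="/var/lib/mysqllogs/slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.528:532): avc:  denied  { open } for  pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.528:532): avc:  denied  { read write } for  pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.529:533): avc:  denied  { rename } for  pid=3493 comm="logrotate" name="slow-log" dev=dm-2 ino=1204 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.530:534): avc:  denied  { create } for  pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342590069.530:535): avc:  denied  { setattr } for  pid=3493 comm="logrotate" name="logrotate_temp.p1vdKk" dev=dm-2 ino=1425 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1342595552.399:1165): avc:  denied  { open } for  pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1342595552.399:1165): avc:  denied  { append } for  pid=6493 comm="mysqld" name="slow-log" dev=dm-2 ino=1425 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file'

# avc_summary: read AVC records on stdin, print one line per
# (comm, source type, target type) with sorted, de-duplicated permissions.
avc_summary() {
    awk '
    /^type=AVC/ && / denied / {
        perms = ""; comm = "?"; st = "?"; tt = "?"
        # permissions sit between the braces: { read write }
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="|"$/, "", comm) }
            # third colon-separated element of a context is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print comm, st, tt, p[j]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2 " " $3
        if (key != last) {
            if (last != "") print last ":" acc
            last = key; acc = ""
        }
        acc = acc " " $4
    }
    END { if (last != "") print last ":" acc }'
}

# slowlog_label_fix (assumed helper, not from the report): keep the IUS path
# but tell the local policy to label it as a MySQL log. Both mysqld_t and
# logrotate_t may manage mysqld_log_t files. Needs root and semanage.
slowlog_label_fix() {
    dir=${1:-/var/lib/mysqllogs}
    semanage fcontext -a -t mysqld_log_t "${dir}(/.*)?" || return 1
    restorecon -Rv "$dir" || return 1
    # Check that policy and the on-disk label now agree: both should show mysqld_log_t.
    matchpathcon "$dir/slow-log"
    ls -Z "$dir"
}

# Offline demonstration over the report's records.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On the report's records the summary prints two lines: logrotate_t denied create/getattr/open/read/rename/setattr/write on mysqld_db_t, and mysqld_t denied append/open on var_lib_t. If a local rule for the same pattern already exists, `semanage fcontext -a` refuses it; use `-m` to modify the rule instead. After relabeling, a second `restorecon -Rv` must leave the directory alone, which is the check that the relabel-to-var_lib_t problem described in the report no longer applies.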

