I'm building a log analysis server that's running a big MySQL database.
Logs are imported in the database and then are processed for statistical
analysis and stuff like that. The system is running CentOS5 64bit
(almost identical to RHEL 5).
I'm keeping the database on a separate RAID array, for obvious reasons.
So I mounted that array as /db and then moved the MySQL datadir via
/etc/my.cnf:
datadir=/db/mysql
tmpdir=/db/tmp/
basedir=/db
I made sure to move /var/lib/mysql to /db/mysql in such a way as to
preserve all the attributes, including SELinux.
But, of course, MySQL fails to run:
type=AVC msg=audit(1177025497.442:254): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1177025497.442:254): arch=c000003e syscall=87 success=no exit=-13 a0=7fff6ee35150 a1=0 a2=0 a3=3 items=0 ppid=7417 pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:255): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1177025497.442:255): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6ee35350 a1=42 a2=1b6 a3=3 items=0 ppid=7417 pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:256): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Now, I can definitely customize the policy, I guess the first rule would
be like this and I'll keep tweaking it until it works:
allow mysqld_t file_t:dir search;
But this seems like a hack. I mean, moving the datadir to a different
location is probably something that MySQL admins do all the time when
building big servers (or maybe even not that big).
I wish there were a SELinux variable, or a place where I can tell SELinux
that the datadir has moved, that XYZ is the new location, and just let
me use it (provided that the SELinux attributes are OK within the MySQL
datadir per se).
Same thing happens with many servers when moving their default data
locations. Examples that I had issues with: Cyrus-IMAPd, Squid.
Sure, one can customize the policy the "normal", step-by-step way, but
that doesn't seem the right thing.
I'm strictly speaking from the sysadmin's perspective. It just looks
like a natural thing to be able to customize SELinux via a simple
variable or something, and make it "aware" (sort of) that, hey, I only
moved the data dir to a new location, stop panicking about that.
Thanks,
--
Florin Andrei
http://florin.myip.org/
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
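An added triage script, not part of the original message or of any Fedora/SELinux tool, that parses the AVC records quoted above and separates "the policy lacks a rule" from "the object was never labelled". The sample input is the post's own audit records re-joined one per line. Note what the records actually say: the denied object is name="/" on dev=sdb1, inode 2, i.e. the root directory of the new filesystem mounted at /db, and its type is file_t, the type a file gets when it carries no SELinux label at all. So the moved datadir may be labelled correctly while the mount point above it is not, and the generated `allow mysqld_t file_t:dir search;` rule would let mysqld into every unlabelled object on the system. The recommendation text the script emits (add a file-context rule with `semanage fcontext -a -t <type> '<path regex>'`, then `restorecon -R`) is the usual relabelling approach and is my assumption about what applies here, not something the post confirms:

```python
import re
from collections import Counter

# Constructed sample input: the audit records quoted in the post, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1177025497.442:254): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1177025497.442:254): arch=c000003e syscall=87 success=no exit=-13 a0=7fff6ee35150 a1=0 a2=0 a3=3 items=0 ppid=7417 pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:255): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1177025497.442:255): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6ee35350 a1=42 a2=1b6 a3=3 items=0 ppid=7417 pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:256): avc: denied { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

# Target types that mean "no real label": the path or filesystem was never
# labelled, rather than labelled with a type the policy does not expect.
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "dev": kv.get("dev"),
        "ino": kv.get("ino"),
        "tclass": kv.get("tclass"),
        # A context is user:role:type[:range]; the type is what the policy checks.
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
    }


def summarize_denials(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def denied_objects(log_text):
    """Which concrete objects were denied: (dev, name, inode, target type)."""
    objs = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            objs.add((rec["dev"], rec["name"], rec["ino"], rec["ttype"]))
    return sorted(objs)


def allow_rule(key):
    """The audit2allow-style rule for a denial key (the 'hack' from the post)."""
    stype, ttype, tclass, perm = key
    return f"allow {stype} {ttype}:{tclass} {perm};"


def diagnose(key):
    """Labelling problem or policy gap? Unlabelled targets should be relabelled."""
    stype, ttype, tclass, perm = key
    if ttype in UNLABELLED_TYPES:
        return (f"{stype} denied '{perm}' on a {tclass} of type {ttype}: the object has no "
                f"real label. Relabel the new path (semanage fcontext -a -t <expected type> "
                f"'<path regex>' then restorecon -R) instead of allowing {stype} into {ttype}.")
    return (f"{stype} denied '{perm}' on a {tclass} of type {ttype}: check which type the "
            f"policy expects at that path before writing a local rule.")


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x  {allow_rule(key)}")
        print("    " + diagnose(key))
    for dev, name, ino, ttype in denied_objects(SAMPLE_AUDIT_LOG):
        print(f"    object: dev={dev} name={name} ino={ino} type={ttype}")
```

Run it against `/var/log/audit/audit.log` instead of the sample by reading the file into `summarize_denials`; the `denied_objects` output is the part worth reading first, because dev/name/inode tell you which directory is unlabelled, and in the post's case that is the filesystem root of the array, not the datadir that was carefully moved.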