Hi, I'm trying to move the MySQL data directory to /home/mysql like I have done with every other install I have done before but the difference is this time I am trying to have SELinux active instead of turning it off. I seem to need some help in a) Understanding what the selinux failure messages are saying; and b) How to correct the issue I've read the selinux docs and all I got was a headache *sigh* Now normally I just move /var/lib/mysql to /home/mysql and symlink it. SELinux complains with Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file Ok, I guess it doesnt like following symlinks so instead I edited /etc/my.cnf to [mysqld] datadir=/home/mysql socket=/home/mysql/mysql.sock # Default to using old password format for compatibility with mysql 3.x # clients (those using the mysqlclient10 compatibility package). old_passwords=1 [mysql.server] user=mysql basedir=/home Now SELinux complains with Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t tclass=dir WHY is mysqld trying to read / when I told it to use /home/mysql ? BTW, here is the security contexts on /home/mysql # ls -laZ /home/ drwxr-xr-x mysql mysql system_u:object_r:mysqld_db_t mysql Can anyone please shed some light on this for me? What exactly is the avc message telling me and how do I fix it? -- Regards, Peter Kiem Zordah IT - IT Consultancy and Internet Services Ph: (0414) 724-766 Fax: (07) 3344-5827 Web: www.zordah.net Email: zordah at zordah.net
On Tue, 2006-10-10 at 22:33 +1000, Peter Kiem wrote:> Hi, > > I'm trying to move the MySQL data directory to /home/mysql like I have > done with every other install I have done before but the difference is > this time I am trying to have SELinux active instead of turning it off. > > I seem to need some help in > a) Understanding what the selinux failure messages are saying; and > b) How to correct the issue > > I've read the selinux docs and all I got was a headache *sigh* > > Now normally I just move /var/lib/mysql to /home/mysql and symlink it. > SELinux complains with > Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied > { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 > scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t > tclass=lnk_file > > Ok, I guess it doesnt like following symlinks so instead I edited > /etc/my.cnf to > [mysqld] > datadir=/home/mysql > socket=/home/mysql/mysql.sock > # Default to using old password format for compatibility with mysql 3.x > # clients (those using the mysqlclient10 compatibility package). > old_passwords=1 > > [mysql.server] > user=mysql > basedir=/home > > > Now SELinux complains with > Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied > { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 > scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t > tclass=dir > > WHY is mysqld trying to read / when I told it to use /home/mysql ? > > BTW, here is the security contexts on /home/mysql > # ls -laZ /home/ > drwxr-xr-x mysql mysql system_u:object_r:mysqld_db_t mysql > > > Can anyone please shed some light on this for me? > > What exactly is the avc message telling me and how do I fix it?---- probably easier to use a 'bind' mount of /home/mysql at /var/lib/mysql and then it will inherit the contexts of /var/lib/mysql Craig
> Now normally I just move /var/lib/mysql to /home/mysql and symlink it.Um... why? This seems like it would be more trouble than it's worth. and with the symlink, I don't see the benefit.> SELinux complains with > Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied > { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 > scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t > tclass=lnk_fileCorrect. It has permission to access the directory where your symlink is, but it cannot follow it.> Ok, I guess it doesnt like following symlinks so instead I edited /etc/my.cnfThis is really how you should move the data directory anyway. Faking it as you were doing works, but it's not 'proper'.> Now SELinux complains with > Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied > { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 > scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t > tclass=dirCorrect, because now mysql doesn't have the proper context to be in /home/ poking around.> WHY is mysqld trying to read / when I told it to use /home/mysql ?Because you have to get to / before you can get to /home/ and /home/mysql.. Directory traversal vulnerabilities are quite commonplace, which is why you see all the $DOCUMENT_ROOT/../../../etc/somedir/ type attempts in logs occasionally for things like apache.> BTW, here is the security contexts on /home/mysql > # ls -laZ /home/ > drwxr-xr-x mysql mysql system_u:object_r:mysqld_db_t mysqlI'm still questioning the logic for moving mysql.> Can anyone please shed some light on this for me? > > What exactly is the avc message telling me and how do I fix it? >-- During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell
Reasonably Related Threads
- chcon failed to change context Permission denied
- NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
- NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
- Unable to apply mysqld_db_t to mysql directory
- Unable to apply mysqld_db_t to mysql directory