MySQL custom datadir location - other daemons too

Florin Andrei florin at andrei.myip.org
Fri Apr 20 17:36:33 UTC 2007


I'm building a log analysis server that's running a big MySQL database. 
Logs are imported in the database and then are processed for statistical 
analysis and stuff like that. The system is running CentOS5 64bit 
(almost identical to RHEL 5).
I'm keeping the database on a separate RAID array, for obvious reasons. 
So I mounted that array as /db and then moved the MySQL datadir via 
/etc/my.cnf:

datadir=/db/mysql
tmpdir=/db/tmp/
basedir=/db

I made sure to move /var/lib/mysql to /db/mysql in such a way as to 
preserve all the attributes, including SELinux.
But, of course, MySQL fails to run:

type=AVC msg=audit(1177025497.442:254): avc:  denied  { search } for 
pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 
scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 
tclass=dir
type=SYSCALL msg=audit(1177025497.442:254): arch=c000003e syscall=87 
success=no exit=-13 a0=7fff6ee35150 a1=0 a2=0 a3=3 items=0 ppid=7417 
pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" 
subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:255): avc:  denied  { search } for 
pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 
scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 
tclass=dir
type=SYSCALL msg=audit(1177025497.442:255): arch=c000003e syscall=2 
success=no exit=-13 a0=7fff6ee35350 a1=42 a2=1b6 a3=3 items=0 ppid=7417 
pid=7453 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) comm="mysqld" exe="/usr/libexec/mysqld" 
subj=root:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1177025497.442:256): avc:  denied  { search } for 
pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 
scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 
tclass=dir

Now, I can definitely customize the policy, I guess the first rule would 
be like this and I'll keep tweaking it until it works:

allow mysqld_t file_t:dir search;

But this seems like a hack. I mean, moving the datadir to a different 
location is probably something that MySQL admins do all the time when 
building big servers (or maybe even not that big).

I wish there was a SELinux variable, or a place where I can tell SELinux 
that the datadir has moved, that XYZ is the new location, and just let 
me use it (provided that the SELinux attributes are OK within the MySQL 
datadir per se).

Same thing happens with many servers when moving their default data 
locations. Examples that I had issues with: Cyrus-IMAPd, Squid.
Sure, one can customize the policy the "normal", step-by-step way, but 
that doesn't seem the right thing.

I'm strictly speaking from the sysadmin's perspective. It just looks 
like a natural thing to be able to customize SELinux via a simple 
variable or something, and make it "aware" (sort of) that, hey, I only 
moved the data dir to a new location, stop panicking about that.

Thanks,

-- 
Florin Andrei

http://florin.myip.org/
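The denials quoted above all have tcontext type file_t on name="/" dev=sdb1 ino=2, i.e. the root of the newly mounted array (the /db mount point) carries no policy label at all, so this is a labeling problem rather than a gap in the mysql policy, and the usual answer is a persistent file-context rule plus a relabel, not a custom allow rule. The script below is an added example, not part of the original post or of any SELinux tool; it assumes the paths from the post, that mysqld_db_t is the type the stock policy assigns to /var/lib/mysql, and that semanage/restorecon from policycoreutils are on the host.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies an AVC record and
# prints the relabeling commands for a relocated MySQL datadir.

# Constructed sample, same shape as the first AVC record in the post.
SAMPLE_AVC='type=AVC msg=audit(1177025497.442:254): avc:  denied  { search } for pid=7453 comm="mysqld" name="/" dev=sdb1 ino=2 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# Return the type field (third component) of tcontext= from one AVC record.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# A target of file_t or unlabeled_t means the object has no policy label.
# The fix is to label it; an "allow mysqld_t file_t:dir search;" rule would
# instead let mysqld into every unlabeled directory on the system.
is_labeling_problem() {
    case "$(avc_target_type "$1")" in
        file_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Persistent relabeling for a datadir moved under $1 (the mount point from
# the post). The mount point itself must be labeled too, since that is the
# directory the denial names ("/" on dev=sdb1). mysqld_db_t is assumed to be
# the type /var/lib/mysql carries in the stock policy.
relabel_commands() {
    dir=$1
    printf 'semanage fcontext -a -t mysqld_db_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
    printf 'ls -dZ "%s" "%s/mysql"\n' "$dir" "$dir"   # verify the labels
}

# Stand-alone run: triage the sample and show what to type for /db.
if is_labeling_problem "$SAMPLE_AVC"; then
    echo "target type $(avc_target_type "$SAMPLE_AVC"): relabel, do not add policy"
    relabel_commands /db
fi
```

The third printed command shows the resulting contexts; the datadir tree the author copied already carries its own labels, so only the previously unlabeled mount point and any new directories change.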
