Symptoms

After moving /var/lib/mysql to /home/mysql and creating a symbolic link with ln -s /home/mysql /var/lib/mysql, the following errors occurred:

type=AVC msg=audit(1382344900.461:183333): avc: denied { read } for pid=27573 comm="touch" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by: Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1382344900.462:183335): avc: denied { read } for pid=27574 comm="chown" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1382344900.463:183337): avc: denied { read } for pid=27575 comm="chmod" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1382344900.464:183339): avc: denied { read } for pid=27270 comm="mysqld_safe" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

Fix

  1. Look up the related rules

    sesearch --allow -s mysqld_safe_t | grep mysqld_db_t
       allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
       allow mysqld_safe_t mysqld_db_t : lnk_file { read getattr } ;
       allow mysqld_safe_t mysqld_db_t : sock_file { getattr unlink } ;
  2. You can allow mysqld_safe_t to read lnk_files with type mysqld_db_t:
  3. Add a rule so that mysql can read the symbolic link

    1. Handle it with audit2allow

      echo "type=AVC msg=audit(1382344900.464:183339): avc: denied { read } for pid=27270 comm="mysqld_safe" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file"|audit2allow -M my_mysqldsafe

      ******************** IMPORTANT ***********************
      To make this policy package active, execute:
      semodule -i my_mysqldsafe.pp
    2. semodule -i my_mysqldsafe.pp
  4. Even after doing the above the error still occurred; on checking, the context of /home was as follows

    ls -ldZ /home/
    drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home/
  5. Add a rule so that mysqld_safe_t can read home_root_t
    1. vi mysql_home_root_t.te

      module mysql_home_root_t 1.0;
      require {
              type mysqld_safe_t;
              type home_root_t;
              class dir { open read getattr };
      }
      #============= mysqld_safe_t ==============
      allow mysqld_safe_t home_root_t : dir { read open getattr } ;
    2. Compile the module
      1. checkmodule -M -m -o mysql_home_root_t.mod mysql_home_root_t.te 
    3. Create the package
      1. semodule_package -o mysql_home_root_t.pp -m mysql_home_root_t.mod
    4. Load the module into the kernel
      1. semodule -i mysql_home_root_t.pp
    5. After service mysql restart, the log had changed to the following

      type=AVC msg=audit(1382425111.686:477133): avc:  denied  { read } for  pid=2462 comm="mysqld" name="mysql" dev=dm-0 ino=1966475 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
      Was caused by:
              Missing type enforcement (TE) allow rule.
              You can use audit2allow to generate a loadable module to allow this access.
    6. Add a rule with audit2allow

      # echo type=AVC msg=audit\(1382425111.686:477133\): avc:  denied  { read } for  pid=2462 comm="mysqld" name="mysql" dev=dm-0 ino=1966475 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file | audit2allow -M mysqld_polocy

    7. semodule -i mysqld_polocy.pp

  6. Verify that the service starts normally with service mysql restart
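The steps above feed raw AVC lines into audit2allow and load whatever it produces. The following script is an added example, not code from the original page: it reconstructs from each denial the allow rule that audit2allow would emit, so the rule can be read before semodule -i loads it, and it cross-checks the rule against sesearch-style output to see whether the domain already has that permission on another target type. The constructed samples reuse the denial lines and the step 1 sesearch output quoted on this page; the script assumes only POSIX sh, sed, grep, awk and cut and does not touch the running policy.

```shell
#!/bin/sh
# Added example (not from the original page): turn AVC denial lines into the
# type-enforcement rule audit2allow would generate, and check whether the
# source domain already holds that permission on some other target type.
# Assumes only POSIX sh, sed, grep, awk and cut; nothing here loads policy.

# Constructed sample input: two of the denial lines quoted on the page.
AVC_SAMPLE='type=AVC msg=audit(1382344900.461:183333): avc: denied { read } for pid=27573 comm="touch" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1382425111.686:477133): avc:  denied  { read } for  pid=2462 comm="mysqld" name="mysql" dev=dm-0 ino=1966475 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file'

# Constructed sample: the sesearch --allow output shown in step 1 of the page.
SESEARCH_SAMPLE='allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow mysqld_safe_t mysqld_db_t : lnk_file { read getattr } ;
allow mysqld_safe_t mysqld_db_t : sock_file { getattr unlink } ;'

# ctx_type CONTEXT -> the type field of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE -> "allow SRC_TYPE TGT_TYPE:CLASS { PERMS };"
# Returns 1 when the line is not a parsable AVC denial.
avc_to_rule() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//')
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$(ctx_type "$src")" "$(ctx_type "$tgt")" "$cls" "$perms"
}

# avc_rules_from_log: AVC lines on stdin -> deduplicated rules on stdout
avc_rules_from_log() {
    grep 'avc: *denied' | while IFS= read -r line; do
        avc_to_rule "$line"
    done | sort -u
}

# covered_types SRC_TYPE CLASS PERM: sesearch --allow output on stdin ->
# target types on which SRC_TYPE already has PERM for CLASS, one per line.
covered_types() {
    grep "^allow $1 " | grep " : $2 " | grep " $3 " | awk '{print $3}'
}

# Stand-alone run (sh script.sh --demo): print the rule each denial calls for,
# and flag it when the domain already has that access on a different type,
# which suggests the path is mislabelled rather than the policy incomplete.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$AVC_SAMPLE" | avc_rules_from_log | while IFS= read -r rule; do
        echo "$rule"
        set -- $rule                      # allow SRC TGT:CLASS { PERMS };
        src=$2; cls=${3#*:}; perm=$5      # $5 is the first permission listed
        existing=$(printf '%s\n' "$SESEARCH_SAMPLE" | covered_types "$src" "$cls" "$perm")
        [ -n "$existing" ] && echo "  note: $src already has $perm on $cls of type $existing; check the label on the path before loading a new rule"
    done
fi
```

For the first denial the script prints allow mysqld_safe_t var_lib_t:lnk_file { read }; together with the note that mysqld_safe_t already has lnk_file read on mysqld_db_t, the type shown in step 1 for the server's own data. Reading the rule this way makes clear what the audit2allow module grants: read access to every var_lib_t symlink, not just the one under /var/lib/mysql.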