mysql 의 data directory 변경 및 symbolic link 후 mysql 구동 에러
증상
/var/lib/mysql 을 /home/mysql 로 이동 및 ln -s /home/mysql /var/lib/mysql 로 symbolic link 후 다음 에러 발생
type=AVC msg=audit(1382344900.461:183333): avc: denied { read } for pid=27573 comm="touch" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1382344900.462:183335): avc: denied { read } for pid=27574 comm="chown" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1382344900.463:183337): avc: denied { read } for pid=27575 comm="chmod" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1382344900.464:183339): avc: denied { read } for pid=27270 comm="mysqld_safe" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
조치
관련 rule 조회
sesearch --allow -s mysqld_safe_t | grep mysqld_db_t allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ; allow mysqld_safe_t mysqld_db_t : lnk_file { read getattr } ; allow mysqld_safe_t mysqld_db_t : sock_file { getattr unlink } ;
BASH- You can allow mysqld_safe_t to read lnk_files with type mysqld_db_t:
mysql 이 symbolic link 를 읽을수 있게 rule 추가
audit2alow 로 처리
echo "type=AVC msg=audit(1382344900.464:183339): avc: denied { read } for pid=27270 comm="mysqld_safe" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file"|audit2allow -M my_mysqldsafe ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i my_mysqldsafe.pp
CODEsemodule -i my_mysqldsafe.pp
위와 같이 해도 에러가 발생하여 확인해 보니 /home의 context 가 다음과 같음
ls -ldZ /home/ drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home/
CODE- mysql_safe_t 가 home_root_t 를 읽을수 있게 rule 추가
vi mysql_home_root_t.te
module mysql_home_root_t 1.0; require { type mysqld_safe_t; type home_root_t; class dir {open read getattr }; } #============= mysqld_safe_t ============== allow mysqld_safe_t home_root_t : dir { read open getattr } ;
CODE- Compile the module
- checkmodule -M -m -o mysql_home_root_t.mod mysql_home_root_t.te
- Create the package
- semodule_package -o mysql_home_root_t.pp -m mysql_home_root_t.mod
- Load the module into the kernel
- semodule -i mysql_home_root_t.pp
service mysql restart 했더니 log 가 다음 내용으로 변경되어 있음
type=AVC msg=audit(1382425111.686:477133): avc: denied { read } for pid=2462 comm="mysqld" name="mysql" dev=dm-0 ino=1966475 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.
CODEaudit2allow 로 rule 추가
# echo type=AVC msg=audit\(1382425111.686:477133\): avc: denied { read } for pid=2462 comm="mysqld" name="mysql" dev=dm-0 ino=1966475 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file | audit2allow -M mysqld_polocy
CODEsemodule -i mysqld_polocy.pp
- service mysql restart 로 정상구동 여부 확인
Ref
- https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-MySQL-Configuration_Examples.html
- https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
- https://blogs.oracle.com/jsmyth/entry/selinux_and_mysql
- http://forums.mysql.com/read.php?10,520100,520469
- http://www.redhat.com/archives/fedora-selinux-list/2010-January/msg00038.html
- https://blogs.oracle.com/jsmyth/entry/selinux_and_mysql