CentOS 6.4(x64) / MySQL 5.6.10

Installed MySQL from source files and started it fine under its original location (/var/lib/mysql). I moved everything to a different volume (/u0/mysql) and went through a few rounds of exempting it from SELinux (cat /var/log/audit/audit.log | audit2allow -M mysql-* followed by semodule -i mysql-*.pp). After every round of this I try to restart the service and see this error:

Starting MySQL..The server quit without updating PID file (/u0/mysql/server.pid).
 [FAILED]

After 3-4 rounds of adding exemptions I noticed that the files weren't changing anymore, i.e. everything that could be added this way had already been added. Out of curiosity I ran audit2why -a and got a slew of:

type=AVC msg=audit(1387207317.009:666): avc:  <some permission> for  pid=20640 
  comm="mysqld" dev=sdc1 ino=36831373 scontext=unconfined_u:system_r:mysqld_t:s0 
  tcontext=system_u:object_r:default_t:s0 tclass=file
 Was caused by:
     Unknown - would be allowed by active policy
     Possible mismatch between this policy and the one under which the audit message was generated.
     Possible mismatch between current in-memory boolean settings vs. permanent ones.

This leads me to believe that it should be working. If I disable SELinux (setenforce 0), mysql will start just fine, so it (SELinux) is still getting in the way.

Searching through SF turned this up; I have tried it with no change in outcome.

SO: how do I find out where the blockage is?

EDIT:

[root@server u0]# ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 /var/lib/mysql

[root@server u0]# ls -ldZ /u0/mysql
drwxr-xr-x. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 /u0/mysql
ethrbunny

2 Answers

You need to change the security context of the new directory to be the same as /var/lib/mysql.

For instance:

ls -ldZ /var/lib/mysql/
drwxr-x--x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql/

Then change the new directory to the same settings with chcon:

chcon -R -u system_u -r object_r -t mysqld_db_t /u0/mysql
Manuel Sousa
  • Just did this. No change in outcome. – ethrbunny Dec 17 '13 at 14:16
  • What's the output of ls -ldZ /var/lib/mysql and /u0/mysql? – Manuel Sousa Dec 17 '13 at 14:19
  • Try to reload the policy (`semodule -R`) and then run audit2why for everything since the last reload (`audit2why -l`) to see if anything shows. – Manuel Sousa Dec 17 '13 at 14:27
  • No change. `audit2why -l` has no output. – ethrbunny Dec 17 '13 at 14:34
  • What's in the mysql error log? You can try to enable logging of the dontaudit rules with semodule: `semodule -B -D`. There should be a lot more things in the audit log; see if anything relates. – Manuel Sousa Dec 17 '13 at 14:39
  • There isn't just a single mysql context to consider. Log files, configuration files and so on have their own contexts. Take a look at the output of "semanage fcontext --list | grep mysql" – stoned Dec 17 '13 at 14:52
  • Using `semodule -B -D` seems to have kicked something loose again. Now I'm able to use `audit2allow` to create exemptions again. This seems to be working. TY. – ethrbunny Dec 17 '13 at 14:58
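As an added example (not code from the question or from either answer), the following POSIX shell script does the check this answer and its comment thread turn on: whether the relocated directory carries the same SELinux context as /var/lib/mysql. It parses the lines `ls -ldZ` prints, picks out the user:role:type:level context, and names the fields that differ. The two sample lines are constructed from values shown on the page (the answer's /var/lib/mysql listing and the `default_t` tcontext from the question's audit messages); the `semanage fcontext` / `restorecon` commands in the comments are the persistent alternative to `chcon` and are not from the page.

```shell
#!/bin/sh
# Added example (not part of the original question or answers): compare the
# SELinux context of a reference directory with that of a relocated one, using
# the lines `ls -ldZ` prints, and report which context field differs.
# The two sample lines below are constructed from the values shown on the
# page; on a real host you would pass the output of
#   ls -ldZ /var/lib/mysql    and    ls -ldZ /u0/mysql
# to context_diff instead.

# Pick the security-context column out of one `ls -ldZ` line: it is the
# field of the form user:role:type[:level].
context_of() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+/) { print $i; exit } }'
}

# Return one field of a context: 1=user, 2=role, 3=type, 4=level.
# The level may itself contain colons (e.g. s0-s0:c0.c1023), so field 4
# takes everything from the fourth colon onward.
ctx_field() {
    if [ "$2" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$2"
    fi
}

# Compare the contexts in two `ls -ldZ` lines. Prints "same" and returns 0
# when they match; otherwise prints the comma-separated names of the fields
# that differ (e.g. "user,type") and returns 1.
context_diff() {
    ref=$(context_of "$1")
    new=$(context_of "$2")
    diffs=""
    for i in 1 2 3 4; do
        a=$(ctx_field "$ref" "$i")
        b=$(ctx_field "$new" "$i")
        if [ "$a" != "$b" ]; then
            case $i in
                1) name=user ;; 2) name=role ;; 3) name=type ;; 4) name=level ;;
            esac
            diffs="$diffs${diffs:+,}$name"
        fi
    done
    if [ -z "$diffs" ]; then
        echo same
        return 0
    fi
    echo "$diffs"
    return 1
}

# Constructed sample input: the reference directory as shown in the answer,
# and a relocated directory that still carries the generic default_t label
# (the tcontext seen in the question's audit messages).
REF_LINE='drwxr-x--x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql/'
NEW_LINE='drwxr-xr-x. mysql mysql unconfined_u:object_r:default_t:s0 /u0/mysql'

# Demo: report what would need relabelling. chcon (as in the answer) changes
# the live label only; to make the label survive a relabel (restorecon,
# touch /.autorelabel) you would also record the rule, e.g.
#   semanage fcontext -a -t mysqld_db_t "/u0/mysql(/.*)?" && restorecon -Rv /u0/mysql
if result=$(context_diff "$REF_LINE" "$NEW_LINE"); then
    echo "contexts match ($result)"
else
    echo "context differs in: $result (reference type: $(ctx_field "$(context_of "$REF_LINE")" 3))"
fi
```

Two things worth knowing when reading the output: in the targeted policy, file access decisions are made on the type field, so a user field of `unconfined_u` on one directory and `system_u` on the other (as in the question's edit versus the answer's listing) does not by itself produce a denial, whereas a type of `default_t` does. And when the directory contexts already match but the service still fails, the denial is usually one the policy marks dontaudit, which is why it only became visible after `semodule -B -D` in the comment above; the log, config and PID file paths carry their own types, as the `semanage fcontext --list | grep mysql` suggestion points out.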
You can also try something like this:

chcon --reference=/path/to/existing/file /path/to/new/file

BTW, here is a great intro to SELinux: http://www.youtube.com/watch?v=MxjenQ31b70 from the Red Hat 2012 Summit. Also, look in your log files for error messages in /var/log/audit/audit.log or /var/log/messages.

KM.