Hi,
I'm trying to move the MySQL data directory to /home/mysql like I have done with every other install I have done before but the difference is this time I am trying to have SELinux active instead of turning it off.
I seem to need some help in a) Understanding what the selinux failure messages are saying; and b) How to correct the issue
I've read the selinux docs and all I got was a headache *sigh*
Now normally I just move /var/lib/mysql to /home/mysql and symlink it. SELinux complains with
Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file
Ok, I guess it doesn't like following symlinks so instead I edited /etc/my.cnf to
[mysqld]
datadir=/home/mysql
socket=/home/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
[mysql.server]
user=mysql
basedir=/home
Now SELinux complains with
Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t tclass=dir
WHY is mysqld trying to read / when I told it to use /home/mysql ?
BTW, here are the security contexts on /home/mysql
# ls -laZ /home/
drwxr-xr-x mysql mysql system_u:object_r:mysqld_db_t mysql
Can anyone please shed some light on this for me?
What exactly is the avc message telling me and how do I fix it?
On Tue, 2006-10-10 at 22:33 +1000, Peter Kiem wrote:
Hi,
I'm trying to move the MySQL data directory to /home/mysql like I have done with every other install I have done before but the difference is this time I am trying to have SELinux active instead of turning it off.
I seem to need some help in a) Understanding what the selinux failure messages are saying; and b) How to correct the issue
I've read the selinux docs and all I got was a headache *sigh*
Now normally I just move /var/lib/mysql to /home/mysql and symlink it. SELinux complains with
Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file
Ok, I guess it doesn't like following symlinks so instead I edited /etc/my.cnf to
[mysqld]
datadir=/home/mysql
socket=/home/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
[mysql.server]
user=mysql
basedir=/home
Now SELinux complains with
Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t tclass=dir
WHY is mysqld trying to read / when I told it to use /home/mysql ?
BTW, here are the security contexts on /home/mysql
# ls -laZ /home/
drwxr-xr-x mysql mysql system_u:object_r:mysqld_db_t mysql
Can anyone please shed some light on this for me?
What exactly is the avc message telling me and how do I fix it?
---- probably easier to use a 'bind' mount of /home/mysql at /var/lib/mysql and then it will inherit the contexts of /var/lib/mysql
Craig
Hi Craig,
---- probably easier to use a 'bind' mount of /home/mysql at /var/lib/mysql and then it will inherit the contexts of /var/lib/mysql
Hmmm, haven't come across 'bind' mounts before. What do you mean?
On Tue, 2006-10-10 at 22:55 +1000, Peter Kiem wrote:
Hi Craig,
---- probably easier to use a 'bind' mount of /home/mysql at /var/lib/mysql and then it will inherit the contexts of /var/lib/mysql
Hmmm, haven't come across 'bind' mounts before. What do you mean?
---- man mount # will explain the 'bind' option
http://www.redhat.com/archives/fedora-list/2006-May/msg04932.html
Craig
Now normally I just move /var/lib/mysql to /home/mysql and symlink it.
Um... why? This seems like it would be more trouble than it's worth. And with the symlink, I don't see the benefit.
SELinux complains with
Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file
Correct. It has permission to access the directory where your symlink is, but it cannot follow it.
Ok, I guess it doesn't like following symlinks so instead I edited /etc/my.cnf
This is really how you should move the data directory anyway. Faking it as you were doing works, but it's not 'proper'.
Now SELinux complains with
Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t tclass=dir
Correct, because now mysql doesn't have the proper context to be in /home/ poking around.
WHY is mysqld trying to read / when I told it to use /home/mysql ?
Because you have to get to / before you can get to /home/ and /home/mysql. Directory traversal vulnerabilities are quite commonplace, which is why you see all the $DOCUMENT_ROOT/../../../etc/somedir/ type attempts in logs occasionally for things like apache.
BTW, here are the security contexts on /home/mysql
# ls -laZ /home/
drwxr-xr-x mysql mysql system_u:object_r:mysqld_db_t mysql
I'm still questioning the logic for moving mysql.
Can anyone please shed some light on this for me?
What exactly is the avc message telling me and how do I fix it?
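Jim's reading of the two denials above can be checked mechanically. The script below is an added example (not from anyone in this thread): it pulls the fields that matter out of an "avc: denied" line, which process domain (scontext type) was refused which permission on which object class and label (tcontext type), and says what the object class implies for a fix. The two sample lines are Peter's, copied verbatim.

```shell
#!/bin/sh
# Decoder for SELinux "avc: denied" lines. Added example; it uses only the
# fields present in the kernel audit message, no extra tooling.

# avc_field KEY LINE -> value of KEY=value in LINE, surrounding quotes dropped
avc_field() {
  printf '%s\n' "$2" |
    sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission inside "denied { ... }"
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# avc_type CONTEXT -> the type, i.e. third field of user:role:type[:mls]
avc_type() {
  printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# avc_explain LINE -> one-line reading: who was denied what on which object
avc_explain() {
  printf '%s (domain %s) was denied %s on %s "%s" labelled %s\n' \
    "$(avc_field comm "$1")" "$(avc_type "$(avc_field scontext "$1")")" \
    "$(avc_perm "$1")" "$(avc_field tclass "$1")" "$(avc_field name "$1")" \
    "$(avc_type "$(avc_field tcontext "$1")")"
}

# avc_hint LINE -> what the object class / permission pair tells you
avc_hint() {
  case "$(avc_field tclass "$1")/$(avc_perm "$1")" in
    lnk_file/read)
      echo "the symlink itself is the object checked; its own label, not the target's, is what policy saw" ;;
    dir/search)
      # name= is the object's name on its own filesystem, and ino=2 is the
      # root directory of an ext2/3 filesystem: name="/" on a different
      # dev= than the data is usually a mount point (here /home), not /
      echo "a directory on the path is not searchable by this domain; every component up to the data directory must be" ;;
    *) echo "run the line through audit2why for this class/permission pair" ;;
  esac
}

# Peter's two denials, copied verbatim from the thread
AVC_SYMLINK='Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file'
AVC_HOME='Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t tclass=dir'

for line in "$AVC_SYMLINK" "$AVC_HOME"; do
  avc_explain "$line"
  echo "  hint: $(avc_hint "$line")"
done
```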
Hi Jim,
Now normally I just move /var/lib/mysql to /home/mysql and symlink it.
Um... why? This seems like it would be more trouble than it's worth. And with the symlink, I don't see the benefit.
The reason I move it is because I usually make my systems with a 'small' / partition (say 10GB) and a large /home partition.
It is very easy to have large MySQL databases sitting in the default location then use up all space on the / partition which causes all sorts of havoc.
By moving it off to the /home partition it is moved to where the majority of the space is available and away from system data. MySQL databases are user data and should be in the user area.
The symlink allows you then to just start MySQL without changing any of the config files and anything else that expects it to be in /var/lib/mysql can still find it.
This is really how you should move the data directory anyway. Faking it as you were doing works, but it's not 'proper'.
Symlinks were created for this very reason.
WHY is mysqld trying to read / when I told it to use /home/mysql ?
Because you have to get to / before you can get to /home/ and /home/mysql. Directory traversal vulnerabilities are quite commonplace, which is why you see all the $DOCUMENT_ROOT/../../../etc/somedir/ type attempts in logs occasionally for things like apache.
Well doesn't it have to traverse / to get to the default location of /var/lib/mysql anyway?
I can see where it may not have permission for /home but surely everything can start at / ?
Peter Kiem wrote:
Hi Jim,
Now normally I just move /var/lib/mysql to /home/mysql and symlink it.
Um... why? This seems like it would be more trouble than it's worth. And with the symlink, I don't see the benefit.
The reason I move it is because I usually make my systems with a 'small' / partition (say 10GB) and a large /home partition.
That's the reason for a /var partition. I always have a huge var (400+G), and a small home (40G)
All my samba shares (usually just /var/ftp/pub) go in /var
It is very easy to have large MySQL databases sitting in the default location then use up all space on the / partition which causes all sorts of havoc.
By moving it off to the /home partition it is moved to where the majority of the space is available and away from system data. MySQL databases are user data and should be in the user area.
The symlink allows you then to just start MySQL without changing any of the config files and anything else that expects it to be in /var/lib/mysql can still find it.
This is really how you should move the data directory anyway. Faking it as you were doing works, but it's not 'proper'.
Symlinks were created for this very reason.
WHY is mysqld trying to read / when I told it to use /home/mysql ?
Because you have to get to / before you can get to /home/ and /home/mysql. Directory traversal vulnerabilities are quite commonplace, which is why you see all the $DOCUMENT_ROOT/../../../etc/somedir/ type attempts in logs occasionally for things like apache.
Well doesn't it have to traverse / to get to the default location of /var/lib/mysql anyway?
I can see where it may not have permission for /home but surely everything can start at / ?
On Tue, 2006-10-10 at 23:01 +1000, Peter Kiem wrote:
Hi Jim,
Now normally I just move /var/lib/mysql to /home/mysql and symlink it.
Um... why? This seems like it would be more trouble than it's worth. And with the symlink, I don't see the benefit.
The reason I move it is because I usually make my systems with a 'small' / partition (say 10GB) and a large /home partition.
It is very easy to have large MySQL databases sitting in the default location then use up all space on the / partition which causes all sorts of havoc.
By moving it off to the /home partition it is moved to where the majority of the space is available and away from system data. MySQL databases are user data and should be in the user area.
The symlink allows you then to just start MySQL without changing any of the config files and anything else that expects it to be in /var/lib/mysql can still find it.
While you're reading up on the mount command as suggested earlier, keep an eye open for the fact that you can mount any portion of a directory structure over another. This will give you the "freedom" to put stuff in /home and leave the config files and SELinux (? I think, I'm still total n00b at that) unchanged.
<snip>
BTW, I agree that user data belongs in a user area, not system area. I would move it for that reason alone.
HTH __ Bill
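The bind-mount approach Craig and Bill suggest, written out as an added example (these are not their commands). With /home/mysql bound onto /var/lib/mysql, mysqld keeps opening its default path, so its path walk goes / -> var -> lib -> mysql and never enters /home (home_root_t); the my.cnf edits become unnecessary and the data still lives on the large /home partition. The paths, the pidof check and the fstab handling are assumptions about Peter's layout; run it as root with the argument apply.

```shell
#!/bin/sh
# Bind-mount /home/mysql over /var/lib/mysql for an SELinux-enforcing host.
# Added example; SRC/DST are assumed from the thread's layout.
SRC=/home/mysql        # where the data really lives (big partition)
DST=/var/lib/mysql     # the path mysqld, its policy and file_contexts expect

# bind_fstab_entry SRC DST -> the /etc/fstab line that survives a reboot
# (/home is listed earlier in fstab, so it is mounted before this entry)
bind_fstab_entry() {
  printf '%s %s none bind 0 0\n' "$1" "$2"
}

# preflight SRC DST -> 0 when it is safe to mount, 1 with a reason otherwise
preflight() {
  [ -d "$1" ] || { echo "source $1 is not a directory" >&2; return 1; }
  [ -d "$2" ] || { echo "mount point $2 is not a directory" >&2; return 1; }
  # never swap the data directory under a running server
  if pidof mysqld >/dev/null 2>&1; then
    echo "stop mysqld before moving its data directory" >&2; return 1
  fi
  return 0
}

install_bind_mount() {
  preflight "$SRC" "$DST" || return 1
  # add the fstab line once, then mount it now
  grep -qs "^$SRC[[:space:]]$DST[[:space:]]" /etc/fstab ||
    bind_fstab_entry "$SRC" "$DST" >> /etc/fstab
  mount --bind "$SRC" "$DST"
  # a bind mount exposes the same inodes with whatever labels they already
  # carry (mysqld_db_t on Peter's directory); relabelling through the
  # expected path applies the file_contexts rules for /var/lib/mysql to
  # everything underneath, including files created while it sat in /home
  restorecon -R "$DST"
  ls -dZ "$DST"
}

if [ "${1:-}" = apply ]; then
  install_bind_mount
fi
```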