# /etc/init.d/mysql start
Authenticating root.
Password:
 * Starting mysql ...

stops not returning to prompt

# ls -lZ /run | grep mysql
drwxr-xr-x. 2 mysql root system_u:object_r:initrc_var_run_t 40 Jul 23 16:00 mysqld

Reproducible: Always
From the label (initrc_var_run_t) I can imagine that the directory is created from the init script, but looking at dev-db/mysql/files/mysql.init I don't immediately see how this would be. Can you take a look and see where it is created?
Seems like you looked at the wrong file

% equery b /etc/init.d/mysql
 * Searching for /etc/init.d/mysql ...
dev-db/mysql-init-scripts-2.0_pre1-r2 (/etc/init.d/mysql)

anyway from /etc/init.d/mysql =>

MY_CNF="${MY_CNF:-/etc/${SVCNAME}/my.cnf}"
....
local pidfile=$(get_config "${MY_CNF}" pid-file | tail -n1)
local socket=$(get_config "${MY_CNF}" socket | tail -n1)
....
start-stop-daemon \
    ${DEBUG/*/"--verbose"} \
    --start \
    --exec "${basedir}"/sbin/mysqld \
    --pidfile "${pidfile}" \
    --background \
    --wait ${startup_early_timeout} \
    ${tmpnice} \
    ${tmpionice} \
    -- --defaults-file="${MY_CNF}" ${MY_ARGS}

and /etc/mysql/my.cnf

% cat /etc/mysql/my.cnf | grep pid-file
pid-file = /var/run/mysqld/mysqld.pid
% cat /etc/mysql/my.cnf | grep socket
socket = /var/run/mysqld/mysqld.sock
socket = /var/run/mysqld/mysqld.sock
# using "localhost" in connects uses sockets by default

It seems to correspond with files I can find inside it

# ls -Z /run/mysqld
system_u:object_r:initrc_var_run_t mysqld.pid
system_u:object_r:initrc_var_run_t mysqld.sock
Will be in rev16
Is in the 2.20120725-r1, now in hardened-dev overlay
There is still a minor problem

# /etc/init.d/mysql start
Authenticating root.
Password:
 * Starting mysql ...
chown: changing ownership of ‘/var/run/mysqld’: Permission denied
 * Directory /var/run/mysqld for pidfile does not exist and cannot be created
 * ERROR: mysql failed to start

Both in enforcing and permissive:

Jul 30 18:58:03 lain kernel: [25498.604408] type=1400 audit(1343667483.272:119): avc: denied { setattr } for pid=12554 comm="chown" name="mysqld" dev="tmpfs" ino=2611792 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:mysqld_var_run_t tclass=dir

After audit2allow everything works ok
Thanks, I'll add this privilege to it as well
r2 is now in hardened-dev overlay
In main tree, ~arch'ed (rev 5)
stabilized