MySQL tmpdir on /dev/shm with SELinux

Tags: files, MySQL, rhel5, selinux

On RHEL5, I have a small MySQL database that has to write temp files. To speed up this process, I would like to move the temporary directory to /dev/shm by putting the following line into my.cnf:

tmpdir=/dev/shm/mysqltmp

I can create /dev/shm/mysqltmp just fine and do

chown mysql:mysql /dev/shm/mysqltmp
chcon --reference /tmp/ /dev/shm/mysqltmp

I've tried to make SELinux happy by applying the same settings that are in effect for /tmp/ (and /var/tmp/), which is presumably where MySQL is writing its tmp files if tmpdir is undefined.

The problem is that SELinux complains about MySQL having access to that directory. I get the following in /var/log/messages:

SELinux is preventing mysqld (mysqld_t) "getattr" to /dev/shm (tmpfs_t).

SELinux is a hard mistress. Details:

Source Context                root:system_r:mysqld_t
Target Context                system_u:object_r:tmpfs_t
Target Objects                /dev/shm [ dir ]
Source                        mysqld
Source Path                   /usr/libexec/mysqld
Port                          <Unknown>
Host                          db.example.com
Source RPM Packages           mysql-server-5.0.77-3.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     db.example.com
Platform                      Linux db.example.com 2.6.18-164.2.1.el5 #1 SMP
                              Mon Sep 21 04:37:42 EDT 2009 x86_64 x86_64
Alert Count                   46
First Seen                    Wed Nov  4 14:23:48 2009
Last Seen                     Thu Nov  5 09:46:00 2009
Local ID                      e746d880-18f6-43c1-b522-a8c0508a1775

ls -lZ /dev/shm shows

drwxrwxr-x  mysql mysql system_u:object_r:tmp_t          mysqltmp

and permissions for /dev/shm itself are

drwxrwxrwt  root root  system_u:object_r:tmpfs_t        shm

I've also tried

chcon -R -t mysqld_t /dev/shm/mysqltmp

and setting the group on /dev/shm to mysql with no better results. Shouldn't it be enough to tell SELinux, hey, this is a temp directory just like MySQL was using before?

Short of turning off SELinux, how do I make this work? Do I need to edit SELinux policy files?

Best Answer

SELinux is preventing mysqld (mysqld_t) "getattr" to /dev/shm (tmpfs_t).

This means that SELinux denies access to the /dev/shm directory, which is the parent of /dev/shm/mysqltmp.

ls -lZd /tmp/
drwxrwxrwt 3 system_u:object_r:tmp_t:s0
ls -lZd /dev/shm
drwxrwxrwt  root root system_u:object_r:tmpfs_t:s0

You have 3 options:

1) Change /dev/shm type label from tmpfs_t to tmp_t

2) Run SELinux in permissive mode, and collect all denials in /var/log/audit/audit.log

# exercise MySQL (run the queries that need tmpdir) while permissive, then
# turn the logged mysqld denials into a module source; reading the file
# (rather than tail -f, which never reaches EOF) lets audit2allow finish
grep mysqld_t /var/log/audit/audit.log | audit2allow -m myMySQL -o myMySQL.te
checkmodule -M -m myMySQL.te -o myMySQL.mod
semodule_package -m myMySQL.mod -o myMySQL.pp

You should check that myMySQL.te contains only the necessary allows. Finally, load the module into the kernel:

semodule -i myMySQL.pp

3) Disable SELinux protection for MySQL:

setsebool -P mysqld_disable_trans=on
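As an added example (not part of the original answer, and not the audit2allow tool itself), here is a small Python aggregator that does the core of what option 2 relies on audit2allow for: it parses type=AVC records, keeps only denials whose source domain is mysqld_t, and renders a module source with the same require/allow layout, so you can see exactly which allows the denials translate into before building and loading anything. The lines in SAMPLE_AUDIT_LOG are constructed for this example: the first matches the getattr denial quoted in the question, the search/write/create denials that follow are assumed follow-on denials of the kind permissive mode would record once getattr is no longer blocked, and the httpd_t line is there to show that denials from other domains are dropped rather than swept into the module.

```python
"""Minimal audit2allow-style aggregator for SELinux AVC denials.

Added example, not code from the original post or from the SELinux tools.
It reads audit.log-style lines, keeps only denials from one source domain
(here mysqld_t) and emits a policy module source (.te) whose allow rules
you can compare against the audit2allow output before loading it.
"""
import re
from collections import defaultdict

# The fields audit2allow needs from a type=AVC record: the denied permission
# set, the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type (third component) of a user:role:type[:range] context."""
    return ctx.split(':')[2]


def collect_denials(lines, source_domain):
    """Aggregate denied permissions per (source, target, class) for one domain.

    Returns {(stype, ttype, tclass): set(perms)} so that a later allow rule
    contains exactly the permissions the domain was actually denied.
    """
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m.group('scontext'))
        if stype != source_domain:
            continue  # denials from other domains must not leak into the module
        ttype = context_type(m.group('tcontext'))
        rules[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return dict(rules)


def render_module(name, rules, version='1.0'):
    """Render rules as a policy module source in the layout audit2allow -m produces."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(classes[c])))
            for c in sorted(classes)]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append('allow %s %s:%s { %s };'
                   % (stype, ttype, tclass, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'


# Constructed sample (not a real capture): the denial from the question, assumed
# follow-on denials from permissive mode, and one unrelated httpd_t denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1257432240.123:4611): avc:  denied  { getattr } for  pid=2881 comm="mysqld" path="/dev/shm" dev=tmpfs ino=1 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1257432240.123:4612): avc:  denied  { search } for  pid=2881 comm="mysqld" name="shm" dev=tmpfs ino=1 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1257432240.125:4613): avc:  denied  { write add_name } for  pid=2881 comm="mysqld" name="mysqltmp" dev=tmpfs ino=9876 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1257432240.125:4614): avc:  denied  { create write } for  pid=2881 comm="mysqld" name="#sql_b41_0.MYI" scontext=root:system_r:mysqld_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1257432301.001:4620): avc:  denied  { read } for  pid=3012 comm="httpd" name="shadow" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

if __name__ == '__main__':
    rules = collect_denials(SAMPLE_AUDIT_LOG.splitlines(), 'mysqld_t')
    print(render_module('myMySQL', rules), end='')
```

Running it prints a myMySQL.te you can diff against the one audit2allow wrote. Note that the tmp_t rules it emits allow mysqld_t to create and write any generic tmp_t file, not only those under /dev/shm/mysqltmp; that is exactly the kind of over-broad allow the "check that myMySQL.te contains only the necessary allows" step in option 2 is meant to catch before semodule -i.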