MySQL SELinux conflict Fedora 19

I've successfully installed MySQL 5.6 on my F19. Although the installation was successful, I'm unable to start the mysql service.

When I ran

    service mysql start

it returned the following error:

    Starting MySQL..The server quit without updating PID file (/var/lib/mysql/sandboxlabs.pid).

I disabled SELinux (permissive mode), and the service started smoothly. But I did some research about disabling SELinux, and found that disabling SELinux is a bad idea. So, is there any way to add a custom MySQL policy? Or should I leave SELinux in permissive mode?

The full answer depends on your server configuration and how you're using MySQL. However, it's completely feasible to modify your SELinux policy to allow MySQL to run. In most cases, this sort of operation can be performed with a small number of shell commands.

Start by looking at /var/log/audit/audit.log. You can use audit2allow to generate a permission-granting policy from the log messages themselves. On Fedora 19, this utility is in the policycoreutils yum package.

The command

    # grep mysql /var/log/audit/audit.log | audit2allow

...will output the policy code that would need to be compiled in order to allow the mysql operations that were prevented and logged in audit.log. You can review this output to determine whether you'd like to incorporate such permissions into your system's policy. It can be a bit esoteric, but you can usually make out a few file permissions that mysql would need in order to run.

To enable these changes, you need to create the policy module as a compiled module:

    # grep mysql /var/log/audit/audit.log | audit2allow -M mysql

...will write the plaintext policy source to mysql.te and the compiled policy module to mysql.pp. You can then use the semodule tool to import this into your system's policy:

    # semodule -i mysql.pp

Once you've done this, try starting mysqld again. You might need to repeat this process a few times, since mysqld might still falter on some new access permission that wasn't logged in previous runs. This is because the server daemon encounters these permission checks sequentially, and if it gets tripped up on one, it won't encounter the others until you allow access to the initial ones. Have patience -- sometimes you will need to create mysql1.pp, mysql2.pp, mysql3.pp ... and so on.

If you're really interested in combining these into a unified policy, you can take the .te files and "glue" them together to create a unified .te file. Compiling this file is only slightly more work -- you need the Makefile from /usr/share/selinux/devel/Makefile in order to convert it into a .pp file.

For more information:

If you're a more graphical type, there's also a great article by Red Hat Magazine on compiling policy here. There's also a great blog article which takes you through the creation of a policy here. Note the emphasis on using /usr/share/selinux/devel/Makefile to compile your own .te, .fc, and .if files (SELinux source written in M4).
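The loop the answer describes (grep the denials, audit2allow -M, semodule -i, start again, repeat) as an added, scripted example; this is not code from the original question or answer. It assumes a Fedora/RHEL layout (audit.log under /var/log/audit, policycoreutils installed) and uses the question's own `service mysql start` as the start command; both are overridable through environment variables. The audit.log excerpt embedded in the script is constructed for offline demonstration. Two checks are added that the bare `grep mysql | audit2allow` pipeline lacks: the filter keeps only AVC denials raised by the mysqld process rather than any line mentioning "mysql", and each round prints a per-permission summary and the generated .te so the rules can be read before they are loaded permanently.

```shell
#!/bin/sh
# Added example (not from the original answer): review mysqld AVC denials, turn them
# into a policy module, and repeat the audit2allow/semodule/start cycle until the
# service comes up. Assumes Fedora with policycoreutils; the start command and the
# audit log path are assumptions and can be overridden from the environment.
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}
START_CMD=${START_CMD:-"service mysql start"}

# CONSTRUCTED sample audit.log excerpt for offline demonstration: three denials for
# mysqld on its data directory, one SYSCALL record and one unrelated httpd denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1372000000.101:301): avc:  denied  { write } for  pid=2210 comm="mysqld" name="mysql" dev="dm-0" ino=1313 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1372000000.102:302): avc:  denied  { create } for  pid=2210 comm="mysqld" name="sandboxlabs.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1372000000.103:303): avc:  denied  { write } for  pid=2210 comm="mysqld" name="sandboxlabs.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1372000000.103:303): arch=c000003e syscall=2 success=no exit=-13 comm="mysqld" exe="/usr/sbin/mysqld"
type=AVC msg=audit(1372000000.104:304): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Keep only AVC denials raised by mysqld (or mysqld_safe). A bare "grep mysql" would
# also match other processes touching anything with "mysql" in its name.
mysqld_avc_lines() {
    grep -E 'type=AVC .*denied .*comm="mysqld[^"]*"'
}

count_mysqld_denials() {
    mysqld_avc_lines | wc -l | tr -d ' '
}

# One line per distinct (source type, permission, class, target type), most frequent
# first. A target type that is not MySQL-specific (var_lib_t rather than mysqld_db_t)
# is the thing to question before a rule allowing it is loaded.
summarize_denials() {
    mysqld_avc_lines | awk '{
        perm = ""; tclass = ""; stype = ""; ttype = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "tclass") tclass = kv[2]
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        print stype, perm, tclass, ttype
    }' | sort | uniq -c | sort -rn
}

# Root only. Each round feeds audit2allow only the lines logged since the previous
# start attempt, because mysqld stops at its first denial and the next one is not
# logged until the first is allowed. Read the generated .te: every rule in it
# becomes a permanent grant once semodule -i succeeds.
fix_until_started() {
    max=${1:-5}
    round=1
    while [ "$round" -le "$max" ]; do
        before=$(wc -l < "$AUDIT_LOG")
        if $START_CMD; then            # unquoted on purpose: split into command + args
            echo "mysqld started after $((round - 1)) extra module(s)"
            return 0
        fi
        mod="mysql$round"
        echo "== round $round: new mysqld denials =="
        tail -n "+$((before + 1))" "$AUDIT_LOG" | summarize_denials
        if [ "$(tail -n "+$((before + 1))" "$AUDIT_LOG" | count_mysqld_denials)" = 0 ]; then
            echo "no new mysqld AVC denials: check the mysqld error log, or rebuild" >&2
            echo "policy with 'semodule -DB' in case a dontaudit rule hides the denial" >&2
            return 1
        fi
        tail -n "+$((before + 1))" "$AUDIT_LOG" | mysqld_avc_lines | audit2allow -M "$mod" || return 1
        echo "== $mod.te (review before loading) =="
        cat "$mod.te"
        semodule -i "$mod.pp" || return 1
        round=$((round + 1))
    done
    echo "mysqld still failing after $max rounds; inspect the remaining denials" >&2
    return 1
}

# Offline demonstration on the constructed sample; the real cycle runs only as root
# when invoked as: sh fix-mysqld-selinux.sh --fix [max_rounds]
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_denials
if [ "${1:-}" = "--fix" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    fix_until_started "${2:-5}"
fi
```

On the constructed sample the summary shows three distinct denials, all from mysqld_t against var_lib_t objects under the data directory, while the httpd record is ignored. Per-round modules (mysql1.pp, mysql2.pp, ...) are the same layout the answer describes, so the resulting .te files can later be merged and rebuilt with /usr/share/selinux/devel/Makefile as it suggests.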
