mysql 의 data directory 변경 및 symbolic link 후 mysql 구동 에러

증상

/var/lib/mysql 을 /home/mysql 로 이동 및 ln -s /home/mysql /var/lib/mysql 로 symbolic link 후 다음 에러 발생

 

 Click here to expand...

type=AVC msg=audit(1382344900.461:183333): avc: denied { read } for pid=27573 comm="touch" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by: Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1382344900.462:183335): avc: denied { read } for pid=27574 comm="chown" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1382344900.463:183337): avc: denied { read } for pid=27575 comm="chmod" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1382344900.464:183339): avc: denied { read } for pid=27270 comm="mysqld_safe" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

 

 

조치

  1. 관련 rule 조회

    sesearch --allow -s mysqld_safe_t | grep mysqld_db_t  
       allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
       allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
       allow mysqld_safe_t mysqld_db_t : lnk_file { read getattr } ; 
       allow mysqld_safe_t mysqld_db_t : sock_file { getattr unlink } ; 
  2. You can allow mysqld_safe_t to read lnk_files with type mysqld_db_t:
  3. mysql 이 symbolic link 를 읽을수 있게 rule 추가

    1. audit2alow 로 처리

      echo "type=AVC msg=audit(1382344900.464:183339): avc: denied { read } for pid=27270 comm="mysqld_safe" name="mysql" dev=dm-0 ino=1837146 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file"|audit2allow -M my_mysqldsafe
       
      ******************** IMPORTANT ***********************
      To make this policy package active, execute:
      semodule -i my_mysqldsafe.pp
    2. semodule -i my_mysqldsafe.pp
  4. 위와 같이 해도 에러가 발생하여 확인해 보니 /home의 context 가 다음과 같음

    ls -ldZ /home/
    drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home/
  5. mysql_safe_t 가 home_root_t 를 읽을수 있게 rule 추가
    1. vi mysql_home_root_t.te

      module mysql_home_root_t 1.0;
      require {
              type mysqld_safe_t;
              type home_root_t;
              class dir {open read getattr };
      }
      #============= mysqld_safe_t ==============
      allow mysqld_safe_t home_root_t : dir { read open getattr } ;
    2. Compile the module
      1. checkmodule -M -m -o mysql_home_root_t.mod mysql_home_root_t.te 
    3. Create the package
      1. semodule_package -o mysql_home_root_t.pp -m mysql_home_root_t.mod
    4. Load the module into the kernel
      1. semodule -i mysql_home_root_t.pp
    5. service mysql restart 했더니 log 가 다음 내용으로 변경되어 있음

      type=AVC msg=audit(1382425111.686:477133): avc:  denied  { read } for  pid=2462 comm="mysqld" name="mysql" dev=dm-0 ino=1966475 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file
              Was caused by:
                      Missing type enforcement (TE) allow rule.
                      You can use audit2allow to generate a loadable module to allow this access.
    6. audit2allow 로 rule 추가

      # echo type=AVC msg=audit\(1382425111.686:477133\): avc:  denied  { read } for  pid=2462 comm="mysqld" name="mysql" dev=dm-0 ino=1966475 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file | audit2allow -M mysqld_polocy
       
    7. semodule -i mysqld_polocy.pp

  6. service mysql restart 로 정상구동 여부 확인

 

Ref