Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux

2015-10-19 Thread Russell Coker
On Thu, 15 Oct 2015, Robie Basak  wrote:
> > For /var/run directories if you add them to a systemd-tmpfiles
> > configuration they will get the right context.  Add a file named
> > /usr/lib/tmpfiles.d/mysql-server.conf with the following contents:
> > D /var/run/mysqld 0755 mysql root
> 
> This sounds like a better route to me.
> 
> Given that we're using systemd, should we adjust your patch to do what
> you described above instead before applying? That is, ship
> /var/lib/mysql and /var/log/mysql using dh_installdirs (if I understand
> you correctly)? The systemd service already uses RuntimeDirectory so
> will this cause the right thing to happen, or do we still need a
> /usr/lib/tmpfiles.d entry?

Yes using dh_installdirs should do it for everything other than /var/run.

If the RuntimeDirectory option causes systemd to create the directory then it 
should be created correctly.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/



Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux

2015-10-15 Thread Robie Basak
Hi Russell,

Thank you for explaining this to me.

On Thu, Oct 15, 2015 at 01:19:23PM +1100, Russell Coker wrote:
> Every directory that is in a Debian package has its context set by dpkg.  So
> if you were to add /var/lib/mysql/mysql and /var/log/mysql to the package
> then they would have their context set correctly.
> 
> For /var/run directories if you add them to a systemd-tmpfiles configuration
> they will get the right context.  Add a file named
> /usr/lib/tmpfiles.d/mysql-server.conf with the following contents:
> D /var/run/mysqld 0755 mysql root

This sounds like a better route to me.

> With those changes (adding directories to packages and using
> systemd-tmpfiles) there would be no risk of regression and no SE Linux
> specific code in your package.
> 
> Systemd is now the default init system in Debian so eventually you have to
> write a systemd service file for mysql.  When you do that you have to use the
> tmpfiles.d configuration which will solve this issue.  I'd be happy if you
> just told everyone who uses MySQL on SE Linux to use systemd and didn't
> bother fixing the old SysVInit script.  But while MySQL users are forced to
> start the daemon in the old way it would be good to make it work properly on
> SE Linux.

We are actually already using systemd:
https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.6.git/tree/debian/mysql-server-5.6.mysql.service

Given that we're using systemd, should we adjust your patch to do what
you described above instead before applying? That is, ship
/var/lib/mysql and /var/log/mysql using dh_installdirs (if I understand
you correctly)? The systemd service already uses RuntimeDirectory so
will this cause the right thing to happen, or do we still need a
/usr/lib/tmpfiles.d entry?

Robie




Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux

2015-10-14 Thread Russell Coker
Package: mysql-server-5.6
Version: 5.6.25-4
Severity: normal
Tags: patch

The below patch is one way of giving correct SE Linux labels to the critical
MySQL directories.  If you add something like this to the package then it
should just work on SE Linux systems.  If restorecon is installed it should
in all situations work without error.

--- /etc/init.d/mysql.orig  2015-10-14 17:01:49.978070080 +1100
+++ /etc/init.d/mysql   2015-10-14 17:01:51.534109169 +1100
@@ -104,6 +104,7 @@
else
# Could be removed during boot
test -e /var/run/mysqld || install -m 755 -o mysql -g root -d 
/var/run/mysqld
+   [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld
 
# Start MySQL! 
su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe > /dev/null 2>&1 &"
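Review bot: this init script runs under `set -e` (see the `set -e` at the top of the /etc/init.d/mysql dump in this report), and in `[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld` the command after the final `&&` is not exempt from errexit, so a non-zero exit from restorecon aborts the script before `mysqld_safe` is ever started; append `|| true`, or put the relabel on the same `test -e ... ||` line as the `install` so it is only attempted right after the directory was created rather than on every start.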
--- /var/lib/dpkg/info/mysql-server-5.6.postinst.orig   2015-10-14 
17:05:33.007672611 +1100
+++ /var/lib/dpkg/info/mysql-server-5.6.postinst2015-10-14 
17:28:39.048604104 +1100
@@ -96,9 +96,18 @@
 
 # Ensure the existence and right permissions for the database and
 # log files.
-if [ ! -d "$mysql_statedir"   -a ! -L "$mysql_statedir"   ]; then 
mkdir "$mysql_statedir"; fi
-if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then 
mkdir "$mysql_statedir/mysql"; fi
-if [ ! -d "$mysql_logdir" -a ! -L "$mysql_logdir" ]; then 
mkdir "$mysql_logdir"; fi
+if [ ! -d "$mysql_statedir"   -a ! -L "$mysql_statedir"   ]; then
+   mkdir "$mysql_statedir"
+   [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir"
+fi
+if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then
+   mkdir "$mysql_statedir/mysql"
+   [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir/mysql"
+fi
+if [ ! -d "$mysql_logdir" -a ! -L "$mysql_logdir" ]; then
+   mkdir "$mysql_logdir"
+   [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_logdir"
+fi
 # When creating an ext3 jounal on an already mounted filesystem like e.g.
 # /var/lib/mysql, you get a .journal file that is not modifyable by chown.
 # The mysql_datadir must not be writable by the mysql user under any
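Review bot: in all three blocks the restorecon call is only reached when the directory did not yet exist, so a /var/lib/mysql, /var/lib/mysql/mysql or /var/log/mysql that an earlier package version already created with the parent's label is never relabeled on upgrade; if postinst is meant to leave labels correct, run the (still `[ -x /sbin/restorecon ]`-guarded, `|| true`-terminated for `set -e`) restorecon after each `if` rather than inside it, and fold the three identical mkdir/restorecon pairs into one helper so future packaging changes touch a single place.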

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

-- Configuration Files:
/etc/init.d/mysql changed:
set -e
set -u
${DEBIAN_SCRIPT_DEBUG:+ set -v -x}
test -x /usr/bin/mysqld_safe || exit 0
. /lib/lsb/init-functions
SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
CONF=/etc/mysql/my.cnf
MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mysql -i"
cd /
umask 077
export HOME=/etc/mysql/
mysqld_get_param() {
    /usr/sbin/mysqld --print-defaults \
    | tr " " "\n" \
    | grep -- "--$1" \
    | tail -n 1 \
    | cut -d= -f2
}
sanity_checks() {
  # check for config file
  if [ ! -r /etc/mysql/my.cnf ]; then
    log_warning_msg "$0: WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz"
    echo "WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz" | $ERR_LOGGER
  fi
  # check for diskspace shortage
  datadir=`mysqld_get_param datadir`
  if LC_ALL=C BLOCKSIZE= df --portability $datadir/. | tail -n 1 | awk '{ exit ($4>4096) }'; then
    log_failure_msg "$0: ERROR: The partition with $datadir is too full!"
    echo "ERROR: The partition with $datadir is too full!" | $ERR_LOGGER
    exit 1
  fi
}
mysqld_status () {
    ping_output=`$MYADMIN ping 2>&1`; ping_alive=$(( ! $? ))
    ps_alive=0
    pidfile=`mysqld_get_param pid-file`
    if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi

    if [ "$1" = 

Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux

2015-10-14 Thread Robie Basak
Hi Russell,

Thank you for the patch.

This sounds like quite a maintenance burden to me. It seems almost
certain to me that this will regress if packaging changes, as it's
unlikely that maintainers will remember to keep all the restorecon calls
up to date.

Please note that I am not familiar with SE Linux nor the Debian
packaging implications of it.

Is there documentation somewhere that explains why this is the right way
to approach this? Is there any consensus across Debian that you can
refer to that says that this is the right thing to do?

Thanks,

Robie




Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux

2015-10-14 Thread Russell Coker
On Wed, 14 Oct 2015 11:35:25 PM Robie Basak wrote:
> This sounds like quite a maintenance burden to me. It seems almost
> certain to me that this will regress if packaging changes, as it's
> unlikely that maintainers will remember to keep all the restorecon calls
> up to date.

Every feature which is not actively used by the package maintainer is at risk 
of regression.  But there are ways of making this easier.

Every directory that is in a Debian package has its context set by dpkg.  So 
if you were to add /var/lib/mysql/mysql and /var/log/mysql to the package then 
they would have their context set correctly.

For /var/run directories if you add them to a systemd-tmpfiles configuration 
they will get the right context.  Add a file named 
/usr/lib/tmpfiles.d/mysql-server.conf with the following contents:
D /var/run/mysqld 0755 mysql root

With those changes (adding directories to packages and using systemd-tmpfiles) 
there would be no risk of regression and no SE Linux specific code in your 
package.

Systemd is now the default init system in Debian so eventually you have to 
write a systemd service file for mysql.  When you do that you have to use the 
tmpfiles.d configuration which will solve this issue.  I'd be happy if you just 
told everyone who uses MySQL on SE Linux to use systemd and didn't bother 
fixing the old SysVInit script.  But while MySQL users are forced to start the 
daemon in the old way it would be good to make it work properly on SE Linux.

> Is there documentation somewhere that explains why this is the right way
> to approach this? Is there any consensus across Debian that you can
> refer to that says that this is the right thing to do?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801752

I consider all the other packages that have such patches to be indication of 
consensus of support for this.  In a comment on the above bug Jaldhar has 
committed to making a similar change to Dovecot.  That's just the latest bug 
report of this nature that I've filed.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
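As an added example (not code from this bug report or from the mysql package), here is the check a maintainer would run to see the discrepancy the thread is about: a directory created by a bare mkdir or install(1) inherits its parent's label, whereas dpkg, restorecon and systemd-tmpfiles apply the label the policy maps for the path. The sample contexts (mysqld_var_run_t and friends) are assumed reference-policy types and are not taken from the thread; check_paths is the live variant for an SELinux host.

```sh
#!/bin/sh
# Added example, not code from bug #801746 or the mysql package.
# Reports directories whose SELinux type differs from what the loaded
# policy maps for the path (what a plain mkdir/install leaves behind and
# what restorecon or systemd-tmpfiles would correct).

# type_of CONTEXT: the type field of user:role:type[:level].
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_label PATH ACTUAL EXPECTED: pure comparison of two contexts.
# Prints one report line; returns 1 on a type mismatch so callers can count.
check_label() {
    path=$1 actual=$2 expected=$3
    if [ "$(type_of "$actual")" = "$(type_of "$expected")" ]; then
        printf 'ok       %s %s\n' "$path" "$actual"
        return 0
    fi
    printf 'MISMATCH %s has %s, policy maps %s\n' "$path" "$actual" "$expected"
    return 1
}

# check_paths PATH...: live check on an SELinux host, using `ls -Zd`
# (context printed before the name) and `matchpathcon -n` (context only).
check_paths() {
    rc=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        actual=$(ls -Zd "$p" | awk '{ print $1 }')
        expected=$(matchpathcon -n "$p")
        check_label "$p" "$actual" "$expected" || rc=1
    done
    return $rc
}

# Constructed sample (assumed reference-policy types, not from the thread):
# /var/run/mysqld created with install(1) inherited var_run_t from /var/run
# instead of the mysqld_var_run_t the policy maps for that path.
demo() {
    check_label /var/run/mysqld \
        system_u:object_r:var_run_t:s0 \
        system_u:object_r:mysqld_var_run_t:s0
}
```

On a real host, `check_paths /var/lib/mysql /var/log/mysql /var/run/mysqld` exits non-zero when any of the three carries the wrong type.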