Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux
On Thu, 15 Oct 2015, Robie Basak wrote:
> > For /var/run directories if you add them to a systemd-tmpfiles
> > configuration they will get the right context. Add a file named
> > /usr/lib/tmpfiles.d/mysql-server.conf with the following contents:
> > D /var/run/mysqld 0755 mysql root
>
> This sounds like a better route to me.
>
> Given that we're using systemd, should we adjust your patch to do what
> you described above instead before applying? That is, ship
> /var/lib/mysql and /var/log/mysql using dh_installdirs (if I understand
> you correctly)? The systemd service already uses RuntimeDirectory so
> will this cause the right thing to happen, or do we still need a
> /usr/lib/tmpfiles.d entry?

Yes, using dh_installdirs should do it for everything other than /var/run. If the RuntimeDirectory option causes systemd to create the directory then it should be created correctly.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
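Robie's open question in the exchange above is whether RuntimeDirectory= in the unit already provides /var/run/mysqld or whether a tmpfiles.d entry is still needed. The script below is an added example, not from the thread or the mysql-5.6 packaging: it checks a unit file and a tmpfiles.d fragment for either mechanism, so a packager can verify the runtime directory is provisioned by systemd (and therefore labelled by it) before dropping the restorecon calls. The function names, the sample unit and fragment contents in the usage comment, and the file paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread or the mysql-5.6 packaging.
# Checks whether a runtime directory such as /var/run/mysqld is already
# provisioned by systemd, either through RuntimeDirectory= in the unit
# file or through a d/D line in a tmpfiles.d fragment. Both mechanisms
# create the directory with the SELinux context the policy assigns to it.
set -eu

# On systemd hosts /var/run is a symlink to /run; compare under /run.
normalise_run_path() {
    case "$1" in
        /var/run/*) printf '/run/%s\n' "${1#/var/run/}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# covered_by_runtime_directory DIR UNITFILE
# RuntimeDirectory= values are names relative to /run, space separated,
# possibly spread over several lines. Returns 0 if one of them names DIR.
covered_by_runtime_directory() {
    want=$(normalise_run_path "$1")
    [ -r "$2" ] || return 1
    sed -n 's/^RuntimeDirectory=//p' "$2" | tr ' ' '\n' \
        | sed 's|^|/run/|' | grep -qxF -- "$want"
}

# covered_by_tmpfiles DIR CONF
# tmpfiles.d fields: Type Path Mode User Group Age Argument. Returns 0 if
# a "d" or "D" entry creates DIR. Comments and blank lines are skipped.
covered_by_tmpfiles() {
    want=$(normalise_run_path "$1")
    [ -r "$2" ] || return 1
    awk -v want="$want" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "d" || $1 == "D" {
            p = $2
            sub("^/var/run/", "/run/", p)
            if (p == want) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# runtime_dir_provisioned DIR UNITFILE CONF
# Prints the mechanism that provides DIR ("RuntimeDirectory" or
# "tmpfiles.d") and returns 0, or prints "none" and returns 1.
runtime_dir_provisioned() {
    if covered_by_runtime_directory "$1" "$2"; then
        echo RuntimeDirectory
    elif covered_by_tmpfiles "$1" "$3"; then
        echo tmpfiles.d
    else
        echo none
        return 1
    fi
}

# Stand-alone use (paths are placeholders):
#   runtime_dir_provisioned /var/run/mysqld <unit-file> <tmpfiles-conf>
if [ $# -eq 3 ]; then
    runtime_dir_provisioned "$1" "$2" "$3"
fi
```

A result of "none" is the case the original bug report is about: nothing creates the directory with a policy-assigned context, so whatever creates it at start-up (the init script's install -d in the patch) has to relabel it afterwards.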
Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux
Hi Russell,

Thank you for explaining this to me.

On Thu, Oct 15, 2015 at 01:19:23PM +1100, Russell Coker wrote:
> Every directory that is in a Debian package has its context set by dpkg. So
> if you were to add /var/lib/mysql/mysql and /var/log/mysql to the package
> then they would have their context set correctly.
>
> For /var/run directories if you add them to a systemd-tmpfiles configuration
> they will get the right context. Add a file named
> /usr/lib/tmpfiles.d/mysql-server.conf with the following contents:
> D /var/run/mysqld 0755 mysql root

This sounds like a better route to me.

> With those changes (adding directories to packages and using systemd-tmpfiles)
> there would be no risk of regression and no SE Linux specific code in your
> package.
>
> Systemd is now the default init system in Debian so eventually you have to
> write a systemd service file for mysql. When you do that you have to use the
> tmpfiles.d configuration which will solve this issue. I'd be happy if you just
> told everyone who uses MySQL on SE Linux to use systemd and didn't bother
> fixing the old SysVInit script. But while MySQL users are forced to start the
> daemon in the old way it would be good to make it work properly on SE Linux.

We are actually already using systemd:

https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.6.git/tree/debian/mysql-server-5.6.mysql.service

Given that we're using systemd, should we adjust your patch to do what you described above instead before applying? That is, ship /var/lib/mysql and /var/log/mysql using dh_installdirs (if I understand you correctly)? The systemd service already uses RuntimeDirectory so will this cause the right thing to happen, or do we still need a /usr/lib/tmpfiles.d entry?

Robie
Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux
Package: mysql-server-5.6
Version: 5.6.25-4
Severity: normal
Tags: patch

The below patch is one way of giving correct SE Linux labels to the critical MySQL directories. If you add something like this to the package then it should just work on SE Linux systems. If restorecon is installed it should in all situations work without error.

--- /etc/init.d/mysql.orig 2015-10-14 17:01:49.978070080 +1100 +++ /etc/init.d/mysql 2015-10-14 17:01:51.534109169 +1100 @@ -104,6 +104,7 @@ else # Could be removed during boot test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld + [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld # Start MySQL! su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe > /dev/null 2>&1 &" --- /var/lib/dpkg/info/mysql-server-5.6.postinst.orig 2015-10-14 17:05:33.007672611 +1100 +++ /var/lib/dpkg/info/mysql-server-5.6.postinst2015-10-14 17:28:39.048604104 +1100 
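Review bot: in the /etc/init.d/mysql hunk, the added line `[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld` runs in a script that starts with `set -e` (visible in the configuration file dump at the end of this report), so while a missing restorecon is harmless (the failing test is not the last command of the list), a non-zero exit from restorecon itself aborts the script before `su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe ..."` is reached and the daemon never starts. Suggest `[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld || true`, or logging the failure via $ERR_LOGGER and continuing, so a labelling problem degrades to a warning rather than a failed start. Also note the relabel runs on every start rather than only when `install -d` just created the directory; that is idempotent and arguably desirable, but a comment saying so would help the next maintainer.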
@@ -96,9 +96,18 @@ # Ensure the existence and right permissions for the database and # log files. -if [ ! -d "$mysql_statedir" -a ! -L "$mysql_statedir" ]; then mkdir "$mysql_statedir"; fi -if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then mkdir "$mysql_statedir/mysql"; fi -if [ ! -d "$mysql_logdir" -a ! -L "$mysql_logdir" ]; then mkdir "$mysql_logdir"; fi +if [ ! -d "$mysql_statedir" -a ! -L "$mysql_statedir" ]; then + mkdir "$mysql_statedir" + [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir" +fi +if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then + mkdir "$mysql_statedir/mysql" + [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir/mysql" +fi +if [ ! -d "$mysql_logdir" -a ! -L "$mysql_logdir" ]; then + mkdir "$mysql_logdir" + [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_logdir" +fi # When creating an ext3 jounal on an already mounted filesystem like e.g. # /var/lib/mysql, you get a .journal file that is not modifyable by chown. 
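Review bot: in the postinst hunk the same `[ -x /sbin/restorecon ] && /sbin/restorecon "..."` line is repeated three times, once per `mkdir`; the maintenance concern raised in this bug is easier to meet with one helper defined once, e.g. `relabel() { [ -x /sbin/restorecon ] && /sbin/restorecon "$1" || true; }`, called after each `mkdir`, which also avoids a non-zero status escaping from the `&&` list. Separately, each restorecon call sits inside the `if [ ! -d ... -a ! -L ... ]` branch, so a directory that already exists with the wrong context (created by an earlier version of the package or by hand) is never corrected; moving the relabel after each `fi` so it runs unconditionally would fix that at no real cost, since restorecon on an already-correct directory is a no-op.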
# The mysql_datadir must not be writable by the mysql user under any

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages mysql-server-5.6 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.57
ii  init-system-helpers    1.23
ii  initscripts            2.88dsf-59.2
ii  libaio1                0.3.110-2
ii  libc6                  2.19-22
ii  libdbi-perl            1.633-1
ii  libgcc1                1:5.2.1-19
ii  libstdc++6             5.2.1-19
ii  libwrap0               7.6.q-25
ii  lsb-base               9.20150917
ii  mysql-client-5.6       5.6.25-4
ii  mysql-common           5.6.25-4
ii  mysql-server-core-5.6  5.6.25-4
ii  passwd                 1:4.2-3
ii  perl                   5.20.2-6
ii  psmisc                 22.21-2.1
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages mysql-server-5.6 recommends:
pn  libhtml-template-perl

Versions of packages mysql-server-5.6 suggests:
ii  bsd-mailx [mailx]       8.1.2-0.20150408cvs-1
ii  heirloom-mailx [mailx]  12.5-5
pn  tinyca

-- Configuration Files:
/etc/init.d/mysql changed:
set -e
set -u
${DEBIAN_SCRIPT_DEBUG:+ set -v -x}
test -x /usr/bin/mysqld_safe || exit 0
. /lib/lsb/init-functions
SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
CONF=/etc/mysql/my.cnf
MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mysql -i"
cd /
umask 077
export HOME=/etc/mysql/
mysqld_get_param() {
	/usr/sbin/mysqld --print-defaults \
		| tr " " "\n" \
		| grep -- "--$1" \
		| tail -n 1 \
		| cut -d= -f2
}
sanity_checks() {
  # check for config file
  if [ ! -r /etc/mysql/my.cnf ]; then
    log_warning_msg "$0: WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz"
    echo "WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz" | $ERR_LOGGER
  fi
  # check for diskspace shortage
  datadir=`mysqld_get_param datadir`
  if LC_ALL=C BLOCKSIZE= df --portability $datadir/. | tail -n 1 | awk '{ exit ($4>4096) }'; then
    log_failure_msg "$0: ERROR: The partition with $datadir is too full!"
    echo "ERROR: The partition with $datadir is too full!" | $ERR_LOGGER
    exit 1
  fi
}
mysqld_status () {
    ping_output=`$MYADMIN ping 2>&1`; ping_alive=$(( ! $? ))
    ps_alive=0
    pidfile=`mysqld_get_param pid-file`
    if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi
    if [ "$1" =
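The patch above repeats the relabel step once in the init script and three times in the postinst, and the init script runs under set -e. As an added example that is not part of the bug report or the Debian mysql packaging, the helper below wraps the same create-then-restorecon idea in a single function that is safe under set -e (a missing or failing restorecon is reported, not fatal), relabels an existing directory as well as a freshly created one, and takes the restorecon path from an overridable variable. The /sbin/restorecon path comes from the patch; the function names and the variable are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian mysql packaging.
# One helper for the "create a directory, then give it the SELinux context
# the loaded policy expects" step that the patch repeats in several places.
# Written for scripts that run under "set -e": neither a missing restorecon
# nor a restorecon failure aborts the caller, and calling it on an existing
# directory is harmless.
set -eu

# Path of restorecon. /sbin/restorecon is the path the patch uses; it is
# overridable so the helper can be exercised on hosts without SELinux tools.
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# relabel_path PATH
# Apply the policy's default context to PATH if restorecon is available.
# Always returns 0 so it is safe as a plain statement under "set -e".
relabel_path() {
    if [ -x "$RESTORECON" ]; then
        "$RESTORECON" "$1" || echo "warning: restorecon failed on $1" >&2
    fi
    return 0
}

# ensure_labelled_dir PATH MODE OWNER GROUP
# Create PATH (unless it already exists as a directory or symlink) with the
# given mode and ownership, then relabel it. Relabelling happens even when
# the directory already existed, so a context left behind by an earlier
# package version or a manual mkdir is corrected too.
ensure_labelled_dir() {
    dir=$1; mode=$2; owner=$3; group=$4
    if [ ! -d "$dir" ] && [ ! -L "$dir" ]; then
        mkdir -m "$mode" "$dir"
        chown "$owner:$group" "$dir"
    fi
    relabel_path "$dir"
}

# Stand-alone use, mirroring the patch's install -d line:
#   ensure_labelled_dir /var/run/mysqld 0755 mysql root
if [ $# -eq 4 ]; then
    ensure_labelled_dir "$1" "$2" "$3" "$4"
fi
```

Replacing the three postinst blocks with `ensure_labelled_dir "$mysql_statedir" ...` calls keeps the SELinux-specific part in one place, which is the regression risk Robie raises later in the thread; the tmpfiles.d and dh_installdirs route discussed there removes even that one function.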
Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux
Hi Russell,

Thank you for the patch.

This sounds like quite a maintenance burden to me. It seems almost certain to me that this will regress if packaging changes, as it's unlikely that maintainers will remember to keep all the restorecon calls up to date.

Please note that I am not familiar with SE Linux nor the Debian packaging implications of it. Is there documentation somewhere that explains why this is the right way to approach this? Is there any consensus across Debian that you can refer to that says that this is the right thing to do?

Thanks,

Robie
Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux
On Wed, 14 Oct 2015 11:35:25 PM Robie Basak wrote:
> This sounds like quite a maintenance burden to me. It seems almost
> certain to me that this will regress if packaging changes, as it's
> unlikely that maintainers will remember to keep all the restorecon calls
> up to date.

Every feature which is not actively used by the package maintainer is at risk of regression. But there are ways of making this easier.

Every directory that is in a Debian package has its context set by dpkg. So if you were to add /var/lib/mysql/mysql and /var/log/mysql to the package then they would have their context set correctly.

For /var/run directories if you add them to a systemd-tmpfiles configuration they will get the right context. Add a file named /usr/lib/tmpfiles.d/mysql-server.conf with the following contents:

D /var/run/mysqld 0755 mysql root

With those changes (adding directories to packages and using systemd-tmpfiles) there would be no risk of regression and no SE Linux specific code in your package.

Systemd is now the default init system in Debian so eventually you have to write a systemd service file for mysql. When you do that you have to use the tmpfiles.d configuration which will solve this issue. I'd be happy if you just told everyone who uses MySQL on SE Linux to use systemd and didn't bother fixing the old SysVInit script. But while MySQL users are forced to start the daemon in the old way it would be good to make it work properly on SE Linux.

> Is there documentation somewhere that explains why this is the right way
> to approach this? Is there any consensus across Debian that you can
> refer to that says that this is the right thing to do?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801752

I consider all the other packages that have such patches to be an indication of consensus of support for this. In a comment on the above bug Jaldhar has committed to making a similar change to Dovecot. That's just the latest bug report of this nature that I've filed.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/