MySQL tmpdir on /dev/shm with SELinux
Posted by smorfnip on Server Fault
Published on 2009-11-05T16:27:01Z
Indexed on 2010/04/10 0:03 UTC
On RHEL5, I have a small MySQL database that has to write temp files. To speed up this process, I would like to move the temporary directory to /dev/shm by putting the following line into my.cnf:
tmpdir=/dev/shm/mysqltmp
I can create /dev/shm/mysqltmp just fine and do
chown mysql:mysql /dev/shm/mysqltmp
chcon --reference /tmp/ /dev/shm/mysqltmp
I've tried to make SELinux happy by applying the same settings that are in effect for /tmp/ (and /var/tmp/), which is presumably where MySQL is writing its tmp files if tmpdir is undefined.
The problem is that SELinux complains about MySQL having access to that directory. I get the following in /var/log/messages:
SELinux is preventing mysqld (mysqld_t) "getattr" to /dev/shm (tmpfs_t).
SELinux is a hard mistress. Details:
Source Context root:system_r:mysqld_t
Target Context system_u:object_r:tmpfs_t
Target Objects /dev/shm [ dir ]
Source mysqld
Source Path /usr/libexec/mysqld
Port <Unknown>
Host db.example.com
Source RPM Packages mysql-server-5.0.77-3.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name db.example.com
Platform Linux db.example.com 2.6.18-164.2.1.el5 #1 SMP Mon Sep 21 04:37:42 EDT 2009 x86_64 x86_64
Alert Count 46
First Seen Wed Nov 4 14:23:48 2009
Last Seen Thu Nov 5 09:46:00 2009
Local ID e746d880-18f6-43c1-b522-a8c0508a1775
ls -lZ /dev/shm shows
drwxrwxr-x mysql mysql system_u:object_r:tmp_t mysqltmp
and permissions for /dev/shm itself are
drwxrwxrwt root root system_u:object_r:tmpfs_t shm
I've also tried
chcon -R -t mysqld_t /dev/shm/mysqltmp
and setting the group on /dev/shm to mysql with no better results. Shouldn't it be enough to tell SELinux, hey, this is a temp directory just like MySQL was using before?
Short of turning off SELinux, how do I make this work? Do I need to edit SELinux policy files?
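Two details in the question point at the fix. The denial is on /dev/shm itself (tmpfs_t), so relabelling only the mysqltmp subdirectory cannot satisfy it; mysqld_t needs to traverse the parent. And chcon -t mysqld_t applies the process domain type from the alert's source context to a file, which is not a file type mysqld may write. The script below is an added example, not from the post or from Red Hat; it generates, rather than applies, the two pieces a least-privilege fix needs: a type-enforcement module granting mysqld_t only getattr and search on tmpfs_t directories (the single permission the alert names, plus the search that directory traversal needs), and persistent labelling commands that record the context with semanage so it survives relabels and the recreation of /dev/shm at boot. It assumes the file type mysqld_tmp_t exists in the targeted policy on the box (check with `seinfo -t mysqld_tmp_t` or `semanage fcontext -l | grep mysql` before relying on it), a module name of mysqld_shm, and that the user reviews the generated apply.sh before running it on the server. The parser function reads the exact alert line from the question.

```sh
#!/bin/sh
# Added example (not the Server Fault poster's code): generate a minimal SELinux
# module and persistent labelling commands for a MySQL tmpdir under /dev/shm.
# Assumptions: module name mysqld_shm, file type mysqld_tmp_t (verify it exists
# in your policy), output directory $OUT (a fresh temp dir unless set).
OUT="${OUT:-$(mktemp -d)}"

# Turn a setroubleshoot summary line into the allow rule it describes.
# $1: the summary, e.g. the line quoted in the question; $2: object class
# taken from "Target Objects ... [ dir ]". Output: allow <src> <tgt>:<class> <perm>;
denial_to_rule() {
    printf '%s\n' "$1" | sed -n \
      's/.*(\([a-z_]*\)) "\([a-z_]*\)" to [^ ]* (\([a-z_]*\))\./allow \1 \3:'"$2"' \2;/p'
}

# Type-enforcement source. Only getattr (what the alert asks for) and search
# (needed to descend into /dev/shm) on tmpfs_t dirs; no write access to tmpfs_t,
# so the tmpdir itself must carry a type mysqld_t may already manage.
te_module() {
    cat <<'EOF'
module mysqld_shm 1.0;

require {
    type mysqld_t;
    type tmpfs_t;
    class dir { getattr search };
}

# mysqld must traverse /dev/shm (tmpfs_t) to reach its own tmpdir.
allow mysqld_t tmpfs_t:dir { getattr search };
EOF
}

# Persistent labelling. chcon is lost on relabel and /dev/shm is emptied at
# boot, so record the context and recreate the directory at startup;
# restorecon then applies the recorded label. $1: the tmpdir path.
label_commands() {
    dir="$1"
    printf '%s\n' \
      "semanage fcontext -a -t mysqld_tmp_t \"${dir}(/.*)?\"" \
      "mkdir -p ${dir}" \
      "chown mysql:mysql ${dir}" \
      "restorecon -Rv ${dir}"
}

# Compile and load the module (run on the server, after review).
build_commands() {
    printf '%s\n' \
      "checkmodule -M -m -o mysqld_shm.mod mysqld_shm.te" \
      "semodule_package -o mysqld_shm.pp -m mysqld_shm.mod" \
      "semodule -i mysqld_shm.pp"
}

# Write the .te file and an apply.sh with the labelling and build steps.
# Prints the path of the generated .te file.
write_files() {
    mkdir -p "$OUT"
    te_module > "$OUT/mysqld_shm.te"
    { label_commands /dev/shm/mysqltmp; build_commands; } > "$OUT/apply.sh"
    printf '%s\n' "$OUT/mysqld_shm.te"
}

# Constructed input: the alert line quoted in the question.
ALERT='SELinux is preventing mysqld (mysqld_t) "getattr" to /dev/shm (tmpfs_t).'
denial_to_rule "$ALERT" dir
write_files
```

After loading the module, run mysqld with the new tmpdir while watching /var/log/audit/audit.log; if a further denial appears (for example a different permission on tmpfs_t), extend the module by the named permission only, rather than granting mysqld_t broad rights on tmpfs_t, which would also cover every other program's shared-memory files.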
© Server Fault or respective owner