MySQL SELinux conflict on Fedora 19
I've installed MySQL 5.6 on F19. Although the installation was successful, I'm unable to start the MySQL service.
When I ran
service mysql start
it returns the following error:
Starting MySQL..The server quit without updating PID file (/var/lib/mysql/sandboxlabs.pid).
I disabled SELinux (permissive mode), and the service started smoothly. I did some research on disabling SELinux, and found that disabling SELinux is a bad idea. So, is there a way to add a custom MySQL policy? Or should I leave SELinux in permissive mode?
The full answer depends on your server configuration and how you're using MySQL. However, it's feasible to modify the SELinux policy to allow MySQL to run. In most cases, this sort of operation can be performed with a small number of shell commands.
Start by looking at /var/log/audit/audit.log. You can use audit2allow to generate a permission-granting policy around the log messages themselves. On Fedora 19, this utility is in the policycoreutils yum package.
The command
# grep mysql /var/log/audit/audit.log | audit2allow
...will output the policy code that would need to be compiled in order to allow the MySQL operations that were prevented and logged in audit.log. You can review this output to determine whether you'd like to incorporate such permissions into your system's policy. It can be a bit esoteric, but you can make out a few file permissions that MySQL would need in order to run.
To enable these changes, you need to create a policy module as a compiled module:
# grep mysql /var/log/audit/audit.log | audit2allow -M mysql
...will output the saved plaintext code to mysql.te and the compiled policy code to mysql.pp. You can then use the semodule tool to import this into your system's policy.
# semodule -i mysql.pp
Once you've done this, try starting mysqld again. You might need to repeat this process a few times, since mysqld might still falter on some new access permission that wasn't logged in previous runs. This is because the server daemon encounters these permission checks sequentially, and if it gets tripped up on one, it won't encounter the others until you allow access to the initial ones. Have patience -- you will need to create mysql1.pp mysql2.pp mysql3.pp ... and so on.
If you're interested in combining these into a unified policy, you can take the .te files and "glue" them together to create a unified .te file. Compiling this file is more work -- you need to use the Makefile from /usr/share/selinux/devel/Makefile in order to convert it into a .pp file.
For more information:
If you're more of a graphical type, there's a great article from Red Hat Magazine on compiling policy here. There's also a great blog article that takes you through the creation of a policy here. Note the emphasis on using /usr/share/selinux/devel/Makefile to compile your own .te, .fc, and .if files (SELinux source is written in M4).
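An added example, not part of the answer above: a small shell helper for the review step, which collapses AVC denials into one candidate allow rule per source type, target type and class so you can see what a generated module would grant before loading it. The function names and the sample audit records are constructed for illustration; it does not replace audit2allow.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real system).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1380000000.101:501): avc:  denied  { read } for  pid=2101 comm="mysqld" name="ibdata1" dev="dm-1" ino=4001 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1380000000.102:502): avc:  denied  { write } for  pid=2101 comm="mysqld" name="ibdata1" dev="dm-1" ino=4001 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1380000000.103:503): avc:  denied  { search } for  pid=2101 comm="mysqld" name="mysql" dev="dm-1" ino=4000 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1380000000.103:503): arch=c000003e syscall=2 success=no comm="mysqld" exe="/usr/sbin/mysqld"
type=AVC msg=audit(1380000000.104:504): avc:  denied  { read } for  pid=2101 comm="mysqld" name="ibdata1" dev="dm-1" ino=4001 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print one "allow" line per
# (source type, target type, class) with the union of denied permissions.
summarize_avc() {
  awk '
    /avc: +denied/ {
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      # The denied permissions are the words between "{" and "}".
      inside = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inside = 1; continue }
        if ($i == "}") break
        if (inside && !seen[key, $i]++) perms[key] = perms[key] " " $i
      }
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }
  ' | sort
}

# Stand-alone run on the constructed sample.
sample_avc_log | summarize_avc
```

On a real system, feed it the same input as the commands above, for example: grep mysql /var/log/audit/audit.log | summarize_avc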