[debian-mysql] Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux

Russell Coker russell at coker.com.au
Wed Oct 14 06:39:00 UTC 2015


Package: mysql-server-5.6
Version: 5.6.25-4
Severity: normal
Tags: patch

The below patch is one way of giving correct SE Linux labels to the critical MySQL
directories.  If you add something like this to the package then it should just work
on SE Linux systems.  If restorecon is installed it should in all situations work
without error.

--- /etc/init.d/mysql.orig	2015-10-14 17:01:49.978070080 +1100
+++ /etc/init.d/mysql	2015-10-14 17:01:51.534109169 +1100
@@ -104,6 +104,7 @@
 	else
 	    # Could be removed during boot
 	    test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld
+	    [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld
 
 	    # Start MySQL! 
   	    su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe > /dev/null 2>&1 &"
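Review bot: The added `[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld` line carries no comment on how it interacts with `set -e`, which the full init script on this page enables. A missing restorecon is harmless because the test is not the last command of the `&&` list, but a non-zero exit from restorecon itself stops the script before mysqld_safe is launched. If relabelling is meant to be best-effort, I would write `[ ! -x /sbin/restorecon ] || /sbin/restorecon /var/run/mysqld || log_warning_msg "restorecon /var/run/mysqld failed"`; if failing closed is intended, a comment such as `# SELinux: relabel the runtime dir; a restorecon failure aborts the start` would make that explicit. The same applies to the three restorecon calls in the postinst hunk, assuming that script also runs under `set -e`, which is not visible here. The enclosing `start` branch begins and ends outside the hunk.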
--- /var/lib/dpkg/info/mysql-server-5.6.postinst.orig	2015-10-14 17:05:33.007672611 +1100
+++ /var/lib/dpkg/info/mysql-server-5.6.postinst	2015-10-14 17:28:39.048604104 +1100
@@ -96,9 +96,18 @@
 
     # Ensure the existence and right permissions for the database and
     # log files.
-    if [ ! -d "$mysql_statedir"       -a ! -L "$mysql_statedir"       ]; then mkdir "$mysql_statedir"; fi
-    if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then mkdir "$mysql_statedir/mysql"; fi
-    if [ ! -d "$mysql_logdir"         -a ! -L "$mysql_logdir"         ]; then mkdir "$mysql_logdir"; fi
+    if [ ! -d "$mysql_statedir"       -a ! -L "$mysql_statedir"       ]; then
+	mkdir "$mysql_statedir"
+	[ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir"
+    fi
+    if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then
+	mkdir "$mysql_statedir/mysql"
+	[ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir/mysql"
+    fi
+    if [ ! -d "$mysql_logdir"         -a ! -L "$mysql_logdir"         ]; then
+	mkdir "$mysql_logdir"
+	[ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_logdir"
+    fi
     # When creating an ext3 jounal on an already mounted filesystem like e.g.
     # /var/lib/mysql, you get a .journal file that is not modifyable by chown.
     # The mysql_datadir must not be writable by the mysql user under any
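Review bot: The relabel happens only inside the three branches that create a directory, so an already existing `$mysql_statedir`, `$mysql_statedir/mysql` or `$mysql_logdir` that carries a wrong context is left as it is, whereas the init-script hunk relabels on every start. If that is deliberate, a comment above the first branch such as `# SELinux: label only the directories created here; existing ones are left alone` would record the decision; otherwise the restorecon calls could move below the three `if` blocks. The mkdir-plus-restorecon pair is also written out three times and could become a small helper, e.g. `make_dir() { mkdir "$1"; [ ! -x /sbin/restorecon ] || /sbin/restorecon "$1"; }`. The surrounding postinst code continues outside the hunk.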

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages mysql-server-5.6 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.57
ii  init-system-helpers    1.23
ii  initscripts            2.88dsf-59.2
ii  libaio1                0.3.110-2
ii  libc6                  2.19-22
ii  libdbi-perl            1.633-1
ii  libgcc1                1:5.2.1-19
ii  libstdc++6             5.2.1-19
ii  libwrap0               7.6.q-25
ii  lsb-base               9.20150917
ii  mysql-client-5.6       5.6.25-4
ii  mysql-common           5.6.25-4
ii  mysql-server-core-5.6  5.6.25-4
ii  passwd                 1:4.2-3
ii  perl                   5.20.2-6
ii  psmisc                 22.21-2.1
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages mysql-server-5.6 recommends:
pn  libhtml-template-perl  <none>

Versions of packages mysql-server-5.6 suggests:
ii  bsd-mailx [mailx]       8.1.2-0.20150408cvs-1
ii  heirloom-mailx [mailx]  12.5-5
pn  tinyca                  <none>

-- Configuration Files:
/etc/init.d/mysql changed:
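# Abort on any unhandled command failure and on use of an unset variable.
set -e
set -u
# Expands to "set -v -x" (verbose + trace) only when DEBIAN_SCRIPT_DEBUG is
# set and non-empty; otherwise it expands to nothing and is a no-op.
${DEBIAN_SCRIPT_DEBUG:+ set -v -x}

# Nothing to do when the server wrapper is absent or not executable.
test -x /usr/bin/mysqld_safe || exit 0

# "." is the POSIX source operator and takes the file as its argument.
# Presumably this file provides the log_* helpers used further down.
. /lib/lsb/init-functions

# Physical (symlink-resolved) directory of this script plus its file name;
# used by the restart action to re-invoke the script. Quoted so a path that
# contains whitespace or glob characters is not split or expanded.
SELF=$(cd "$(dirname "$0")"; pwd -P)/$(basename "$0")
CONF=/etc/mysql/my.cnf
# MYADMIN and ERR_LOGGER each hold a command together with its arguments;
# the code below expands them unquoted on purpose so they split into words.
MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mysql -i"

# Run from the root directory and create files without group/other access.
cd /
umask 077
# HOME is exported for every child process started from here on.
export HOME=/etc/mysql/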
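#######################################
# Print the value mysqld reports for one of its options.
# Arguments: $1 - option name without the leading "--" (e.g. datadir)
# Outputs:   everything after the first "=" of the last matching option;
#            nothing when no option matches
# Returns:   exit status of the last pipeline stage (cut); pipefail is not
#            enabled, so failures of earlier stages are not reported
#######################################
mysqld_get_param() {
	# tr turns every space into a newline so each option lands on its own
	# line; a value that itself contains a space is split at that point.
	# grep treats "--$1" as an unanchored regular expression, so an option
	# whose name merely starts with $1 matches as well.
	# tail keeps the last occurrence when the option is listed repeatedly.
	# cut uses -f2- (not -f2) so a value containing "=" is returned whole
	# instead of being truncated at its first "=".
	/usr/sbin/mysqld --print-defaults \
		| tr " " "\n" \
		| grep -- "--$1" \
		| tail -n 1 \
		| cut -d= -f2-
}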
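#######################################
# Pre-start checks: warn when the config file is unreadable and refuse to
# continue when the data directory's filesystem is nearly full.
# Globals:   ERR_LOGGER (read, expanded unquoted on purpose),
#            datadir (written)
# Outputs:   messages through the log_* helpers and through $ERR_LOGGER
# Returns:   0 when the free-space check passes; exits the script with
#            status 1 when 4096 blocks or fewer are available
#######################################
sanity_checks() {
  # check for config file
  if [ ! -r /etc/mysql/my.cnf ]; then
    log_warning_msg "$0: WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz"
    echo                "WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz" | $ERR_LOGGER
  fi

  # check for diskspace shortage
  datadir=$(mysqld_get_param datadir)
  # awk exits 1 when column 4 of the last df line (available blocks) is
  # above 4096 and 0 otherwise, so the "if" is taken when space is short.
  # An empty df output also leaves awk at exit 0 and is treated as "full".
  # The path is quoted: it comes from the server configuration and must not
  # be word-split or glob-expanded before it reaches df.
  if LC_ALL=C BLOCKSIZE= df --portability "$datadir/." | tail -n 1 | awk '{ exit ($4>4096) }'; then
    log_failure_msg "$0: ERROR: The partition with $datadir is too full!"
    echo                "ERROR: The partition with $datadir is too full!" | $ERR_LOGGER
    exit 1
  fi
}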
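#######################################
# Check whether the server is in the expected state.
# Globals:   MYADMIN, ERR_LOGGER (read, expanded unquoted on purpose);
#            ping_output, ping_alive, ps_alive, pidfile (written)
# Arguments: $1 - "check_alive" or "check_dead"
#            $2 - "warn" to log the details when the check fails
# Returns:   0 when check_alive was asked and the ping succeeded, or when
#            check_dead was asked and both the ping failed and no process
#            matched the pid file; 1 otherwise
#######################################
mysqld_status () {
    # The command substitution sits in an "if" so that a failing ping is
    # recorded as ping_alive=0 without depending on how the caller's set -e
    # treats a failed assignment.
    if ping_output=$($MYADMIN ping 2>&1); then
        ping_alive=1
    else
        ping_alive=0
    fi

    ps_alive=0
    pidfile=$(mysqld_get_param pid-file)
    # Both expansions are quoted: an empty pid file now gives ps an empty
    # argument (which it rejects) instead of no argument at all, which would
    # make a bare "ps" succeed and report a live process that does not exist.
    if [ -f "$pidfile" ] && ps "$(cat "$pidfile")" >/dev/null 2>&1; then ps_alive=1; fi

    if { [ "$1" = "check_alive" ] && [ "$ping_alive" = 1 ]; } ||
       { [ "$1" = "check_dead" ] && [ "$ping_alive" = 0 ] && [ "$ps_alive" = 0 ]; }; then
        return 0 # EXIT_SUCCESS
    else
        if [ "${2:-}" = "warn" ]; then
            # printf instead of "echo -e": -e is not portable across /bin/sh
            # implementations, and %s keeps backslashes in the ping output
            # from being interpreted as escapes.
            printf "%s processes alive and '%s ping' resulted in\n%s\n\n" \
                "$ps_alive" "$MYADMIN" "$ping_output" | $ERR_LOGGER -p daemon.debug
        fi
        return 1 # EXIT_FAILURE
    fi
}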
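# Dispatch on the requested action. Without an argument the default expands
# to the two-character string '' which matches no action and therefore ends
# in the usage branch.
case "${1:-''}" in
  'start')
    sanity_checks
    # Start daemon
    log_daemon_msg "Starting MySQL database server" "mysqld"
    if mysqld_status check_alive nowarn; then
      log_progress_msg "already running"
      log_end_msg 0
    else
      # Could be removed during boot
      test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld
      # SELinux: reset the security context of the runtime directory. A
      # missing restorecon is skipped without tripping set -e (the test is
      # not the last command of the && list); a non-zero exit from
      # restorecon itself aborts the start.
      [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld

      # Start MySQL!
      su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe > /dev/null 2>&1 &"

      # 6s was reported in #352070 to be too few when using ndbcluster
      # 14s was reported in #736452 to be too few with large installs
      for i in $(seq 1 30); do
        sleep 1
        if mysqld_status check_alive nowarn; then break; fi
        log_progress_msg "."
      done
      if mysqld_status check_alive warn; then
        log_end_msg 0
        # Now start mysqlcheck or whatever the admin wants.
        output=$(/etc/mysql/debian-start)
        [ -n "$output" ] && log_action_msg "$output"
      else
        log_end_msg 1
        log_failure_msg "Please take a look at the syslog"
      fi
    fi
    ;;

  'stop')
    # * As a passwordless mysqladmin (e.g. via ~/.my.cnf) must be possible
    # at least for cron, we can rely on it here, too. (although we have
    # to specify it explicit as e.g. sudo environments points to the normal
    # users home and not /root)
    log_daemon_msg "Stopping MySQL database server" "mysqld"
    if ! mysqld_status check_dead nowarn; then
      # set -e is lifted only around the shutdown call so that its exit
      # status can be captured in r instead of ending the script.
      set +e
      shutdown_out=$($MYADMIN shutdown 2>&1); r=$?
      set -e
      if [ "$r" -ne 0 ]; then
        log_end_msg 1
        # ${VERBOSE:-} instead of $VERBOSE: nothing in this script sets
        # VERBOSE, and under set -u an unset value would end the script
        # here, before the signal-based fallback below is reached.
        [ "${VERBOSE:-}" != "no" ] && log_failure_msg "Error: $shutdown_out"
        log_daemon_msg "Killing MySQL database server by signal" "mysqld"
        # SIGTERM first; SIGKILL only if the server is still up after
        # ten one-second polls.
        killall -15 mysqld
        server_down=
        for i in 1 2 3 4 5 6 7 8 9 10; do
          sleep 1
          if mysqld_status check_dead nowarn; then server_down=1; break; fi
        done
        if test -z "$server_down"; then killall -9 mysqld; fi
      fi
    fi

    if ! mysqld_status check_dead warn; then
      log_end_msg 1
      log_failure_msg "Please stop MySQL manually and read /usr/share/doc/mysql-server-5.6/README.Debian.gz!"
      # "exit -1" is not a valid POSIX exit status and some /bin/sh
      # implementations reject it; 255 is the status bash reports for it.
      exit 255
    else
      log_end_msg 0
    fi
    ;;

  'restart')
    # A failing stop must not prevent the following start.
    set +e; "$SELF" stop; set -e
    "$SELF" start
    ;;

  'reload'|'force-reload')
    log_daemon_msg "Reloading MySQL database server" "mysqld"
    $MYADMIN reload
    log_end_msg 0
    ;;

  'status')
    if mysqld_status check_alive nowarn; then
      log_action_msg "$($MYADMIN version)"
    else
      log_action_msg "MySQL is stopped."
      exit 3
    fi
    ;;

  *)
    echo "Usage: $SELF start|stop|restart|reload|force-reload|status"
    exit 1
    ;;
esac
exit 0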


-- debconf information:
  mysql-server-5.6/start_on_boot: true
  mysql-server/error_setting_password:
  mysql-server-5.6/postrm_remove_databases: false
  mysql-server/no_upgrade_when_using_ndb:
  mysql-server/password_mismatch:
  mysql-server-5.6/really_downgrade: false
  mysql-server-5.6/nis_warning:


