[debian-mysql] Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux
Russell Coker
russell at coker.com.au
Wed Oct 14 06:39:00 UTC 2015
Package: mysql-server-5.6
Version: 5.6.25-4
Severity: normal
Tags: patch
The below patch is one way of giving correct SE Linux labels to the critical MySQL
directories. If you add something like this to the package then it should just work
on SE Linux systems. If restorecon is installed it should in all situations work
without error.
--- /etc/init.d/mysql.orig 2015-10-14 17:01:49.978070080 +1100
+++ /etc/init.d/mysql 2015-10-14 17:01:51.534109169 +1100
@@ -104,6 +104,7 @@
else
# Could be removed during boot
test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld
+ [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld
# Start MySQL!
su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe > /dev/null 2>&1 &"
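Review bot: A non-zero exit from `/sbin/restorecon` on the added line ends the init script at that point, because the script runs under `set -e` (see the full listing later in this report), so mysqld is never started and the script prints no `log_end_msg` or failure message of its own. If a labelling failure should be visible rather than silently fatal, write the line as `if [ -x /sbin/restorecon ]; then /sbin/restorecon /var/run/mysqld || log_warning_msg "$0: restorecon /var/run/mysqld failed"; fi`. The same `[ -x … ] && restorecon` form appears three times in the postinst hunk; if that script also runs with `set -e` (not visible here), a failure there would abort package configuration. The enclosing `start` branch begins and ends outside the hunk.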
--- /var/lib/dpkg/info/mysql-server-5.6.postinst.orig 2015-10-14 17:05:33.007672611 +1100
+++ /var/lib/dpkg/info/mysql-server-5.6.postinst 2015-10-14 17:28:39.048604104 +1100
@@ -96,9 +96,18 @@
# Ensure the existence and right permissions for the database and
# log files.
- if [ ! -d "$mysql_statedir" -a ! -L "$mysql_statedir" ]; then mkdir "$mysql_statedir"; fi
- if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then mkdir "$mysql_statedir/mysql"; fi
- if [ ! -d "$mysql_logdir" -a ! -L "$mysql_logdir" ]; then mkdir "$mysql_logdir"; fi
+ if [ ! -d "$mysql_statedir" -a ! -L "$mysql_statedir" ]; then
+ mkdir "$mysql_statedir"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir"
+ fi
+ if [ ! -d "$mysql_statedir/mysql" -a ! -L "$mysql_statedir/mysql" ]; then
+ mkdir "$mysql_statedir/mysql"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_statedir/mysql"
+ fi
+ if [ ! -d "$mysql_logdir" -a ! -L "$mysql_logdir" ]; then
+ mkdir "$mysql_logdir"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$mysql_logdir"
+ fi
# When creating an ext3 jounal on an already mounted filesystem like e.g.
# /var/lib/mysql, you get a .journal file that is not modifyable by chown.
# The mysql_datadir must not be writable by the mysql user under any
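Review bot: The create-then-relabel sequence is now written out three times, for `$mysql_statedir`, `$mysql_statedir/mysql` and `$mysql_logdir`, so any later change to the labelling step has to be repeated in each copy; a small helper that takes the path keeps them identical. Only directories created in this run are relabelled, and a path that already exists (or is a symlink) keeps whatever label it has, so the helper should carry a comment saying that this is intended. The helper below also replaces the deprecated `-a` inside `[ ]` with two tests joined by `&&`, and uses an explicit `if` around restorecon. The surrounding postinst code starts and ends outside the hunk.

```shell
# Create the directory named by $1 if it is neither a directory nor a
# symlink, then give the new directory its default SE Linux label.
# Paths that already exist are deliberately left untouched.
ensure_labelled_dir() {
  if [ ! -d "$1" ] && [ ! -L "$1" ]; then
    mkdir "$1"
    if [ -x /sbin/restorecon ]; then
      /sbin/restorecon "$1"
    fi
  fi
}

ensure_labelled_dir "$mysql_statedir"
ensure_labelled_dir "$mysql_statedir/mysql"
ensure_labelled_dir "$mysql_logdir"
# … unchanged: ext3 .journal comment and the code that follows …
```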
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages mysql-server-5.6 depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.57
ii init-system-helpers 1.23
ii initscripts 2.88dsf-59.2
ii libaio1 0.3.110-2
ii libc6 2.19-22
ii libdbi-perl 1.633-1
ii libgcc1 1:5.2.1-19
ii libstdc++6 5.2.1-19
ii libwrap0 7.6.q-25
ii lsb-base 9.20150917
ii mysql-client-5.6 5.6.25-4
ii mysql-common 5.6.25-4
ii mysql-server-core-5.6 5.6.25-4
ii passwd 1:4.2-3
ii perl 5.20.2-6
ii psmisc 22.21-2.1
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages mysql-server-5.6 recommends:
pn libhtml-template-perl <none>
Versions of packages mysql-server-5.6 suggests:
ii bsd-mailx [mailx] 8.1.2-0.20150408cvs-1
ii heirloom-mailx [mailx] 12.5-5
pn tinyca <none>
-- Configuration Files:
/etc/init.d/mysql changed:
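# Stop on any unhandled command failure and on any use of an unset variable.
set -e
set -u
# Expands to "set -v -x" (verbose + trace) only when DEBIAN_SCRIPT_DEBUG is
# set and non-empty; otherwise it expands to nothing and is a no-op.
${DEBIAN_SCRIPT_DEBUG:+ set -v -x}

# Nothing to manage if the server wrapper is not installed.
test -x /usr/bin/mysqld_safe || exit 0

# Source the LSB helper library; presumably this is where the log_* functions
# used below come from.  (The listing showed ".." here, which is not a
# command; the POSIX "source" operator is a single dot.)
. /lib/lsb/init-functions

# Absolute path of this script, used to re-invoke it for "restart".
# Quoted so that a path containing spaces or glob characters stays intact.
SELF=$(cd "$(dirname "$0")"; pwd -P)/$(basename "$0")
CONF=/etc/mysql/my.cnf
# MYADMIN and ERR_LOGGER hold a command plus its arguments and are expanded
# unquoted on purpose so the shell splits them into words.
# mysqladmin takes its connection options from /etc/mysql/debian.cnf.
MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
# Messages go to syslog at daemon.err, tagged with this script's path and PID.
ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mysql -i"

# Run from / so the script does not depend on the caller's working directory.
cd /
# Anything this script (or a child inheriting the mask) creates is
# accessible to its owner only.
umask 077
export HOME=/etc/mysql/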
#######################################
# Print one mysqld option value as reported by "mysqld --print-defaults".
# Arguments: $1 - option name without the leading "--" (e.g. datadir)
# Outputs:   for the last word that matches, the second "="-separated field;
#            nothing when no word matches.
# Notes:     the output is split on every space, so a value containing
#            spaces is cut apart; $1 is used as a grep pattern matched
#            anywhere in the word, not as an exact option name.
#######################################
mysqld_get_param() {
  /usr/sbin/mysqld --print-defaults |
    tr ' ' '\n' |
    grep -- "--$1" |
    tail -n 1 |
    cut -d '=' -f 2
}
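#######################################
# Pre-start checks: warn if the configuration file is unreadable and refuse
# to start when the data directory's filesystem is nearly full.
# Globals:   ERR_LOGGER (read, expanded unquoted on purpose);
#            datadir (written)
# Arguments: none
# Returns:   returns normally when the checks pass; calls "exit 1" (ending
#            the whole script) when free space is too low.
#######################################
sanity_checks() {
  # check for config file
  if [ ! -r /etc/mysql/my.cnf ]; then
    log_warning_msg "$0: WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz"
    echo "WARNING: /etc/mysql/my.cnf cannot be read. See README.Debian.gz" | $ERR_LOGGER
  fi

  # check for diskspace shortage
  # If mysqld_get_param prints nothing, the path below becomes "/." and the
  # root filesystem is what gets checked.
  datadir=$(mysqld_get_param datadir)
  # The path is quoted so a data directory containing spaces or glob
  # characters is passed to df as one argument.
  # awk exits 1 when column 4 (available blocks) is above 4096, which makes
  # the "if" false; 4096 or fewer available blocks takes the error branch.
  # NOTE(review): block size presumably 1 KiB (about 4 MiB) - confirm.
  if LC_ALL=C BLOCKSIZE= df --portability "$datadir/." | tail -n 1 | awk '{ exit ($4>4096) }'; then
    log_failure_msg "$0: ERROR: The partition with $datadir is too full!"
    echo "ERROR: The partition with $datadir is too full!" | $ERR_LOGGER
    exit 1
  fi
}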
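#######################################
# Report whether the server is in the requested state.
# Globals:   MYADMIN, ERR_LOGGER (read, expanded unquoted on purpose);
#            ping_output, ping_alive, ps_alive, pidfile, pidfile_pid (written)
# Arguments: $1 - "check_alive": succeed when "$MYADMIN ping" succeeds
#                 "check_dead":  succeed when the ping fails AND no process
#                                with the PID from the pid file exists
#            $2 - "warn" to log a diagnostic when the state does not match;
#                 any other value stays silent
# Returns:   0 when the state matches, 1 otherwise
#######################################
mysqld_status () {
  # $? must be read immediately after the command substitution, so both
  # statements stay on one line.  Exit status 0 (ping succeeded) becomes
  # ping_alive=1, anything else becomes 0.
  ping_output=$($MYADMIN ping 2>&1); ping_alive=$(( ! $? ))

  ps_alive=0
  pidfile=$(mysqld_get_param pid-file)

  # The pid file is written by the server, not by this script, so its content
  # is validated before it is handed to ps: only a bare decimal number is
  # accepted.  Anything else is treated as "no such process".
  pidfile_pid=
  if [ -f "$pidfile" ]; then
    # read returns non-zero when the last line has no newline but still
    # fills the variable, hence the "|| true".
    read -r pidfile_pid < "$pidfile" || true
  fi
  case "$pidfile_pid" in
    '' | *[!0-9]*) ;;
    *)
      if ps "$pidfile_pid" >/dev/null 2>&1; then ps_alive=1; fi
      ;;
  esac

  if { [ "$1" = "check_alive" ] && [ "$ping_alive" = 1 ]; } ||
     { [ "$1" = "check_dead" ] && [ "$ping_alive" = 0 ] && [ "$ps_alive" = 0 ]; }; then
    return 0 # EXIT_SUCCESS
  else
    if [ "$2" = "warn" ]; then
      # printf with %s logs the ping output verbatim; backslash sequences in
      # it are not interpreted, and no shell-specific "echo -e" is needed.
      printf "%s processes alive and '%s ping' resulted in\n%s\n\n" \
        "$ps_alive" "$MYADMIN" "$ping_output" | $ERR_LOGGER -p daemon.debug
    fi
    return 1 # EXIT_FAILURE
  fi
}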
# Dispatch on the requested action ($1).  When no argument is given the
# default is the literal two-character string '' (the single quotes sit
# inside double quotes), which matches none of the named actions and ends up
# in the usage branch.
case "${1:-''}" in
'start')
sanity_checks;
# Start daemon
log_daemon_msg "Starting MySQL database server" "mysqld"
if mysqld_status check_alive nowarn; then
log_progress_msg "already running"
log_end_msg 0
else
# Could be removed during boot
# Recreate the runtime directory (mode 755, owner mysql, group root) when
# it does not exist.
test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld
# Reset the directory's SE Linux label when restorecon is available.
# A missing restorecon is harmless here: a failing test on the left of &&
# does not trigger set -e.
# NOTE(review): set -e is in effect for this script, so a non-zero exit from
# restorecon itself ends the script here, before the server is started and
# without a log_end_msg - confirm that is intended.
[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/mysqld
# Start MySQL!
# mysqld_safe is launched as the mysql user, in the background, with its
# output discarded.
su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe > /dev/null 2>&1 &"
# 6s was reported in #352070 to be too few when using ndbcluster
# 14s was reported in #736452 to be too few with large installs
# Poll once per second, at most 30 times, until the server answers a ping.
for i in $(seq 1 30); do
sleep 1
if mysqld_status check_alive nowarn ; then break; fi
log_progress_msg "."
done
if mysqld_status check_alive warn; then
log_end_msg 0
# Now start mysqlcheck or whatever the admin wants.
output=$(/etc/mysql/debian-start)
# Show the hook's output only when there is any; an empty $output makes the
# test fail, which inside an && list does not trigger set -e.
[ -n "$output" ] && log_action_msg "$output"
else
log_end_msg 1
log_failure_msg "Please take a look at the syslog"
fi
fi
;;
'stop')
# * As a passwordless mysqladmin (e.g. via ~/.my.cnf) must be possible
# at least for cron, we can rely on it here, too. (although we have
# to specify it explicit as e.g. sudo environments points to the normal
# users home and not /root)
log_daemon_msg "Stopping MySQL database server" "mysqld"
if ! mysqld_status check_dead nowarn; then
# errexit is switched off so that a failing shutdown can be inspected
# through $r instead of ending the script.
set +e
shutdown_out=`$MYADMIN shutdown 2>&1`; r=$?
set -e
if [ "$r" -ne 0 ]; then
log_end_msg 1
# NOTE(review): VERBOSE is not assigned anywhere in this file; presumably
# the sourced init-functions provide it.  With set -u an unset VERBOSE
# would be an error on this line - confirm.
[ "$VERBOSE" != "no" ] && log_failure_msg "Error: $shutdown_out"
log_daemon_msg "Killing MySQL database server by signal" "mysqld"
# Escalation: signal 15 (SIGTERM) first, up to ten one-second checks, then
# signal 9 (SIGKILL) if the server is still there.  killall selects by
# process name, so every process named mysqld receives the signal.
killall -15 mysqld
server_down=
for i in 1 2 3 4 5 6 7 8 9 10; do
sleep 1
if mysqld_status check_dead nowarn; then server_down=1; break; fi
done
if test -z "$server_down"; then killall -9 mysqld; fi
fi
fi
if ! mysqld_status check_dead warn; then
log_end_msg 1
log_failure_msg "Please stop MySQL manually and read /usr/share/doc/mysql-server-5.6/README.Debian.gz!"
# NOTE(review): -1 is outside the 0-255 exit status range; bash reports it
# as 255, other shells may reject the argument.
exit -1
else
log_end_msg 0
fi
;;
'restart')
# A failing "stop" must not prevent the "start" that follows, so errexit is
# off around it.  $SELF is the script's own resolved path.
set +e; $SELF stop; set -e
$SELF start
;;
'reload'|'force-reload')
log_daemon_msg "Reloading MySQL database server" "mysqld"
# With set -e a failing reload ends the script before log_end_msg 0 runs.
$MYADMIN reload
log_end_msg 0
;;
'status')
if mysqld_status check_alive nowarn; then
log_action_msg "$($MYADMIN version)"
else
log_action_msg "MySQL is stopped."
# Exit status 3 is the LSB init-script code for "program is not running".
exit 3
fi
;;
*)
# Unknown or missing action: print usage and fail.
echo "Usage: $SELF start|stop|restart|reload|force-reload|status"
exit 1
;;
esac
exit 0
-- debconf information:
mysql-server-5.6/start_on_boot: true
mysql-server/error_setting_password:
mysql-server-5.6/postrm_remove_databases: false
mysql-server/no_upgrade_when_using_ndb:
mysql-server/password_mismatch:
mysql-server-5.6/really_downgrade: false
mysql-server-5.6/nis_warning: