[debian-mysql] Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux

Russell Coker russell at coker.com.au
Thu Oct 15 02:19:23 UTC 2015 

On Wed, 14 Oct 2015 11:35:25 PM Robie Basak wrote:
> These sounds like quite a maintenance burden to me. It seems almost
> certain to me that this will regress if packaging changes, as it's
> unlikely that maintainers will remember to keep all the restorecon calls
> up to date.

Every feature which is not actively used by the package maintainer is at risk 
of regression.  But there are ways of making this easier.

Every directory that is in a Debian package has it's context set by dpkg.  So 
if you were to add /var/lib/mysql/mysql and /var/log/mysql to the package then 
they would have their context set correctly.

For /var/run directories if you add them to a systemd-tmpfiles configuration 
they will get the right context.  Add a file named /usr/lib/tmpfiles.d/mysql-
server.conf with the following contents:
D /var/run/mysqld 0755 mysql root

With those changes (adding directories to packages and using systemd-tmpfiles) 
there would be no risk of regression and no SE Linux specific code in your 
package.

Systemd is now the default init system in Debian so eventually you have to 
write a systemd service file for mysql.  When you do that you have to use the 
tmpfiles.d configuration which will solve this issue.  I'd be happy if you just 
told everyone who uses MySQL on SE Linux to use systemd and didn't bother 
fixing the old SysVInit script.  But while MySQL users are forced to start the 
daemon in the old way it would be good to make it work properly on SE Linux.

> Is there documentation somewhere that explains why this is the right way
> to approach this? Is there any consensus across Debian that you can
> refer to that says that this is the right thing to do?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801752

I consider all the other packages that have such patches to be indication of 
consensus of support for this.  In a comment on the above bug Jaldhar has 
committed to making a similar change to Dovecot.  That's just the latest bug 
report of this nature that I've filed.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

More information about the pkg-mysql-maint mailing list