Flash cache causing selinux errors


Norman Elton

Jul 27, 2011, 9:21:28 AM
to Percona Discussion
We're running server 5.1.57 on a RHEL6 box. We've changed our data
directory to /raid/mysql, and relabeled that directory to
system_u:object_r:mysqld_db_t:s0 as per RedHat's directions
(http://tinyurl.com/295npgn). Unfortunately, the server fails to start. In my
audit log, I see some suspicious looking errors:

type=AVC msg=audit(1311768923.574:64695): avc: denied { read } for
pid=9047 comm="mysqld" name="dm-2" dev=devtmpfs ino=11525
scontext=unconfined_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1311768923.574:64695): avc: denied { open } for
pid=9047 comm="mysqld" name="dm-2" dev=devtmpfs ino=11525
scontext=unconfined_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1311768923.574:64696): avc: denied { write } for
pid=9047 comm="mysqld" path="/dev/dm-2" dev=devtmpfs ino=11525
scontext=unconfined_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1311768923.574:64696): avc: denied { sys_rawio }
for pid=9047 comm="mysqld" capability=17
scontext=unconfined_u:system_r:mysqld_t:s0
tcontext=unconfined_u:system_r:mysqld_t:s0 tclass=capability

At this point, the server stops. A little research indicates this may
be flashcache firing up. Is it possible to run the Percona server
without flashcache? Any other ideas?

Thanks!

Norman
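An added example (not from the thread): a small parser that reads AVC records like the ones quoted above and groups the denied permissions by source type, target type and object class. Seeing "mysqld_t -> fixed_disk_device_t (blk_file): open read write" at a glance is the first step before deciding whether a label is wrong, whether a local policy module is warranted, or whether the access is unexpected and worth investigating. The sample input is the post's own four records, joined onto single lines.

```python
import re
from collections import defaultdict

# Sample input: the four AVC records from the post above, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1311768923.574:64695): avc: denied { read } for pid=9047 comm="mysqld" name="dm-2" dev=devtmpfs ino=11525 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1311768923.574:64695): avc: denied { open } for pid=9047 comm="mysqld" name="dm-2" dev=devtmpfs ino=11525 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1311768923.574:64696): avc: denied { write } for pid=9047 comm="mysqld" path="/dev/dm-2" dev=devtmpfs ino=11525 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1311768923.574:64696): avc: denied { sys_rawio } for pid=9047 comm="mysqld" capability=17 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:mysqld_t:s0 tclass=capability
"""

# Header of an AVC denial: timestamp, serial, the braced permission list, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)'
)
# key=value pairs; values may be quoted (comm="mysqld") or bare (tclass=blk_file).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # Whatever identifies the object: a path, a name, or a capability number.
        'target': fields.get('path') or fields.get('name') or fields.get('capability'),
    }

def selinux_type(ctx):
    """Extract the type field from a user:role:type:level context string."""
    return ctx.split(':')[2]

def summarize(log_text):
    """Map (source type, target type, object class) -> sorted list of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
            summary[key].update(rec['perms'])
    return {k: sorted(v) for k, v in summary.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
```

On a live system the same function can be fed the output of `ausearch -m AVC` instead of the embedded sample.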

Aurimas Mikalauskas

Jul 27, 2011, 11:28:36 AM
to percona-d...@googlegroups.com
Norman,

This is most likely a wrong assumption; you are probably just seeing this informational message, which looks like an error:

https://bugs.launchpad.net/percona-server/+bug/747032

What I think is actually happening is your security system (SELinux?) blocking access to /raid/mysql for MySQL; you should either properly configure the security system or disable it altogether.

Aurimas

--
Aurimas Mikalauskas, Principal Consultant, Percona Inc.
Lithuania, Eastern Europe (GMT +2)
+1 888 401 3401 | Aurimas x503 | 24x7 Help x911

Join us at Percona Live London!
http://www.percona.com/live/london-2011/

Aurimas Mikalauskas

Jul 27, 2011, 12:41:50 PM
to percona-d...@googlegroups.com
I may have spoken too soon and in fact I have missed the subject, sorry about that. What is dm-2 exactly in your case? Can you run mysqld under strace and see what it is actually trying to open here?

Aurimas

Norman Elton

Jul 28, 2011, 11:35:26 AM
to percona-d...@googlegroups.com
Aurimas,

I fear you may have been right. My knowledge of device-mapper is
pretty anemic, but it appears that dm-2 points to the logical volume
mounted to /raid, the partition containing /raid/mysql (my datadir).
So perhaps MySQL is just trying to write to its own data directory,
which should theoretically be allowed, but for whatever reason, is
not.

Any other ideas? I fear I may be about to jump down a SELinux rabbit-hole.

Norman

Baron Schwartz

Jul 28, 2011, 2:58:32 PM
to percona-d...@googlegroups.com
Norman,

My experience with SELinux is that it is best to disable it. SELinux
can not only be extremely difficult to administer and configure, but
anecdotally, it causes a pretty significant performance impact on
MySQL. And it's not clear to me that the attack vectors it
theoretically helps prevent are worth the trade-off. I fear that a
system administrator who fights with SELinux to get MySQL working may
actually leave the system in an unknown or unclean state, and end up
making the system less secure, through failed attempts to fix it.

- Baron
