[debian-mysql] Bug#801746: mysql-server-5.6: Please run restorecon on directories you create (at boot and postinst) so it works with SE Linux
Russell Coker
russell at coker.com.au
Thu Oct 15 02:19:23 UTC 2015
On Wed, 14 Oct 2015 11:35:25 PM Robie Basak wrote:
> This sounds like quite a maintenance burden to me. It seems almost
> certain to me that this will regress if packaging changes, as it's
> unlikely that maintainers will remember to keep all the restorecon calls
> up to date.
Every feature which is not actively used by the package maintainer is at risk
of regression. But there are ways of making this easier.
Every directory that is in a Debian package has its context set by dpkg. So
if you were to add /var/lib/mysql/mysql and /var/log/mysql to the package then
they would have their context set correctly.
For /var/run directories if you add them to a systemd-tmpfiles configuration
they will get the right context. Add a file named
/usr/lib/tmpfiles.d/mysql-server.conf with the following contents:
D /var/run/mysqld 0755 mysql root
With those changes (adding directories to packages and using systemd-tmpfiles)
there would be no risk of regression and no SE Linux specific code in your
package.
Systemd is now the default init system in Debian so eventually you have to
write a systemd service file for mysql. When you do that you have to use the
tmpfiles.d configuration which will solve this issue. I'd be happy if you just
told everyone who uses MySQL on SE Linux to use systemd and didn't bother
fixing the old SysVInit script. But while MySQL users are forced to start the
daemon in the old way it would be good to make it work properly on SE Linux.
> Is there documentation somewhere that explains why this is the right way
> to approach this? Is there any consensus across Debian that you can
> refer to that says that this is the right thing to do?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801752
I consider all the other packages that have such patches to be indication of
consensus of support for this. In a comment on the above bug Jaldhar has
committed to making a similar change to Dovecot. That's just the latest bug
report of this nature that I've filed.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/