SELinux and LD_PRELOAD (or: testing TokuDB on Percona Server)
Posted Sep 19 2014, 05:55 by William Shallum [updated Sep 19 2014, 06:02]
I was testing TokuDB on Percona Server 5.6 in a VM running CentOS 6. The OS has SELinux enforcing.
Instructions for installing are here: http://www.percona.com/doc/percona-server/5.6/tokudb/tokudb_installation.html
The commands required to install the TokuDB engine are:
INSTALL PLUGIN tokudb SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_file_map SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_fractal_tree_info SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_fractal_tree_block_map SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_trx SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_locks SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_lock_waits SONAME 'ha_tokudb.so';
However, the first one always fails with this error in the MySQL log file:
[ERROR] TokuDB is not initialized because jemalloc is not loaded
I checked mysqld_safe, and the script that comes with Percona Server already seems to preload libjemalloc.
I checked /proc/$mysqld_pid/environ, and LD_PRELOAD already contains the path to jemalloc, but in /proc/$mysqld_pid/maps there is no jemalloc library.
Checking the audit log shows no deny entries. However, running with setenforce 0 results in jemalloc being loaded.
The reason for this is that mysqld_safe transitions from mysqld_safe_t to mysqld_t when it executes mysqld, and by default SELinux sets AT_SECURE on such a domain transition; the dynamic linker then runs in secure-execution mode and ignores the LD_PRELOAD path (details here: http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/)
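The following is an added example (Python), not code from the post or from Percona. It automates the check the post does by hand: it reads LD_PRELOAD from /proc/<pid>/environ, the file-backed mappings from /proc/<pid>/maps and the AT_SECURE entry from /proc/<pid>/auxv, then applies glibc's secure-execution rule that any LD_PRELOAD entry containing a slash is ignored when AT_SECURE is set. The sample environ, maps and auxv contents are constructed to mirror the situation above; diagnose_pid() runs the same logic against a live process.

```python
"""Check whether a process's LD_PRELOAD libraries were actually loaded.

Added example, not code from the original post or from Percona.  It
compares LD_PRELOAD in /proc/<pid>/environ with the file-backed mappings
in /proc/<pid>/maps, and reads AT_SECURE from /proc/<pid>/auxv to tell
whether the dynamic linker ran in secure-execution mode.  In that mode
glibc's ld.so drops every LD_PRELOAD entry containing a slash, which is
what happens to a full path such as /usr/lib64/libjemalloc.so.1 after an
SELinux domain transition without noatsecure.  All sample data below is
constructed.
"""
import os
import struct
from typing import Dict, List

AT_NULL = 0      # terminates the auxiliary vector
AT_SECURE = 23   # 1 if the loader must run in secure-execution mode


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:  # skips the empty trailing record
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def parse_auxv(raw: bytes, wordsize: int = 8) -> Dict[int, int]:
    """Parse /proc/<pid>/auxv: native-width (type, value) pairs up to AT_NULL."""
    fmt = "=QQ" if wordsize == 8 else "=II"
    size = struct.calcsize(fmt)
    auxv: Dict[int, int] = {}
    for a_type, a_val in struct.iter_unpack(fmt, raw[: len(raw) - len(raw) % size]):
        if a_type == AT_NULL:
            break
        auxv[a_type] = a_val
    return auxv


def preload_entries(ld_preload: str) -> List[str]:
    """LD_PRELOAD is a list of objects separated by spaces or colons."""
    return ld_preload.replace(":", " ").split()


def honoured_preloads(entries: List[str], at_secure: bool) -> List[str]:
    """Entries ld.so will consider.  With AT_SECURE=1 any entry containing a
    slash is ignored; the remaining bare names are only searched in the
    standard library directories."""
    if not at_secure:
        return list(entries)
    return [e for e in entries if "/" not in e]


def mapped_paths(maps_text: str) -> List[str]:
    """Paths of file-backed mappings in /proc/<pid>/maps; anonymous mappings
    and pseudo-paths such as [stack] are skipped."""
    paths: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.append(fields[5])
    return paths


def diagnose(environ_raw: bytes, maps_text: str, auxv_raw: bytes) -> Dict[str, object]:
    """Report which LD_PRELOAD entries are missing from the process and why."""
    requested = preload_entries(parse_environ(environ_raw).get("LD_PRELOAD", ""))
    at_secure = parse_auxv(auxv_raw).get(AT_SECURE, 0) == 1
    considered = honoured_preloads(requested, at_secure)
    mapped_names = {os.path.basename(p) for p in mapped_paths(maps_text)}
    return {
        "at_secure": at_secure,
        "requested": requested,
        "dropped_by_secure_mode": [e for e in requested if e not in considered],
        "not_mapped": [e for e in requested if os.path.basename(e) not in mapped_names],
    }


def diagnose_pid(pid: int) -> Dict[str, object]:
    """Run the check against a live process (needs read access to its /proc files)."""
    with open(f"/proc/{pid}/environ", "rb") as e, open(f"/proc/{pid}/maps") as m, \
            open(f"/proc/{pid}/auxv", "rb") as a:
        return diagnose(e.read(), m.read(), a.read())


# Constructed sample modelled on the post: LD_PRELOAD names jemalloc by full
# path, AT_SECURE is 1 after the domain transition, and jemalloc is not mapped.
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/usr/lib64/libjemalloc.so.1\0HOME=/var/lib/mysql\0"
SAMPLE_MAPS = """\
00400000-01234000 r-xp 00000000 fd:01 1234                       /usr/sbin/mysqld
7f0000000000-7f0000200000 r-xp 00000000 fd:01 5678               /lib64/libc-2.12.so
7f0000400000-7f0000401000 rw-p 00000000 00:00 0
7fffe0000000-7fffe0021000 rw-p 00000000 00:00 0                  [stack]
"""
SAMPLE_AUXV = struct.pack("=QQ", AT_SECURE, 1) + struct.pack("=QQ", AT_NULL, 0)

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_AUXV).items():
        print(f"{key}: {value}")
```

On the sample data the report shows at_secure True and the jemalloc path listed both as dropped by secure mode and as not mapped, which is the combination that points at the domain transition rather than at a missing or unreadable library. A library that is absent from maps while at_secure is False would instead suggest a wrong path in LD_PRELOAD or a library that failed to load for another reason.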
To fix this, add the following SELinux policy module:
module mysqld_safe_preload 0.1;

require {
    type mysqld_safe_t;
    type mysqld_t;
    class process { noatsecure };
}

allow mysqld_safe_t mysqld_t:process { noatsecure };
This ensures that SELinux does not set AT_SECURE when mysqld_safe_t executes mysqld and transitions to mysqld_t, so the dynamic linker honours LD_PRELOAD and jemalloc is loaded.