William Shallum

SELinux and LD_PRELOAD (or: testing TokuDB on Percona Server)

Posted Sep 19 2014, 05:55 by William Shallum [updated Sep 19 2014, 06:02]

I was testing TokuDB on Percona Server 5.6 in a VM running CentOS 6. The OS has SELinux enforcing.

Instructions for installing are here: http://www.percona.com/doc/percona-server/5.6/tokudb/tokudb_installation.html

The commands required to install the TokuDB engine are:

INSTALL PLUGIN tokudb SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_file_map SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_fractal_tree_info SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_fractal_tree_block_map SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_trx SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_locks SONAME 'ha_tokudb.so';
INSTALL PLUGIN tokudb_lock_waits SONAME 'ha_tokudb.so';

However, the first one always fails with this error in the MySQL log file:

[ERROR] TokuDB is not initialized because jemalloc is not loaded

I checked mysqld_safe and the script coming with Percona Server already seems to preload libjemalloc.

I checked /proc/$mysqld_pid/environ and LD_PRELOAD already contains the path to jemalloc, but in /proc/$mysqld_pid/maps there is no jemalloc library.

The audit log shows no deny entries. However, running with setenforce 0 results in jemalloc getting loaded.

The reason is that mysqld_safe transitions from mysqld_safe_t to mysqld_t when it runs mysqld, and on a domain transition SELinux sets AT_SECURE by default, which causes LD_PRELOAD to be ignored (details here: http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/).

To fix:

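module mysqld_safe_preload 0.1;
# Types and permission this module refers to; they are defined by the base policy.
require {
    type mysqld_safe_t;
    type mysqld_t;
    class process { noatsecure } ;
}
# Do not force secure-execution mode when mysqld_safe_t transitions to mysqld_t.
allow mysqld_safe_t mysqld_t:process { noatsecure };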

This ensures that AT_SECURE is not set by SELinux when mysqld_safe_t executes mysqld and transitions to mysqld_t.
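
The manual check above (LD_PRELOAD present in environ, library absent from maps) can be scripted together with a direct read of AT_SECURE from /proc/<pid>/auxv. This is an added example, not code from the original post; the function names and the sample data are constructed, and it assumes the target process has the same word size as the Python interpreter.

```python
import os
import struct
import sys

AT_NULL, AT_SECURE = 0, 23  # auxv keys from <elf.h>
WORDPAIR = struct.Struct("@LL")  # one auxv entry: (key, value) as native unsigned longs

def preload_entries(environ):
    """Paths listed in LD_PRELOAD inside a raw /proc/<pid>/environ blob."""
    for var in environ.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            value = os.fsdecode(var.split(b"=", 1)[1])
            return value.replace(":", " ").split()  # ld.so splits on ':' and ' '
    return []

def mapped_files(maps):
    """Absolute paths of the files mapped according to /proc/<pid>/maps."""
    fields = (line.split(None, 5) for line in maps.splitlines())
    return {f[5].strip() for f in fields if len(f) == 6 and f[5].startswith("/")}

def at_secure(auxv):
    """AT_SECURE value from a raw /proc/<pid>/auxv blob, or None if absent."""
    usable = len(auxv) - len(auxv) % WORDPAIR.size
    return dict(WORDPAIR.iter_unpack(auxv[:usable])).get(AT_SECURE)

def diagnose(environ, maps, auxv):
    """Return (AT_SECURE, LD_PRELOAD entries that are not mapped)."""
    loaded = mapped_files(maps)
    missing = [p for p in preload_entries(environ)
               if os.path.realpath(p) not in loaded]  # maps shows resolved paths
    return at_secure(auxv), missing

# Constructed sample of a process in the state described above.
SAMPLE = (
    b"HOME=/root\0LD_PRELOAD=/constructed/lib/libjemalloc.so.1\0",
    "00400000-00b00000 r-xp 00000000 fd:00 1234 /usr/sbin/mysqld\n"
    "7f0000000000-7f0000200000 r-xp 00000000 fd:00 5678 /lib64/libc-2.12.so\n",
    struct.pack("@LLLLLL", 6, 4096, AT_SECURE, 1, AT_NULL, 0),
)

if __name__ == "__main__":  # as root: script.py <pid>; without a pid, uses SAMPLE
    args = SAMPLE
    if len(sys.argv) > 1:
        e, m, a = (open("/proc/%s/%s" % (sys.argv[1], n), "rb").read()
                   for n in ("environ", "maps", "auxv"))
        args = (e, m.decode(), a)
    print("AT_SECURE=%s, not mapped: %s" % diagnose(*args))
```

After the policy module is loaded and mysqld restarted, the same check should report AT_SECURE as 0 and an empty list.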