Running AlmaLinux 9.2 and MariaDB 10.11.
Trying to use in my.cnf:
tmpdir = /dev/shm
This works fine when PHP-FPM is connecting using TCP port.
Now trying to use the faster socket (/var/lib/mysql/mysql.sock) from PHP-FPM.
This doesn't work out of the box; I had to apply the workaround mentioned in https://jira.mariadb.org/browse/MDEV-30520:
chcon -t mysqld_exec_t /usr/sbin/mariadbd
After that MariaDB won't start, because it cannot access /dev/shm.
Then allowed access to tmpfs file context using mysqld_tmpfs.te policy per https://mariadb.com/kb/en/selinux/#allowing-access-to-the-tmpfs-file-context:
module mysqld_tmpfs 1.0;
require {
type tmpfs_t;
type mysqld_t;
class dir { write search read remove_name open getattr add_name };
class file { write getattr read lock create unlink open };
}
allow mysqld_t tmpfs_t:dir { write search read remove_name open getattr add_name };
allow mysqld_t tmpfs_t:file { write getattr read lock create unlink open };
MariaDB now runs, but when it tries to create temp files I see the following errors using ausearch -c 'mariadbd' --raw:
type=AVC msg=audit(1690215382.357:58492): avc: denied { map } for pid=602807 comm="mariadbd" path="/dev/shm/#sql-temptable-932b7-22f-62.MAD" dev="tmpfs" ino=1183 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1690215382.357:58492): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=7 a2=3 a3=4001 items=0 ppid=1 pid=602807 auid=4294967295 uid=986 gid=985 euid=986 suid=986 fsuid=986 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm="mariadbd" exe="/usr/sbin/mariadbd" subj=system_u:system_r:mysqld_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="mysql" GID="mysql" EUID="mysql" SUID="mysql" FSUID="mysql" EGID="mysql" SGID="mysql" FSGID="mysql"
type=PROCTITLE msg=audit(1690215382.357:58492): proctitle="/usr/sbin/mariadbd"
or in human readable form:
SELinux is preventing /usr/sbin/mariadbd from map access on the file /dev/shm/#sql-temptable-932b7-22f-62.MAD.
***** Plugin restorecon_source (92.2 confidence) suggests *****************
If you want to fix the label.
/usr/sbin/mariadbd default label should be bin_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/sbin/mariadbd
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
Do
setsebool -P domain_can_mmap_files 1
***** Plugin catchall (1.41 confidence) suggests **************************
If you believe that mariadbd should be allowed map access on the #sql-temptable-932b7-22f-62.MAD file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mariadbd' --raw | audit2allow -M my-mariadbd
# semodule -X 300 -i my-mariadbd.pp
Please advise.
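As an added illustration, not code from the report or from MariaDB: a Python script that parses the AVC denial above, compares the permissions it was refused with what mysqld_tmpfs.te already grants, and emits a widened module containing only the missing map permission for mysqld_t on tmpfs_t files, a far narrower change than the domain_can_mmap_files boolean, which loosens every confined domain. Function names and the 1.1 version string are my own choices.

```python
import re

# AVC denial quoted from the report's ausearch --raw output above (not constructed).
AVC_LINE = ('type=AVC msg=audit(1690215382.357:58492): avc: denied { map } for pid=602807 comm="mariadbd" '
            'path="/dev/shm/#sql-temptable-932b7-22f-62.MAD" dev="tmpfs" ino=1183 scontext=system_u:system_r:mysqld_t:s0 '
            'tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0')

# What the report's mysqld_tmpfs.te module already grants: (source, target, class) -> perms.
EXISTING = {
    ("mysqld_t", "tmpfs_t", "dir"): {"write", "search", "read", "remove_name", "open", "getattr", "add_name"},
    ("mysqld_t", "tmpfs_t", "file"): {"write", "getattr", "read", "lock", "create", "unlink", "open"},
}

# scontext/tcontext are user:role:type[:level]; the third field is the type the rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?:\w+:){2}(?P<stype>\w+).*?'
    r'tcontext=(?:\w+:){2}(?P<ttype>\w+).*?'
    r'tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return (source_type, target_type, class, {perms}) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    return None if m is None else (m["stype"], m["ttype"], m["tclass"], set(m["perms"].split()))

def missing_perms(lines, existing):
    """Permissions the audit lines were denied that the existing module does not already grant."""
    needed = {}
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):  # SYSCALL/PROCTITLE records skipped
        gap = perms - existing.get((src, tgt, cls), set())
        if gap:
            needed.setdefault((src, tgt, cls), set()).update(gap)
    return needed

def render_module(name, version, existing, needed):
    """Emit a .te module: the existing rules widened by exactly the missing permissions, nothing more."""
    merged = {k: set(v) for k, v in existing.items()}
    for k, v in needed.items():
        merged.setdefault(k, set()).update(v)
    types = sorted({t for key in merged for t in key[:2]})
    # The require block declares each class with the union of permissions any rule uses.
    classes = {cls: set().union(*(p for k, p in merged.items() if k[2] == cls)) for cls in {k[2] for k in merged}}
    out = [f"module {name} {version};", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (src, tgt, cls), perms in sorted(merged.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)
```

Build and load the result with the checkmodule / semodule_package / semodule steps from the MariaDB KB page linked above, then re-run ausearch to confirm the map denial no longer appears.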
tmpdir into /dev/shm seems very wrong. Why do you do that?

tmpdir = /dev/shm editors started complaining things are slower.

tmpdir on a tmpfs is even remotely a good idea. Could you explain to me why you come to the conclusion that it is?