Add SELinux checks from distribution-specific spec file, missed in

previous. Convert some shell bits to standard 2-space indent, 80 columns, etc.

Add SELinux checks from distribution-specific spec file, missed in
previous. Convert some shell bits to standard 2-space indent, 80 columns, etc.
99b5ca1f · Jonathan Perkin · 9c960ecf · 99b5ca1f
Commit 99b5ca1f authored Jun 01, 2010 by Jonathan Perkin
Hide whitespace changes
Inline Side-by-side

Showing with 87 additions and 37 deletions

support-files/mysql.spec.sh support-files/mysql.spec.sh +87 -37

No files found.
--- a/support-files/mysql.spec.sh
+++ b/support-files/mysql.spec.sh
@@ -415,8 +415,9 @@ mkdir debug
                  -e 's/ -ip / /' \
                  -e 's/^ //' \
                  -e 's/ $//'`
-  # XXX: MYSQL_UNIX_ADDR should be in cmake/* but mysql_version is included before
+  # XXX: MYSQL_UNIX_ADDR should be in cmake/* but mysql_version is included
-  # XXX: install_layout so we can't just set it based on INSTALL_LAYOUT=RPM
+  # XXX: before install_layout so we can't just set it based on
+  # XXX: INSTALL_LAYOUT=RPM
  ${CMAKE} ../%{src_dir} -DBUILD_CONFIG=mysql_release -DINSTALL_LAYOUT=RPM \
           -DCMAKE_BUILD_TYPE=Debug \
           -DMYSQL_UNIX_ADDR="/var/lib/mysql/mysql.sock" \
@@ -429,8 +430,9 @@ mkdir debug
 mkdir release
 (
  cd release
-  # XXX: MYSQL_UNIX_ADDR should be in cmake/* but mysql_version is included before
+  # XXX: MYSQL_UNIX_ADDR should be in cmake/* but mysql_version is included
-  # XXX: install_layout so we can't just set it based on INSTALL_LAYOUT=RPM
+  # XXX: before install_layout so we can't just set it based on
+  # XXX: INSTALL_LAYOUT=RPM
  ${CMAKE} ../%{src_dir} -DBUILD_CONFIG=mysql_release -DINSTALL_LAYOUT=RPM \
           -DCMAKE_BUILD_TYPE=RelWithDebInfo \
           -DMYSQL_UNIX_ADDR="/var/lib/mysql/mysql.sock" \
@@ -487,8 +489,10 @@ install -d $RBR%{_sbindir}
 mv -v $RBR/%{_libdir}/*.a $RBR/%{_libdir}/mysql/
 # Install logrotate and autostart
-install -m 644 $MBD/release/support-files/mysql-log-rotate $RBR%{_sysconfdir}/logrotate.d/mysql
+install -m 644 $MBD/release/support-files/mysql-log-rotate \
-install -m 755 $MBD/release/support-files/mysql.server $RBR%{_sysconfdir}/init.d/mysql
+  $RBR%{_sysconfdir}/logrotate.d/mysql
+install -m 755 $MBD/release/support-files/mysql.server \
+  $RBR%{_sysconfdir}/init.d/mysql
 # Create a symlink "rcmysql", pointing to the init.script. SuSE users
 # will appreciate that, as all services usually offer this.
@@ -506,7 +510,8 @@ install -m 600 $MBD/%{src_dir}/support-files/RHEL4-SElinux/mysql.{fc,te} \
 # Even though this is a shared library, put it under /usr/lib*/mysql, so it
 # doesn't conflict with possible shared lib by the same name in /usr/lib*.  See
 # `mysql_config --variable=pkglibdir` and mysqld_safe for how this is used.
-install -m 644 "%{malloc_lib_source}" "$RBR%{_libdir}/mysql/%{malloc_lib_target}"
+install -m 644 "%{malloc_lib_source}" \
+  "$RBR%{_libdir}/mysql/%{malloc_lib_target}"
 %endif
 # Remove man pages we explicitly do not want to package, avoids 'unpackaged
@@ -530,15 +535,19 @@ if [ $? -eq 0 -a -n "$installed" ]; then
  myvendor='%{mysql_vendor}'
  myversion='%{mysql_version}'
-  old_family=`echo $version   | sed -n -e 's,^\([1-9][0-9]*\.[0-9][0-9]*\)\..*$,\1,p'`
+  old_family=`echo $version \
-  new_family=`echo $myversion | sed -n -e 's,^\([1-9][0-9]*\.[0-9][0-9]*\)\..*$,\1,p'`
+    | sed -n -e 's,^\([1-9][0-9]*\.[0-9][0-9]*\)\..*$,\1,p'`
+  new_family=`echo $myversion \
+    | sed -n -e 's,^\([1-9][0-9]*\.[0-9][0-9]*\)\..*$,\1,p'`
  [ -z "$vendor" ] && vendor='<unknown>'
  [ -z "$old_family" ] && old_family="<unrecognized version $version>"
  [ -z "$new_family" ] && new_family="<bad package specification: version $myversion>"
  error_text=
-  if [ "$vendor" != "$myoldvendor" -a "$vendor" != "$myvendor_2" -a "$vendor" != "$myvendor" ]; then
+  if [ "$vendor" != "$myoldvendor" \
+    -a "$vendor" != "$myvendor_2" \
+    -a "$vendor" != "$myvendor" ]; then
    error_text="$error_text
 The current MySQL server package is provided by a different
 vendor ($vendor) than $myoldvendor, $myvendor_2, or $myvendor.
@@ -588,9 +597,9 @@ fi
 # Shut down a previously installed server first
 if [ -x %{_sysconfdir}/init.d/mysql ] ; then
-        %{_sysconfdir}/init.d/mysql stop > /dev/null 2>&1
+  %{_sysconfdir}/init.d/mysql stop > /dev/null 2>&1
-        echo "Giving mysqld 5 seconds to exit nicely"
+  echo "Giving mysqld 5 seconds to exit nicely"
-        sleep 5
+  sleep 5
 fi
 %post -n MySQL-server%{product_suffix}
@@ -608,10 +617,10 @@ if [ ! -d $mysql_datadir/test ] ; then mkdir $mysql_datadir/test; fi
 # ----------------------------------------------------------------------
 # use insserv for older SuSE Linux versions
 if [ -x /sbin/insserv ] ; then
-        /sbin/insserv %{_sysconfdir}/init.d/mysql
+  /sbin/insserv %{_sysconfdir}/init.d/mysql
 # use chkconfig on Enterprise Linux and newer SuSE releases
 elif [ -x /sbin/chkconfig ] ; then
-        /sbin/chkconfig --add mysql
+  /sbin/chkconfig --add mysql
 fi
 # ----------------------------------------------------------------------
@@ -619,8 +628,10 @@ fi
 # exists.
 # ----------------------------------------------------------------------
 groupadd -r %{mysqld_group} 2> /dev/null || true
-useradd -M -r -d $mysql_datadir -s /bin/bash -c "MySQL server" -g %{mysqld_group} %{mysqld_user} 2> /dev/null || true
+useradd -M -r -d $mysql_datadir -s /bin/bash -c "MySQL server" \
-# The user may already exist, make sure it has the proper group nevertheless (BUG#12823)
+  -g %{mysqld_group} %{mysqld_user} 2> /dev/null || true
+# The user may already exist, make sure it has the proper group nevertheless
+# (BUG#12823)
 usermod -g %{mysqld_group} %{mysqld_user} 2> /dev/null || true
 # ----------------------------------------------------------------------
@@ -649,32 +660,66 @@ chown -R %{mysqld_user}:%{mysqld_group} $mysql_datadir
 # ----------------------------------------------------------------------
 chmod -R og-rw $mysql_datadir/mysql
+# ----------------------------------------------------------------------
+# install SELinux files - but don't override existing ones
+# ----------------------------------------------------------------------
+SETARGETDIR=/etc/selinux/targeted/src/policy
+SEDOMPROG=$SETARGETDIR/domains/program
+SECONPROG=$SETARGETDIR/file_contexts/program
+if [ -f /etc/redhat-release ] \
+ && (grep -q "Red Hat Enterprise Linux .. release 4" /etc/redhat-release \
+ || grep -q "CentOS release 4" /etc/redhat-release) ; then
+  echo
+  echo
+  echo 'Notes regarding SELinux on this platform:'
+  echo '========================================='
+  echo
+  echo 'The default policy might cause server startup to fail because it is'
+  echo 'not allowed to access critical files.  In this case, please update'
+  echo 'your installation.'
+  echo
+  echo 'The default policy might also cause inavailability of SSL related'
+  echo 'features because the server is not allowed to access /dev/random'
+  echo 'and /dev/urandom. If this is a problem, please do the following:'
+  echo
+  echo '  1) install selinux-policy-targeted-sources from your OS vendor'
+  echo '  2) add the following two lines to '$SEDOMPROG/mysqld.te':'
+  echo '       allow mysqld_t random_device_t:chr_file read;'
+  echo '       allow mysqld_t urandom_device_t:chr_file read;'
+  echo '  3) cd to '$SETARGETDIR' and issue the following command:'
+  echo '       make load'
+  echo
+  echo
+fi
+if [ -x sbin/restorecon ] ; then
+  sbin/restorecon -R var/lib/mysql
+fi
 # Restart in the same way that mysqld will be started normally.
-%{_sysconfdir}/init.d/mysql start
+if [ -x %{_sysconfdir}/init.d/mysql ] ; then
+  %{_sysconfdir}/init.d/mysql start
+  echo "Giving mysqld 2 seconds to start"
+  sleep 2
+fi
 # Allow mysqld_safe to start mysqld and print a message before we exit
 sleep 2
-#echo "Thank you for installing the MySQL Community Server! For Production
-#systems, we recommend MySQL Enterprise, which contains enterprise-ready
-#software, intelligent advisory services, and full production support with
-#scheduled service packs and more.  Visit www.mysql.com/enterprise for more
-#information."
 %preun -n MySQL-server%{product_suffix}
 if [ $1 = 0 ] ; then
-        # Stop MySQL before uninstalling it
+  # Stop MySQL before uninstalling it
-        if [ -x %{_sysconfdir}/init.d/mysql ] ; then
+  if [ -x %{_sysconfdir}/init.d/mysql ] ; then
-                %{_sysconfdir}/init.d/mysql stop > /dev/null
+    %{_sysconfdir}/init.d/mysql stop > /dev/null
-                # Remove autostart of MySQL
+    # Remove autostart of MySQL
-                # For older SuSE Linux versions
+    # For older SuSE Linux versions
-                if [ -x /sbin/insserv ] ; then
+    if [ -x /sbin/insserv ] ; then
-                        /sbin/insserv -r %{_sysconfdir}/init.d/mysql
+      /sbin/insserv -r %{_sysconfdir}/init.d/mysql
-                # use chkconfig on Enterprise Linux and newer SuSE releases
+    # use chkconfig on Enterprise Linux and newer SuSE releases
-                elif [ -x /sbin/chkconfig ] ; then
+    elif [ -x /sbin/chkconfig ] ; then
-                        /sbin/chkconfig --del mysql
+      /sbin/chkconfig --del mysql
-                fi
+    fi
-        fi
+  fi
 fi
 # We do not remove the mysql user since it may still own a lot of
@@ -684,7 +729,8 @@ fi
 # Clean up the BuildRoot after build is done
 # ----------------------------------------------------------------------
 %clean
-[ "$RPM_BUILD_ROOT" != "/" ] && [ -d $RPM_BUILD_ROOT ] && rm -rf $RPM_BUILD_ROOT;
+[ "$RPM_BUILD_ROOT" != "/" ] && [ -d $RPM_BUILD_ROOT ] \
+  && rm -rf $RPM_BUILD_ROOT;
 ##############################################################################
 #  Files section
@@ -865,6 +911,10 @@ fi
 # merging BK trees)
 ##############################################################################
 %changelog
+* Tue Jun 1 2010 Jonathan Perkin <jonathan.perkin@oracle.com>
+- Implement SELinux checks from distribution-specific spec file.
 * Wed May 12 2010 Jonathan Perkin <jonathan.perkin@oracle.com>
 - Large number of changes to build using CMake