Bug 755256

Summary: Mysql server service fails to load with selinux enforcing
Product: [Fedora] Fedora Reporter: Thomas Drake-Brockman <thomas>
Component: mysqlAssignee: Tom Lane <tgl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 16CC: hhorak, tgl, wb8rcr
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-21 07:37:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Last 50 lines of /var/log/messages after service failed to load.
none
Last 50 lines of /var/log/audit/audit.log after service failed to load. none

Description Thomas Drake-Brockman 2011-11-20 05:01:32 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

When I attempt to start the mysql service (either by using the service or systemctl commands) it fails. On inspection of system logs it apears that selinux is preventing mysql form loading. This is confirmed as it works with selinux set on permissive.

Reproducible: Always

Steps to Reproduce:
1. setenforce 1
2. yum install mysql-server
3. service mysqld start OR systemctl start mysqld.service
Actual Results:  
`systemctl start mysqld.service` returns:
"Job failed. See system logs and 'systemctl status' for details."

`systectl status mysqld.service` returns:
"mysqld.service - MySQL database server
	  Loaded: loaded (/lib/systemd/system/mysqld.service; disabled)
	  Active: failed since Sun, 20 Nov 2011 12:58:16 +0800; 1min 9s ago
	 Process: 7319 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
	 Process: 8146 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=127)
	 Process: 8130 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
	Main PID: 7318 (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/mysqld.service"

Expected Results:  
`systemctl start mysqld.service` should return with no output.

`systectl status mysqld.service` should return:
"mysqld.service - MySQL database server
	  Loaded: loaded (/lib/systemd/system/mysqld.service; disabled)
	  Active: active (running) since Sun, 20 Nov 2011 12:59:54 +0800; 31s ago
	 Process: 8354 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
	 Process: 8203 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=0/SUCCESS)
	 Process: 8187 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
	Main PID: 8353 (mysqld)
	  CGroup: name=systemd:/system/mysqld.service
		  └ 8353 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mysqld.log --pid-fil..."

This is a fresh DVD install of Fedora 16 x86_64 installed yesterday.
Comment 1 Thomas Drake-Brockman 2011-11-20 05:04:38 UTC 
Created attachment 534622 [details]
Last 50 lines of /var/log/messages after service failed to load.
Comment 2 Thomas Drake-Brockman 2011-11-20 05:05:20 UTC 
Created attachment 534623 [details]
Last 50 lines of /var/log/audit/audit.log after service failed to load.
Comment 3 John J. McDonough 2011-11-20 21:13:59 UTC 
FWIW - the problem can be resolved by following the instructions in SETroubleshoot, but that doesn't make it any less of a bug:

allow this access for now by executing:
# grep mysqld_safe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 4 Honza Horak 2011-11-21 07:37:21 UTC 

*** This bug has been marked as a duplicate of bug 753816 ***
Comment 5 Honza Horak 2011-11-21 07:45:31 UTC 
This issue should be fixed by https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16
Feel free to re-open it if the problem persists.