Bug 1540946

Summary: SELinux is preventing mysqld from using the 'sys_nice' capabilities.
Product: Fedora
Reporter: Héctor Louzao <louzaoh>
Component: community-mysql
Assignee: Michal Schorm <mschorm>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 27
CC: dwalsh, extras-orphan, hhorak, jstanek, lsalgados, lvrabec, mgrepl, mschorm, plautrba, terje.rosten, tgl
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:041e04b306406a6ba642b3875b5aa1f16f0ccc66b29572fb1f603dc6a647d20c;VARIANT_ID=workstation;
Fixed In Version: community-mysql-8.0.13-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1628814
Environment:
Last Closed: 2018-11-10 03:18:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1593639, 1629041
Bug Blocks: 1628814, 1628815

Description Héctor Louzao 2018-02-01 11:38:05 UTC
Description of problem:
mysql-workbench-community-6.3.10-1.fc27.x86_64
mysql-community-common-8.0.4-0.1.rc.fc27.x86_64
mysql-community-libs-8.0.4-0.1.rc.fc27.x86_64
mysql57-community-release-fc27-10.noarch
mysql-community-client-8.0.4-0.1.rc.fc27.x86_64
mysql-community-server-8.0.4-0.1.rc.fc27.x86_64

selinux-policy-targeted-3.13.1-283.21.fc27.noarch
selinux-policy-3.13.1-283.21.fc27.noarch

setroubleshoot-server-3.3.15-1.fc27.x86_64
setroubleshoot-3.3.15-1.fc27.x86_64
setroubleshoot-plugins-3.3.9-3.fc27.noarch

update to mysql 8.0.4
SELinux is preventing mysqld from using the 'sys_nice' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mysqld should have the sys_nice capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M mi-mysqld
# semodule -X 300 -i mi-mysqld.pp

Additional Information:
Source Context                system_u:system_r:mysqld_t:s0
Target Context                system_u:system_r:mysqld_t:s0
Target Objects                Unknown [ capability ]
Source                        mysqld
Source Path                   mysqld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54 UTC 2018 x86_64 x86_64
Alert Count                   1095
First Seen                    2018-02-01 10:46:40 CET
Last Seen                     2018-02-01 12:36:37 CET
Local ID                      15c9c979-5c2f-4650-a27a-91e54915a9f9

Raw Audit Messages
type=AVC msg=audit(1517484997.191:5218): avc:  denied  { sys_nice } for  pid=27326 comm="mysqld" capability=23  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0


Hash: mysqld,mysqld_t,mysqld_t,capability,sys_nice

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2018-02-01 13:17:06 UTC
Hi Mysql folks, 

Does mysql use the sys_nice capability?

       CAP_SYS_NICE
              * Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes;
              * set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2), sched_setattr(2));
              * set CPU affinity for arbitrary processes (sched_setaffinity(2));
              * set I/O scheduling class and priority for arbitrary processes (ioprio_set(2));
              * apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes;
              * apply move_pages(2) to arbitrary processes;
              * use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).

Thanks,
Lukas.

Comment 2 Luis Salgado Sandoval 2018-04-29 22:52:57 UTC
*** Bug 1573032 has been marked as a duplicate of this bug. ***

Comment 3 Héctor Louzao 2018-04-30 14:18:17 UTC
mysql-workbench-community-6.3.10-1.fc27.x86_64
mysql-connector-python3-8.0.11-1.fc28.x86_64
mysql-community-server-8.0.11-1.fc28.x86_64
mysql-shell-8.0.11-1.fc28.x86_64
mysql-community-client-8.0.11-1.fc28.x86_64
mysql80-community-release-fc28-1.noarch
mysql-community-libs-8.0.11-1.fc28.x86_64
mysql-connector-java-8.0.11-1.fc28.noarch
mysql-community-common-8.0.11-1.fc28.x86_64

selinux-policy-3.14.1-21.fc28.noarch
selinux-policy-targeted-3.14.1-21.fc28.noarch

setroubleshoot-3.3.17-1.fc28.x86_64
setroubleshoot-plugins-3.3.9-3.fc28.noarch
setroubleshoot-server-3.3.17-1.fc28.x86_64

I'm in F28 beta now, and with the imminent release of MySQL 8 (GA) some days ago this still happens...

Regards,

Comment 4 Lukas Vrabec 2018-05-21 13:08:47 UTC
*** Bug 1579160 has been marked as a duplicate of this bug. ***

Comment 5 Honza Horak 2018-06-05 10:05:02 UTC
Looking at the packages carefully, those are coming from upstream; in Fedora we have community-mysql, so re-assigning. I think we should check whether the same issue is also seen in case of community-mysql packages.

Comment 6 Terje Røsten 2018-06-05 17:23:02 UTC
I think this is due to MySQL WL#9467 - Resource Groups

commit:
 https://github.com/mysql/mysql-server/commit/c47051b4be2110ed6225860448fe8657cf500a4a

WorkLog:
 https://dev.mysql.com/worklog/task/?id=9467

which is new in MySQL 8.0. 

The move to /usr/bin and this sys_nice issue should be fixed in selinux-policy, I think?

Comment 7 Terje Røsten 2018-06-05 17:25:31 UTC
FYI: the move to /usr/bin/ is

 https://bugzilla.redhat.com/show_bug.cgi?id=1584643

Comment 8 Jakub Jančo 2018-08-29 14:10:13 UTC
In downstream community-mysql we are missing cap_sys_nice on the mysqld binary. Therefore we don't see SELinux AVCs, but resource groups don't work.

Reproduce:
# dnf install community-mysql-server
# systemctl start mysql
Connect to the mysql server, create a resource group and apply it:
mysql> CREATE RESOURCE GROUP rg1
  TYPE = USER
  VCPU = 0
  THREAD_PRIORITY = 19;
mysql> SET RESOURCE GROUP rg1;

Maybe there should be some error message here about "there is no capability set on the binary". But currently I can't see any visible clue that groups don't work; only the thread nice doesn't change. While you are connected to the mysql server, on the mysql server run:
# ps -T ax -o ni,cmd | grep mysqld | grep '^ 19 '
<empty>

# systemctl stop mysqld
After you set the capability on the binary:
# setcap cap_sys_nice+ep /usr/libexec/mysqld
# systemctl start mysqld
AVCs appear.

Now if you try to set resource group in current login session:
mysql> SET RESOURCE GROUP rg1;
# ps -T ax -o ni,cmd | grep mysqld | grep '^ 19 '
 19 /usr/libexec/mysqld --basedir=/usr

It seems to work, but these log entries appear in the mysql log:

2018-08-29T13:30:08.980728Z 8 [ERROR] [MY-010985] [Server] Setting thread priority 0 to thread id 1099 failed. (error code 0 - Success).
2018-08-29T13:30:08.980765Z 8 [Warning] [MY-010979] [Server] Unable to apply resource group controller USR_default.

Creating and installing an SELinux module from the audited errors allows setting resource groups without errors:
audit2allow -a -M test
semodule -i test.pp
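
As an added example (not from the bug report or from the community-mysql package), the script below shows the difference between the scoped `ausearch -c 'mysqld' --raw | audit2allow` route that setroubleshoot suggests in the description and the unscoped `audit2allow -a -M test` used in the comment above: it parses raw AVC records and emits a TE module containing only the rules for the named process, so the grant can be reviewed before `semodule -i`. The audit records are constructed (the first copies the record from the report, the second is an invented httpd denial), and `avc_rules` and `te_module` are helper names chosen for this example, not real tool names.

```shell
#!/bin/sh
# Added example (not from the bug report): build a *scoped* SELinux TE module
# from raw audit AVC records, so the policy can be reviewed before loading.
# 'avc_rules' and 'te_module' are hypothetical helper names chosen here; the
# real tooling is ausearch(8), audit2allow(1), checkmodule(8), semodule(8).

# Constructed sample audit log. The first record mirrors the mysqld sys_nice
# denial quoted in the report; the second is an unrelated, made-up httpd
# denial that an unscoped 'audit2allow -a' would also turn into an allow rule.
SAMPLE_AVCS='type=AVC msg=audit(1517484997.191:5218): avc:  denied  { sys_nice } for  pid=27326 comm="mysqld" capability=23  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1517485000.000:5219): avc:  denied  { write } for  pid=4242 comm="httpd" name="secret.key" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0'

# avc_rules COMM  (reads AVC records on stdin)
# Emits one 'allow SRC TGT:CLASS { PERMS };' line per denial whose comm= matches
# COMM. When source and target type are identical (as for a process checking
# its own capabilities) the target is written as 'self'.
avc_rules() {
    awk -v want="$1" '
        /avc: *denied/ {
            perms = ""; inperm = 0; src = ""; tgt = ""; cls = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") { inperm = 0; continue }
                if (inperm) { perms = perms (perms == "" ? "" : " ") $i; continue }
                split($i, kv, "=")
                if (kv[1] == "comm") { c = kv[2]; gsub(/"/, "", c) }
                else if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
                else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
                else if (kv[1] == "tclass") cls = kv[2]
            }
            if (c != want) next
            if (tgt == src) tgt = "self"
            printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
        }'
}

# te_module NAME COMM  (reads AVC records on stdin)
# Wraps the rules for COMM in a complete TE module with a matching require
# block. Returns 1 when no denial for COMM is present, so nothing gets loaded.
te_module() {
    name="$1"; comm="$2"
    rules=$(avc_rules "$comm")
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | awk '
        { src = $2; split($3, tc, ":")
          types[src] = 1
          if (tc[1] != "self") types[tc[1]] = 1
          # fields 5..NF-1 are the permissions between "{" and "};"
          for (i = 5; i < NF; i++)
              if (!((tc[2], $i) in seen)) { seen[tc[2], $i] = 1; perms[tc[2]] = perms[tc[2]] " " $i }
        }
        END {
          for (t in types) printf "\ttype %s;\n", t
          for (c in perms) printf "\tclass %s {%s };\n", c, perms[c]
        }'
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: the module contains only the mysqld_t rule; the httpd
# denial is left out because it was not asked for.
printf '%s\n' "$SAMPLE_AVCS" | te_module mi-mysqld mysqld

# On a live host the records come from the audit log instead:
#   ausearch -c mysqld --raw | te_module mi-mysqld mysqld > mi-mysqld.te
#   checkmodule -M -m -o mi-mysqld.mod mi-mysqld.te
#   semodule_package -o mi-mysqld.pp -m mi-mysqld.mod
#   semodule -X 300 -i mi-mysqld.pp
```

The point is that a local module is a policy change and should be read like one: `audit2allow -a` collects every denial on the host, so a module built from it can carry rules for unrelated domains without anyone noticing. Scoped to mysqld, the record from this report yields a single `allow mysqld_t self:capability { sys_nice };`, which is exactly what the denial asked for and nothing more; it is a host-local workaround, while the fix itself landed in the packages listed under Fixed In Version.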

Comment 9 Michal Schorm 2018-09-06 05:20:17 UTC
Fix pushed to the repo; rebuilds are on the way.

Comment 10 Héctor Louzao 2018-10-01 14:47:22 UTC
Finally works in F28, following the process in:

https://bugzilla.redhat.com/show_bug.cgi?id=1629380

https://bugs.mysql.com/bug.php?id=92476

Thx fedora folks...

regards

mysql-connector-python3-8.0.12-1.fc28.x86_64
mysql-connector-java-8.0.12-1.fc28.noarch
mysql-community-client-8.0.12-1.fc28.x86_64
mysql-community-common-8.0.12-1.fc28.x86_64
mysql-workbench-community-8.0.12-1.fc28.x86_64
mysql-connector-python-8.0.12-1.fc28.x86_64
mysql-community-server-8.0.12-1.fc28.x86_64
mysql-community-libs-8.0.12-1.fc28.x86_64
mysql80-community-release-fc28-1.noarch
mysql-shell-8.0.12-1.fc28.x86_64

selinux-policy-targeted-3.14.1-42.fc28.noarch
selinux-policy-3.14.1-42.fc28.noarch
selinux-policy-devel-3.14.1-42.fc28.noarch

setroubleshoot-server-3.3.17-1.fc28.x86_64
setroubleshoot-plugins-3.3.9-3.fc28.noarch
setroubleshoot-3.3.17-1.fc28.x86_64

Comment 11 Fedora Update System 2018-10-31 13:02:08 UTC
community-mysql-8.0.13-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c82fc3e109

Comment 12 Fedora Update System 2018-10-31 18:52:36 UTC
community-mysql-8.0.13-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c82fc3e109

Comment 13 Fedora Update System 2018-11-10 03:18:14 UTC
community-mysql-8.0.13-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.