Bug 1613898

Summary: mysqld_safe-scl-help is not able to exec mysqld_safe
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Jančo <jjanco>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.6
CC: lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2018-10-30 10:08:25 UTC
Type: Bug
Attachments:
Add can_exec (flags: none)

Description Jakub Jančo 2018-08-08 13:47:19 UTC
Created attachment 1474352: Add can_exec

Description of problem:
SELinux denies starting the MySQL daemon from the collections rh-mysql57 and rh-mariadb100. Both collections behave the same.

Version-Release number of selected component (if applicable):
3.13.1-212

How reproducible:
Easy, always

Steps to Reproduce:
1. Run a RHEL-7.6 instance
2. Add the rh-scl repo [1]
3a. yum install rh-mysql57-mysql-server
3b. yum install rh-mariadb100-mariadb-server
4a. systemctl start rh-mysql57-mysqld
4b. systemctl start rh-mariadb100-mariadb

Actual results:
# systemctl start rh-mariadb100-mariadb
Job for rh-mariadb100-mariadb.service failed because the control process exited with error code. See "systemctl status rh-mariadb100-mariadb.service" and "journalctl -xe" for details.

# ausearch -m avc
----
time->Wed Aug  8 09:26:19 2018
type=PROCTITLE msg=audit(1533734779.130:534): proctitle=2F62696E2F7368002F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F6C6962657865632F6D7973716C645F736166652D73636C2D68656C70657200656E61626C650072682D6D617269616462313030002D2D002F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F62696E
type=SYSCALL msg=audit(1533734779.130:534): arch=c000003e syscall=59 success=no exit=-13 a0=beb150 a1=beb4e0 a2=bebad0 a3=7ffe9d61b7e0 items=0 ppid=1 pid=18657 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe-scl" exe="/usr/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1533734779.130:534): avc:  denied  { execute_no_trans } for  pid=18657 comm="mysqld_safe-scl" path="/opt/rh/rh-mariadb100/root/usr/bin/mysqld_safe" dev="vda1" ino=18874987 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file permissive=0


Expected results:
Daemon started.

Additional info:
[1] https://gitlab.cee.redhat.com/platform-eng-core-services/internal-repos/raw/master/rhscl/rhscl-rhel-7.repo

Patch of patch included.
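
Added example (not part of the original report or of the selinux-policy fix): a small Python triage helper that decodes the hex PROCTITLE record above, parses the AVC denial, and derives the allow rule the denial corresponds to, in the form audit2allow reports it. The function names are hypothetical; the two records are copied from the ausearch output in this report.

```python
import re

# Records copied from the ausearch output above (one event, serial 534).
# The hex is split at the NUL separators between argv elements for readability.
PROCTITLE = ("type=PROCTITLE msg=audit(1533734779.130:534): proctitle="
             "2F62696E2F736800"
             "2F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F"
             "6C6962657865632F6D7973716C645F736166652D73636C2D68656C70657200"
             "656E61626C6500" "72682D6D61726961646231303000" "2D2D00"
             "2F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F62696E")
AVC = ('type=AVC msg=audit(1533734779.130:534): avc:  denied  { execute_no_trans } '
       'for  pid=18657 comm="mysqld_safe-scl" '
       'path="/opt/rh/rh-mariadb100/root/usr/bin/mysqld_safe" dev="vda1" ino=18874987 '
       'scontext=system_u:system_r:mysqld_safe_t:s0 '
       'tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
                    r'\s+tclass=(?P<tclass>\S+)')

def event_id(record):
    """Timestamp:serial pair that ties the records of one audit event together."""
    return re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)

def decode_proctitle(record):
    """Return argv; audit hex-encodes the value when it holds NULs or spaces."""
    value = record.split("proctitle=", 1)[1].strip()
    if value.startswith('"'):                      # plain, unencoded form
        return [value.strip('"')]
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0")]

def parse_avc(record):
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = m.groupdict()
    fields["perms"] = fields["perms"].split()
    return fields

def equivalent_rule(avc):
    """Allow rule matching the denial; contexts are user:role:type:level."""
    src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{avc['tclass']} {perm};"

if __name__ == "__main__":
    assert event_id(PROCTITLE) == event_id(AVC)    # same event, safe to correlate
    print(" ".join(decode_proctitle(PROCTITLE)))
    print(equivalent_rule(parse_avc(AVC)))
```

The decoded argv ends mid-path because the kernel caps PROCTITLE at 128 bytes. The attachment's content is not shown on this page, so the derived rule only illustrates what the denial asks for.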

Comment 2 Jakub Jančo 2018-08-09 09:25:46 UTC
This is valid for rh-mysql56 instead of rh-mysql57

Comment 6 errata-xmlrpc 2018-10-30 10:08:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111