Bug 1687867

Summary: mysql/mariadb fails to start in pacemaker cluster
Product: Red Hat Enterprise Linux 8
Reporter: Patrik Hagara <phagara>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: high
Version: 8.0
CC: lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: Patch, Regression, TestBlocker
Target Release: 8.2
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1715805
Environment:
Last Closed: 2020-04-28 16:40:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1673107, 1682526
Bug Blocks:

Description Patrik Hagara 2019-03-12 14:00:07 UTC
Description of problem:

A mysql/mariadb service in a pacemaker cluster is unable to start, with the following AVC denials:

> type=PROCTITLE msg=audit(03/12/2019 14:02:22.391:3121) : proctitle=/bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysql/mysqld.pid --socket=/var/lib/mysql/mysql.sock 
> type=PATH msg=audit(03/12/2019 14:02:22.391:3121) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2019 14:02:22.391:3121) : cwd=/var/lib/pacemaker/cores 
> type=SYSCALL msg=audit(03/12/2019 14:02:22.391:3121) : arch=x86_64 syscall=faccessat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e227b2d910 a2=W_OK a3=0x1 items=1 ppid=9864 pid=9986 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld_safe exe=/usr/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null) 
> type=AVC msg=audit(03/12/2019 14:02:22.391:3121) : avc:  denied  { dac_override } for  pid=9986 comm=mysqld_safe capability=dac_override  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability permissive=0 
> ----
> type=PROCTITLE msg=audit(03/12/2019 14:02:22.584:3122) : proctitle=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mariadb/plugin - 
> type=PATH msg=audit(03/12/2019 14:02:22.584:3122) : item=0 name=/var/lib/mysql/ inode=5259923 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:mysqld_db_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2019 14:02:22.584:3122) : cwd=/var/lib/pacemaker/cores 
> type=SYSCALL msg=audit(03/12/2019 14:02:22.584:3122) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd94309600 a2=O_RDWR|O_CREAT|O_CLOEXEC a3=0x1b6 items=1 ppid=9986 pid=10098 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null) 
> type=AVC msg=audit(03/12/2019 14:02:22.584:3122) : avc:  denied  { dac_override } for  pid=10098 comm=mysqld capability=dac_override  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0 


With permissive mode enabled:

> type=PROCTITLE msg=audit(03/12/2019 13:38:32.989:3040) : proctitle=/bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysql/mysqld.pid --socket=/var/lib/mysql/mysql.sock
> type=PATH msg=audit(03/12/2019 13:38:32.989:3040) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(03/12/2019 13:38:32.989:3040) : cwd=/var/lib/pacemaker/cores
> type=SYSCALL msg=audit(03/12/2019 13:38:32.989:3040) : arch=x86_64 syscall=faccessat success=yes exit=0 a0=0xffffff9c a1=0x558ad0aa4910 a2=W_OK a3=0x1 items=1 ppid=2879 pid=2999 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld_safe exe=/usr/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
> type=AVC msg=audit(03/12/2019 13:38:32.989:3040) : avc:  denied  { dac_override } for  pid=2999 comm=mysqld_safe capability=dac_override  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability permissive=1
> ----
> type=PROCTITLE msg=audit(03/12/2019 13:38:33.184:3041) : proctitle=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mariadb/plugin -
> type=PATH msg=audit(03/12/2019 13:38:33.184:3041) : item=1 name=/var/lib/mysql/virt-047.lower-test inode=5259927 dev=fd:00 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mysqld_db_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(03/12/2019 13:38:33.184:3041) : item=0 name=/var/lib/mysql/ inode=5259923 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:mysqld_db_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(03/12/2019 13:38:33.184:3041) : cwd=/var/lib/pacemaker/cores
> type=SYSCALL msg=audit(03/12/2019 13:38:33.184:3041) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffc7ed57e20 a2=O_RDWR|O_CREAT|O_CLOEXEC a3=0x1b6 items=2 ppid=2999 pid=3111 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)
> type=AVC msg=audit(03/12/2019 13:38:33.184:3041) : avc:  denied  { dac_override } for  pid=3111 comm=mysqld capability=dac_override  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=1
> ----
> type=PROCTITLE msg=audit(03/12/2019 13:38:33.330:3042) : proctitle=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mariadb/plugin -                                           
> type=PATH msg=audit(03/12/2019 13:38:33.330:3042) : item=1 name=/var/run/mysql/mysqld.pid inode=295606 dev=00:16 mode=file,660 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:cluster_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(03/12/2019 13:38:33.330:3042) : item=0 name=/var/run/mysql/ inode=266787 dev=00:16 mode=dir,751 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:cluster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(03/12/2019 13:38:33.330:3042) : cwd=/var/lib/mysql
> type=SYSCALL msg=audit(03/12/2019 13:38:33.330:3042) : arch=x86_64 syscall=openat success=yes exit=25 a0=0xffffff9c a1=0x55aac3b02180 a2=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a3=0x1b4 items=2 ppid=2999 pid=3111 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=unset comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld path=/run/mysql/mysqld.pid dev="tmpfs" ino=295606 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0tclass=file permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { create } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { add_name } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld name=mysql dev="tmpfs" ino=266787 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1


This seems to be caused by the removal of the dac_override capability. Pacemaker uses its own resource agent script (component resource-agents) for starting mysqld (not systemctl).


Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-61.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. configure an ocf:heartbeat:mysql resource in a pacemaker cluster

Actual results:
resource fails to start when selinux is in enforcing mode

Expected results:
no AVCs, resource starts and works

Additional info:

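The AVC records above, triaged the way a policy maintainer would read them, as an added example that is not part of the bug report: a Python script that parses ausearch -i style AVC lines, merges repeated denials by (source type, object class, target type), and separates the capability denials (dac_override in mysqld_safe_t and mysqld_t) from the label mismatch (mysqld_t writing into a directory labelled cluster_var_run_t). The sample input is copied from the report's enforcing and permissive traces; the grouping and the wording of the diagnosis are this example's own.

```python
# Added example, not from the bug report: group AVC denials by source type,
# object class and target type, then say what each group points at.
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the report (ausearch -i format).
AVC_LINES = [
    'type=AVC msg=audit(03/12/2019 14:02:22.584:3122) : avc:  denied  { dac_override } for  pid=10098 comm=mysqld capability=dac_override  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(03/12/2019 13:38:32.989:3040) : avc:  denied  { dac_override } for  pid=2999 comm=mysqld_safe capability=dac_override  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(03/12/2019 13:38:33.184:3041) : avc:  denied  { dac_override } for  pid=3111 comm=mysqld capability=dac_override  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld path=/run/mysql/mysqld.pid dev="tmpfs" ino=295606 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0tclass=file permissive=1',
    'type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { create } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { add_name } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1',
    'type=PROCTITLE msg=audit(03/12/2019 13:38:33.330:3042) : proctitle=/usr/libexec/mysqld',
]

def parse_avc(line):
    """Return (src_type, tclass, tgt_type, perms, enforcing), or None for non-AVC records."""
    if "avc:" not in line or "denied" not in line:
        return None
    def field(key):
        m = re.search(key + r"=(\S+)", line)
        return m.group(1) if m else ""
    # The type is the third colon-separated part of a context; reading it that
    # way also survives the report's fused "...:s0tclass=file" record.
    src, tgt = (field(k).split(":")[2] for k in ("scontext", "tcontext"))
    perms = frozenset(re.search(r"\{\s*([^}]*?)\s*\}", line).group(1).split())
    return src, field("tclass"), tgt, perms, field("permissive") == "0"

def summarise(lines):
    """Merge denials into {(src, tclass, tgt): {"perms", "count", "enforcing"}}."""
    out = defaultdict(lambda: {"perms": set(), "count": 0, "enforcing": False})
    for src, tclass, tgt, perms, enforcing in filter(None, map(parse_avc, lines)):
        entry = out[(src, tclass, tgt)]
        entry["perms"] |= perms
        entry["count"] += 1
        entry["enforcing"] |= enforcing
    return dict(out)

def diagnose(summary):
    """Capability denials need a policy or program change; file/dir denials on a
    type the domain does not own usually mean the object is mislabelled."""
    notes = {}
    for (src, tclass, tgt), e in summary.items():
        perms = ",".join(sorted(e["perms"]))
        if tclass == "capability":
            notes[(src, tclass, tgt)] = f"{src} lacks capability {perms}"
        else:
            notes[(src, tclass, tgt)] = f"{src} needs {perms} on {tclass} labelled {tgt}: check its label"
    return notes
```

Run over the enforcing trace alone it would show only the two dac_override groups; the pid-file denials only surface in permissive mode because mysqld never gets that far while dac_override is refused.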
Comment 16 errata-xmlrpc 2020-04-28 16:40:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773