Bug 1715805

Summary: mysql/mariadb fails to start in pacemaker cluster
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Hagara <phagara>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: medium
Version: 7.7
CC: lvrabec, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc
Target Release: 7.8
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.13.1-253.el7
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1687867
Last Closed: 2020-03-31 19:10:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Patrik Hagara 2019-05-31 10:43:14 UTC
Description of problem:

The mysql cluster resource agent is unable to start with SELinux in enforcing mode.

SELinux logs in permissive mode:

time->Thu May 30 16:28:02 2019
type=PROCTITLE msg=audit(1559226482.257:436): proctitle=2F7573722F6C6962657865632F6D7973716C64002D2D64656661756C74732D66696C653D2F6574632F6D792E636E66002D2D626173656469723D2F757372002D2D646174616469723D2F7661722F6C69622F6D7973716C002D2D706C7567696E2D6469723D2F7573722F6C696236342F6D7973716C2F706C7567696E002D2D75
type=SYSCALL msg=audit(1559226482.257:436): arch=c000003e syscall=2 success=yes exit=16 a0=563a6e02f620 a1=241 a2=1b4 a3=8 items=0 ppid=7355 pid=7564 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1559226482.257:436): avc:  denied  { write } for  pid=7564 comm="mysqld" path="/run/mysql/mysqld.pid" dev="tmpfs" ino=96210 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226482.257:436): avc:  denied  { create } for  pid=7564 comm="mysqld" name="mysqld.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226482.257:436): avc:  denied  { add_name } for  pid=7564 comm="mysqld" name="mysqld.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559226482.257:436): avc:  denied  { write } for  pid=7564 comm="mysqld" name="mysql" dev="tmpfs" ino=95774 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
----
time->Thu May 30 16:28:31 2019
type=PROCTITLE msg=audit(1559226511.449:539): proctitle=2F7573722F6C6962657865632F6D7973716C64002D2D64656661756C74732D66696C653D2F6574632F6D792E636E66002D2D626173656469723D2F757372002D2D646174616469723D2F7661722F6C69622F6D7973716C002D2D706C7567696E2D6469723D2F7573722F6C696236342F6D7973716C2F706C7567696E002D2D75
type=SYSCALL msg=audit(1559226511.449:539): arch=c000003e syscall=87 success=yes exit=0 a0=563a6e02f620 a1=0 a2=563a6e02f620 a3=563a6edffd1c items=0 ppid=7355 pid=7564 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1559226511.449:539): avc:  denied  { unlink } for  pid=7564 comm="mysqld" name="mysqld.pid" dev="tmpfs" ino=96210 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226511.449:539): avc:  denied  { remove_name } for  pid=7564 comm="mysqld" name="mysqld.pid" dev="tmpfs" ino=96210 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559226511.449:539): avc:  denied  { write } for  pid=7564 comm="mysqld" name="mysql" dev="tmpfs" ino=95774 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
----
time->Thu May 30 16:28:42 2019
type=PROCTITLE msg=audit(1559226522.262:577): proctitle=2F7573722F6C6962657865632F6D7973716C64002D2D64656661756C74732D66696C653D2F6574632F6D792E636E66002D2D626173656469723D2F757372002D2D646174616469723D2F7661722F6C69622F6D7973716C002D2D706C7567696E2D6469723D2F7573722F6C696236342F6D7973716C2F706C7567696E002D2D75
type=SYSCALL msg=audit(1559226522.262:577): arch=c000003e syscall=2 success=yes exit=16 a0=562856ddc620 a1=241 a2=1b4 a3=8 items=0 ppid=8539 pid=8755 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1559226522.262:577): avc:  denied  { write } for  pid=8755 comm="mysqld" path="/run/mysql/mysqld.pid" dev="tmpfs" ino=105767 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226522.262:577): avc:  denied  { create } for  pid=8755 comm="mysqld" name="mysqld.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226522.262:577): avc:  denied  { add_name } for  pid=8755 comm="mysqld" name="mysqld.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559226522.262:577): avc:  denied  { write } for  pid=8755 comm="mysqld" name="mysql" dev="tmpfs" ino=95774 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
----
time->Thu May 30 16:29:16 2019
type=PROCTITLE msg=audit(1559226556.443:694): proctitle=2F7573722F6C6962657865632F6D7973716C64002D2D64656661756C74732D66696C653D2F6574632F6D792E636E66002D2D626173656469723D2F757372002D2D646174616469723D2F7661722F6C69622F6D7973716C002D2D706C7567696E2D6469723D2F7573722F6C696236342F6D7973716C2F706C7567696E002D2D75
type=SYSCALL msg=audit(1559226556.443:694): arch=c000003e syscall=87 success=yes exit=0 a0=562856ddc620 a1=0 a2=562856ddc620 a3=562858bfbd1c items=0 ppid=8539 pid=8755 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1559226556.443:694): avc:  denied  { unlink } for  pid=8755 comm="mysqld" name="mysqld.pid" dev="tmpfs" ino=105767 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226556.443:694): avc:  denied  { remove_name } for  pid=8755 comm="mysqld" name="mysqld.pid" dev="tmpfs" ino=105767 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559226556.443:694): avc:  denied  { write } for  pid=8755 comm="mysqld" name="mysql" dev="tmpfs" ino=95774 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1

see https://bugzilla.redhat.com/show_bug.cgi?id=1687867 for details on how this was fixed for RHEL-8

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-249.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. configure and start a pacemaker cluster
2. create a cluster resource using ocf:heartbeat:mysql resource agent
3.

Actual results:
mysql resource is unable to start due to SELinux AVC denials

Expected results:
no AVCs, resource starts successfully and works

Additional info:

Comment 5 Milos Malik 2019-08-15 08:57:59 UTC
Can you run the scenario on RHEL-7.7 after enabling the daemons_enable_cluster_mode boolean? It should work IMO.

# setsebool -P daemons_enable_cluster_mode on

Comment 6 Patrik Hagara 2019-08-15 15:43:59 UTC
Yes, it does work.

testrun with daemons_enable_cluster_mode off (fail): https://beaker.cluster-qe.lab.eng.brq.redhat.com/bkr/jobs/99331
testrun with daemons_enable_cluster_mode on (pass): https://beaker.cluster-qe.lab.eng.brq.redhat.com/bkr/jobs/99332
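
To triage denials like the ones in the description before reaching for a boolean or a local policy module, here is an added example (not part of this bug report or of selinux-policy) that reduces raw audit.log AVC records to the permission set denied per source type, target type and object class. The sample input is constructed from the bug's own AVC lines; with every denial being mysqld_t on cluster_var_run_t, the cluster-mode boolean from Comment 5 is the first thing to check.

```python
import re
from collections import defaultdict

# Constructed sample: five AVC records copied from the bug description (one start/stop
# cycle of mysqld) plus a SYSCALL record, to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1559226482.257:436): avc:  denied  { write } for  pid=7564 comm="mysqld" path="/run/mysql/mysqld.pid" dev="tmpfs" ino=96210 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226482.257:436): avc:  denied  { create } for  pid=7564 comm="mysqld" name="mysqld.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226482.257:436): avc:  denied  { add_name } for  pid=7564 comm="mysqld" name="mysqld.pid" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1559226511.449:539): avc:  denied  { unlink } for  pid=7564 comm="mysqld" name="mysqld.pid" dev="tmpfs" ino=96210 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559226511.449:539): avc:  denied  { remove_name } for  pid=7564 comm="mysqld" name="mysqld.pid" dev="tmpfs" ino=96210 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1559226511.449:539): arch=c000003e syscall=87 success=yes exit=0 comm="mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
"""

# One AVC record: verdict, permission set, source/target context and object class.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Parse one audit line; returns None for anything that is not an AVC record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    # A context is user:role:type:level, so index 2 is the type.
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def summarize_denials(text):
    """Union of denied permissions per (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)

def target_types(summary):
    """Distinct target types in the denials; a single one (here cluster_var_run_t)
    means every denial is mysqld_t touching the same cluster-labelled path."""
    return {ttype for (_, ttype, _) in summary}
```

Run it against /var/log/audit/audit.log (or `ausearch -m AVC` output) on the affected node; if a target type other than cluster_var_run_t shows up, the boolean alone will not explain the failure.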

Comment 9 errata-xmlrpc 2020-03-31 19:10:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1007