Bug 753896

Summary: SELinux breaks mysql-server
Product: [Fedora] Fedora Reporter: Aleksander Zdyb <o_ojo>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-17 21:26:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Aleksander Zdyb 2011-11-14 19:33:00 UTC 
SELinux in enforcing mode prevents clients to connect mysql socket and even starting the service.


Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-55.fc16.noarch
libselinux-2.1.6-4.fc16.x86_64
libselinux-2.1.6-4.fc16.i686
selinux-policy-targeted-3.10.0-55.fc16.noarch
mysql-server-5.5.16-3.fc16.x86_64
mysql-libs-5.5.16-3.fc16.x86_64


How reproducible: always


Steps to Reproduce:
1. Set SELinux to Enforcing
2. Start mysql-server (`systemct start mysqld.service`)
  
Actual results:
# systemctl start mysqld.service
Job failed. See system logs and 'systemctl status' for details.

# systemctl status mysqld.service
mysqld.service - MySQL database server
	  Loaded: loaded (/lib/systemd/system/mysqld.service; disabled)
	  Active: failed since Mon, 14 Nov 2011 19:48:57 +0100; 6s ago
	 Process: 7247 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=127)
	 Process: 7231 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/mysqld.service



Expected results:
Service should be started.

Additional info:
If I load the service manually (`/usr/bin/mysqld_safe --nowatch --basedir=/usr`), it's started, but no client can connect to socket. Switching SELinux to permissive mode solves the problem.

The issue may be duplicate or connected with https://bugzilla.redhat.com/show_bug.cgi?id=753816
Comment 1 Miroslav Grepl 2011-11-15 08:39:15 UTC 
What AVC msgs are you getting?
Comment 2 Aleksander Zdyb 2011-11-15 16:39:12 UTC 
Sorry, but I don't know what to look for. In audit log I've got only this:

# cat audit/audit.log|grep mysql
type=SERVICE_START msg=audit(1318435113.754:73): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1318527563.604:428): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1318527567.226:429): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1319469961.119:107): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1319732313.471:190): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1320256991.062:126): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1320574339.181:286): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1320774786.544:1300): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="mysqld" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'

and I've even don't know if it's relevant.
Comment 3 Daniel Walsh 2011-11-16 20:46:46 UTC 
None of those are AVC'S Those are all good.

Did you change any of the default settings?  Did you move the location of your mysql database?

ausearch -m avc 

Will list all AVC's
Comment 4 Aleksander Zdyb 2011-11-17 14:57:18 UTC 
(In reply to comment #3)
> Did you change any of the default settings?  Did you move the location of your
> mysql database?

No, nothing changed and nothing moved.

> ausearch -m avc 
> Will list all AVC's

There is nothing related to mysql and the newest AVC is from time, the problem didn't yet existed. In fact, all of them are from F15 version and none is dated after November, 8, when I upgraded (using preupgrade) to F16.

Just to be clear: it didn't break after upgrading the system. It worked for a day or two.

Is there anything I can do that may help to solve the problem?
Comment 5 Daniel Walsh 2011-11-17 18:58:38 UTC 
Could you make sure audit is running.

service auditd status

Turn it back on, I am not sure it runs after update.
Comment 6 Aleksander Zdyb 2011-11-17 19:52:05 UTC 
(In reply to comment #5)
> Could you make sure audit is running.
> service auditd status
> Turn it back on, I am not sure it runs after update.

You were right, Daniel. auditd was down for unknown reason (I didn't touch it).

I turned it on, and tried to start mysqld again. Now I've got those AVCs:


----
time->Thu Nov 17 20:40:11 2011
type=SYSCALL msg=audit(1321558811.710:12): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fff6f6eb550 items=0 ppid=1 pid=20575 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1321558811.710:12): avc:  denied  { read } for  pid=20575 comm="mysqld_safe" path="/bin/bash" dev=sda7 ino=5164 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Thu Nov 17 20:40:11 2011
type=SYSCALL msg=audit(1321558811.918:14): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fff6b9fe860 items=0 ppid=1 pid=20596 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1321558811.918:14): avc:  denied  { read } for  pid=20596 comm="mysqld_safe" path="/bin/bash" dev=sda7 ino=5164 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Thu Nov 17 20:40:12 2011
type=SYSCALL msg=audit(1321558812.131:16): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fff3e79a580 items=0 ppid=1 pid=20614 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1321558812.131:16): avc:  denied  { read } for  pid=20614 comm="mysqld_safe" path="/bin/bash" dev=sda7 ino=5164 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Thu Nov 17 20:40:12 2011
type=SYSCALL msg=audit(1321558812.368:18): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fff24818290 items=0 ppid=1 pid=20632 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1321558812.368:18): avc:  denied  { read } for  pid=20632 comm="mysqld_safe" path="/bin/bash" dev=sda7 ino=5164 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Thu Nov 17 20:40:12 2011
type=SYSCALL msg=audit(1321558812.583:20): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fffe2816310 items=0 ppid=1 pid=20650 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1321558812.583:20): avc:  denied  { read } for  pid=20650 comm="mysqld_safe" path="/bin/bash" dev=sda7 ino=5164 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Thu Nov 17 20:40:12 2011
type=SYSCALL msg=audit(1321558812.797:22): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fff5ca19b50 items=0 ppid=1 pid=20669 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1321558812.797:22): avc:  denied  { read } for  pid=20669 comm="mysqld_safe" path="/bin/bash" dev=sda7 ino=5164 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file


Now it looks like duplicate of: https://bugzilla.redhat.com/show_bug.cgi?id=753816

I will check if selinux-policy-3.10.0-56.fc16 fixes the problem as soon as it gets to my updates mirror.
Comment 7 Daniel Walsh 2011-11-17 21:26:21 UTC 
Yup I believe you are correct.

*** This bug has been marked as a duplicate of bug 753816 ***
Comment 8 Aleksander Zdyb 2011-11-18 17:10:48 UTC 
Now I can confirm that the problem is fixed with selinux-policy-3.10.0-56.fc16.
Comment 9 Daniel Walsh 2011-11-18 17:59:35 UTC 
Update karma.