Bug 754072

Summary: mysqld does not start with selinux in enforcing mode
Product: Fedora
Component: mysql
Version: 16
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Reporter: David Downing <dave.downing>
Assignee: Tom Lane <tgl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: deron.meranda, dew, dietervandenbroeck, hhorak, jfarre, richardfearn, tgl
Doc Type: Bug Fix
Clones: 759679
Last Closed: 2011-11-17 16:12:13 UTC

Description David Downing 2011-11-15 11:05:24 UTC
Description of problem:
MySQL service fails to start if selinux in enforcing mode

Version-Release number of selected component (if applicable):
mysql-5.5.16-3.fc16.x86_64

How reproducible:
Always with all current updates applied

Steps to Reproduce:
1. setenforce enforcing
2. systemctl start mysqld.service
3.
  
Actual results:
"Job failed. See system logs and 'systemctl status' for details."

# systemctl status mysqld.service 
mysqld.service - MySQL database server
	  Loaded: loaded (/lib/systemd/system/mysqld.service; enabled)
	  Active: failed since Tue, 15 Nov 2011 10:55:37 +0000; 17s ago
	 Process: 1433 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
	 Process: 9490 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=127)
	 Process: 9474 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
	Main PID: 1430 (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/mysqld.service

From /var/log/messages:

Nov 13 12:23:11 laptop systemd[1]: mysqld.service: control process exited, code=exited status=127
Nov 13 12:23:11 laptop systemd[1]: mysqld.service holdoff time over, scheduling restart.
Nov 13 12:23:11 laptop systemd[1]: Unit mysqld.service entered failed state.
Nov 13 12:23:11 laptop mysqld_safe[1363]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied

Expected results:
mysql service should start

Additional info:

mysql starts when selinux is in permissive mode 

# setenforce permissive
# systemctl start mysqld.service 
# systemctl status mysqld.service 
mysqld.service - MySQL database server
	  Loaded: loaded (/lib/systemd/system/mysqld.service; enabled)
	  Active: active (running) since Tue, 15 Nov 2011 11:02:51 +0000; 6s ago
	 Process: 9739 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
	 Process: 9588 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=0/SUCCESS)
	 Process: 9572 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
	Main PID: 9738 (mysqld)
	  CGroup: name=systemd:/system/mysqld.service
		  └ 9738 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=...

Comment 1 David Downing 2011-11-15 11:09:36 UTC
Forgot to add that
# restorecon -r /
makes no difference.

Comment 2 Deron Meranda 2011-11-16 08:21:21 UTC
I am seeing this too. Immediately after upgrading from F15 to F16, mysqld would start fine. However, after updating all the system packages I am now getting an SELinux AVC error. I don't know what in particular may have changed.

I am using the SELinux Targeted policy in enforcing mode. In particular,

selinux-policy-targeted-3.10.0-55.fc16.noarch

The errors getting logged are:

Nov 16 03:10:37 beryl kernel: [ 3201.542880] type=1400 audit(1321431037.652:22): avc:  denied  { read } for  pid=4498 comm="mysqld_safe" path="/bin/bash" dev=dm-0 ino=5505036 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Nov 16 03:10:37 beryl mysqld_safe[4498]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied


The SELinux booleans related to MySQL are set as:

allow_user_mysql_connect --> off
mysql_connect_any --> off

Comment 3 Dieter Vandenbroeck 2011-11-16 10:01:38 UTC
Same problem here.

[Dieter@DieterLaptop ~]$ rpm -qa | grep mysql
mysql-server-5.5.16-3.fc16.x86_64
mysql-libs-5.5.16-3.fc16.x86_64
mysql-5.5.16-3.fc16.x86_64
mysql-utilities-1.0.1-0.5.2.35.fc16.noarch
[Dieter@DieterLaptop ~]$ rpm -qa | grep selinux
libselinux-python-2.1.6-4.fc16.x86_64
libselinux-2.1.6-4.fc16.x86_64
selinux-policy-targeted-3.10.0-55.fc16.noarch
selinux-policy-3.10.0-55.fc16.noarch
libselinux-utils-2.1.6-4.fc16.x86_64
libselinux-2.1.6-4.fc16.i686

It looks like this bug is caused by http://bugzilla.redhat.com/show_bug.cgi?id=753816

Comment 4 Tom Lane 2011-11-17 15:34:13 UTC
*** Bug 754672 has been marked as a duplicate of this bug. ***

Comment 5 Tom Lane 2011-11-17 15:36:00 UTC
Please see whether your issue isn't fixed by
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16

Comment 6 Tom Lane 2011-11-17 15:39:25 UTC
*** Bug 753851 has been marked as a duplicate of this bug. ***

Comment 7 Dieter Vandenbroeck 2011-11-17 15:48:38 UTC
selinux-policy-3.10.0-56.fc16 fixes the bug. Problem solved.

Comment 8 Tom Lane 2011-11-17 16:12:13 UTC
OK, thanks for the followup.

*** This bug has been marked as a duplicate of bug 753816 ***

Comment 9 Donald Edward Winslow 2011-11-17 21:56:08 UTC
selinux-policy-3.10.0-56.fc16 fixed it for me, too.

Donald

Comment 10 David Downing 2011-11-17 22:05:54 UTC
As the original submitter of this bug I am beginning to feel a bit left out!

# yum clean all && yum --enablerepo=updates-testing update selinux-policy

just gives me "No Packages marked for Update"

# rpm -q selinux-policy
selinux-policy-3.10.0-55.fc16.noarch

Comment 11 Donald Edward Winslow 2011-11-17 22:11:34 UTC
David,

The update is available at https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16 or on koji.

Donald

Comment 12 Deron Meranda 2011-11-17 22:14:19 UTC
The updated packages haven't yet shown up in the updates-testing repository. I don't know if it is just a natural repo-push delay, or they are still waiting on confirmation that it fixes all the other bugs not related to mysql.

You can download the RPM files directly from the Fedora build system at

http://koji.fedoraproject.org/koji/buildinfo?buildID=274347

and install them using plain rpm, e.g., "rpm -Uvh"

Comment 13 Donald Edward Winslow 2011-11-17 22:15:25 UTC
You can influence how quickly the bugs get pushed to testing by adding karma at:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16

Donald

Comment 14 David Downing 2011-11-17 23:25:43 UTC
Fixed for me too and added the karma.