Bug 800907

Summary: avc denial, comm="mysqld_safe" path="/bin/bash"; mysqld cannot start
Product: Red Hat Enterprise Linux 7
Reporter: Petr Sklenar <psklenar>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: high
Version: 7.0
CC: hhorak, mgrepl, mmalik
Target Milestone: rc
Keywords: Regression
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.10.0-96.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:41:04 UTC

Description Petr Sklenar 2012-03-07 13:53:59 UTC
Description of problem:
Try to start / stop the default configuration of mysqld;
mysqld cannot start.

Version-Release number of selected component (if applicable):
mysql-server-5.5.16-3.el7.x86_64
selinux-policy-3.10.0-56.el7.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. service mysqld stop
2. service mysqld start
# mysqld is not running
  
Actual results:
[root@nec-em6 bz675906-client-long-line-backslash-regression]# service mysqld stop
Redirecting to /bin/systemctl  stop mysqld.service
[root@nec-em6 bz675906-client-long-line-backslash-regression]# service mysqld start
Redirecting to /bin/systemctl  start mysqld.service
type=AVC msg=audit(1331127781.467:1073): avc:  denied  { read } for  pid=18407 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Job failed. See system logs and 'systemctl status' for details.
[root@nec-em6 bz675906-client-long-line-backslash-regression]# type=AVC msg=audit(1331127781.846:1075): avc:  denied  { read } for  pid=18464 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127782.204:1077): avc:  denied  { read } for  pid=18520 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127782.571:1079): avc:  denied  { read } for  pid=18576 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127782.937:1081): avc:  denied  { read } for  pid=18631 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127783.299:1083): avc:  denied  { read } for  pid=18686 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Expected results:
no denial
service can start successfully

Additional info:
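
Added example, not part of the original report: a small Python triage helper that parses AVC denial records like the ones above and collapses repeats that differ only in pid and timestamp into one line per (source type, target type, class, permissions, path). The sample input is constructed from two of the records in this report with a shortened shell prompt; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: two AVC records from the report (one preceded by a shell
# prompt, as on the console) and one non-AVC line that must be skipped.
SAMPLE = '''\
type=AVC msg=audit(1331127781.467:1073): avc:  denied  { read } for  pid=18407 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Job failed. See system logs and 'systemctl status' for details.
[root@host dir]# type=AVC msg=audit(1331127781.846:1075): avc:  denied  { read } for  pid=18464 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)  # search(), so a leading shell prompt is tolerated
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    fields['perms'] = tuple(m.group('perms').split())
    fields['timestamp'] = float(m.group('ts'))
    # SELinux contexts are user:role:type:level; the type drives the decision.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def summarize(text):
    """Count denials per (source type, target type, class, perms, path)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec['source_type'], rec['target_type'],
                    rec.get('tclass'), rec['perms'], rec.get('path'))] += 1
    return counts


if __name__ == '__main__':
    for (src, tgt, cls, perms, path), n in summarize(SAMPLE).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} path={path}")
```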

Comment 1 Daniel Walsh 2012-03-07 18:59:38 UTC
Fixed in selinux-policy-3.10.0-96

Comment 2 Milos Malik 2012-03-28 07:03:10 UTC
Together with the AVCs, the following lines appear in /var/log/messages:

Mar 28 09:58:27 pokus mysqld_safe[1288]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied
Mar 28 09:58:27 pokus systemd[1]: mysqld.service: control process exited, code=exited status=127
Mar 28 09:58:27 pokus systemd[1]: mysqld.service holdoff time over, scheduling restart.
Mar 28 09:58:27 pokus systemd[1]: Job pending for unit, delaying automatic restart.
Mar 28 09:58:27 pokus systemd[1]: Unit mysqld.service entered failed state.
Mar 28 09:58:27 pokus systemd[1]: mysqld.service start request repeated too quickly, refusing to start.

Comment 4 Ludek Smid 2014-06-13 11:41:04 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.