Bug 1218952 - mysql and postgres can't write logs??
Summary: mysql and postgres can't write logs??
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-06 09:32 UTC by Robin Powell
Modified: 2016-12-20 13:39 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.13.1-128.4.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-20 13:39:11 UTC


Attachments (Terms of Use)

Description Robin Powell 2015-05-06 09:32:51 UTC
I want to be clear: this is *obviously absurd*.  There's no way you'd release with a bug like this, even with unconfined disabled.  Something must be wonky on my system.  But I don't know a better way to contact y'all, so...

I'm running a host with unconfined disabled as I mentioned.  I have *just* upgraded to F21, and rebooted, and did a restorecon -R / , and now neither mariadb nor postgresql can write their logs or databases!

Here's the audit2allow -R:

rlpowell@morji> cat /tmp/avcs_mysql| audit2allow -R

require {
        type mysqld_db_t;
        type mysqld_log_t;
        type init_t;
        class dir { write add_name };
        class file { setattr read create write getattr open };
}

#============= init_t ==============
allow init_t mysqld_db_t:file { read getattr open };
allow init_t mysqld_log_t:dir { write add_name };
allow init_t mysqld_log_t:file { write getattr open create setattr };
antivirus_domain_template(init_t)
rlpowell@morji> cat /tmp/avcs_psql |  audit2allow -R

require {
        type postgresql_db_t;
        type init_t;
        class file { read getattr open };
}

#============= init_t ==============
allow init_t postgresql_db_t:file { read getattr open };

The AVCs are at  http://paste.fedoraproject.org/218910/90472814 and  http://paste.fedoraproject.org/218911/04743143

Help?

Comment 1 Miroslav Grepl 2015-05-12 14:46:32 UTC
What does

# ps -efZ |grep mariadb

It looks it could come from unit files?

Comment 2 Robin Powell 2015-05-15 00:31:12 UTC
rlpowell@morji> ps -efZ |grep mariadb
system_u:system_r:mysqld_t:s0   mysql     3914  3746  3 May06 ?        05:18:56 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock --port=3306

Comment 3 Robin Powell 2015-05-15 00:31:41 UTC
I'm not sure if that question about unit files was a question I was supposed to answer?

Comment 4 Robin Powell 2015-05-27 23:21:35 UTC
Any thoughts here?  Having a Fedora upgrade completely break my system is frustrating.

Comment 5 Robin Powell 2015-05-28 19:20:46 UTC
In case it helps:

rlpowell@morji> find /lib/systemd | grep -i maria | xargs ls -lZ
-rw-r--r--. root root staff_u:object_r:mysqld_unit_file_t:s0 /lib/systemd/system/mariadb.service
-rw-r--r--. root root staff_u:object_r:mysqld_unit_file_t:s0 /lib/systemd/system/mariadb.service.d/mysql-compat.conf

/lib/systemd/system/mariadb.service.d:
-rw-r--r--. root root staff_u:object_r:mysqld_unit_file_t:s0 mysql-compat.conf
rlpowell@morji> find /lib/systemd | grep -i mysql | xargs ls -lZ
-rw-r--r--. root root staff_u:object_r:mysqld_unit_file_t:s0 /lib/systemd/system/mariadb.service.d/mysql-compat.conf
-rw-r--r--. root root staff_u:object_r:mysqld_unit_file_t:s0 /lib/systemd/system/mysqld.service
rlpowell@morji> find /lib/systemd | grep -i post | xargs ls -lZ
-rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 /lib/systemd/system/postgresql.service
rlpowell@morji>

Comment 6 Robin Powell 2015-06-20 07:54:05 UTC
Upgraded to F22 and did a big reinstall:

Reinstalled:
  libselinux.x86_64 2.3-10.fc22                         libselinux-python.x86_64 2.3-10.fc22                libselinux-ruby.x86_64 2.3-10.fc22                       libselinux-utils.x86_64 2.3-10.fc22
  mariadb.x86_64 1:10.0.19-2.fc22                       mariadb-common.x86_64 1:10.0.19-2.fc22              mariadb-config.x86_64 1:10.0.19-2.fc22                   mariadb-errmsg.x86_64 1:10.0.19-2.fc22
  mariadb-libs.x86_64 1:10.0.19-2.fc22                  mariadb-server.x86_64 1:10.0.19-2.fc22              postgresql.x86_64 9.4.3-1.fc22                           postgresql-libs.x86_64 9.4.3-1.fc22
  postgresql-server.x86_64 9.4.3-1.fc22                 postgresql-upgrade.x86_64 9.4.3-1.fc22              rpm-plugin-selinux.x86_64 4.12.0.1-9.fc22                selinux-policy.noarch 3.13.1-128.1.fc22
  selinux-policy-devel.noarch 3.13.1-128.1.fc22         selinux-policy-doc.noarch 3.13.1-128.1.fc22         selinux-policy-targeted.noarch 3.13.1-128.1.fc22         systemd.x86_64 219-18.fc22
  systemd-compat-libs.x86_64 219-18.fc22                systemd-journal-gateway.x86_64 219-18.fc22          systemd-libs.x86_64 219-18.fc22                          systemd-python.x86_64 219-18.fc22


-- and it seems to be fine now.  No idea what the hell.

Comment 7 Robin Powell 2015-06-23 05:25:50 UTC
Aaaand now it's back again:

type=AVC msg=audit(06/22/2015 22:23:25.776:4296) : avc:  denied  { getattr } for  pid=1839 comm=mysql-prepare-d path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 t
context=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=0

And my entire database system is once again broken.  What is going *on*?

Comment 8 Robin Powell 2015-06-23 05:29:13 UTC
More detail:

type=AVC msg=audit(06/22/2015 22:28:23.928:5882) : avc:  denied  { write } for  pid=2128 comm=touch name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(06/22/2015 22:28:23.928:5883) : avc:  denied  { write } for  pid=2128 comm=touch name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(06/22/2015 22:28:23.930:5885) : avc:  denied  { getattr } for  pid=2099 comm=mysql-prepare-d path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=0


Jun 22 22:28:29 morji.digitalkingdom.org systemd[1]: Starting MariaDB 10.0 database server...
Jun 22 22:28:29 morji.digitalkingdom.org mysql-prepare-db-dir[2192]: touch: cannot touch '/var/log/mariadb/mariadb.log': Permission denied
Jun 22 22:28:29 morji.digitalkingdom.org mysql-prepare-db-dir[2192]: The log file /var/log/mariadb/mariadb.log could not be created.
Jun 22 22:28:29 morji.digitalkingdom.org mysql-prepare-db-dir[2192]: The daemon will be run under mysql:mysql
Jun 22 22:28:29 morji.digitalkingdom.org systemd[1]: mariadb.service: control process exited, code=exited status=1
Jun 22 22:28:29 morji.digitalkingdom.org systemd[1]: Failed to start MariaDB 10.0 database server.
Jun 22 22:28:29 morji.digitalkingdom.org systemd[1]: Unit mariadb.service entered failed state.
Jun 22 22:28:29 morji.digitalkingdom.org systemd[1]: mariadb.service failed.

Comment 9 Robin Powell 2015-06-23 05:30:38 UTC
And here's a test with setenforce 0:

type=AVC msg=audit(06/22/2015 22:29:41.433:6210) : avc:  denied  { connectto } for  pid=2578 comm=mysqladmin path=/var/lib/mysql/mysql.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(06/22/2015 22:29:41.433:6210) : avc:  denied  { write } for  pid=2578 comm=mysqladmin name=mysql.sock dev="vda2" ino=359 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(06/22/2015 22:29:42.504:6227) : avc:  denied  { getattr } for  pid=2581 comm=mysql-check-upg path=/var/lib/mysql/mysql_upgrade_info dev="vda2" ino=758 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mysqld_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:42.505:6228) : avc:  denied  { read } for  pid=2581 comm=mysql-check-upg name=mysql_upgrade_info dev="vda2" ino=758 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mysqld_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:42.508:6231) : avc:  denied  { open } for  pid=2605 comm=cat path=/var/lib/mysql/mysql_upgrade_info dev="vda2" ino=758 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mysqld_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:50.081:6338) : avc:  denied  { open } for  pid=2732 comm=touch path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:50.081:6338) : avc:  denied  { write } for  pid=2732 comm=touch name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:50.084:6340) : avc:  denied  { getattr } for  pid=2733 comm=chown path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:50.084:6341) : avc:  denied  { setattr } for  pid=2733 comm=chown name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:52.167:6439) : avc:  denied  { connectto } for  pid=2951 comm=mysqladmin path=/var/lib/mysql/mysql.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(06/22/2015 22:29:52.167:6439) : avc:  denied  { write } for  pid=2951 comm=mysqladmin name=mysql.sock dev="vda2" ino=359 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(06/22/2015 22:29:52.211:6456) : avc:  denied  { getattr } for  pid=2954 comm=mysql-check-upg path=/var/lib/mysql/mysql_upgrade_info dev="vda2" ino=758 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mysqld_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:52.211:6457) : avc:  denied  { read } for  pid=2954 comm=mysql-check-upg name=mysql_upgrade_info dev="vda2" ino=758 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mysqld_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:29:52.213:6460) : avc:  denied  { open } for  pid=2977 comm=cat path=/var/lib/mysql/mysql_upgrade_info dev="vda2" ino=758 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:mysqld_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:30:16.476:6565) : avc:  denied  { open } for  pid=3105 comm=touch path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:30:16.476:6565) : avc:  denied  { write } for  pid=3105 comm=touch name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:30:16.479:6567) : avc:  denied  { getattr } for  pid=3106 comm=chown path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:30:16.479:6568) : avc:  denied  { setattr } for  pid=3106 comm=chown name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 22:30:16.504:6571) : avc:  denied  { noatsecure } for  pid=3110 comm=mysqld_safe scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=process permissive=1

Comment 10 Robin Powell 2015-06-23 06:46:51 UTC
More information:

1.  rlpowell@morji> sudo ls -lZ /var/log/mariadb/mariadb.log
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_log_t:s0 73403 Jun 22 23:35 /var/log/mariadb/mariadb.log
rlpowell@morji>


2.  If I enable the unconfined module, these issues *do* go away.  So, it looks like this may actually be a real issue, and not just something insane on my system.

3.  The postgres side of things:


type=AVC msg=audit(06/22/2015 23:46:32.558:25479) : avc:  denied  { noatsecure } for  pid=17302 comm=sudo scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.558:25479) : avc:  denied  { siginh } for  pid=17302 comm=sudo scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.558:25479) : avc:  denied  { rlimitinh } for  pid=17302 comm=sudo scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.573:25482) : avc:  denied  { net_admin } for  pid=17302 comm=sudo capability=net_admin  scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=capability permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.577:25483) : avc:  denied  { write } for  pid=17302 comm=sudo path=/run/systemd/sessions/1.ref dev="tmpfs" ino=18006 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.581:25486) : avc:  denied  { noatsecure } for  pid=17303 comm=sesh scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.581:25486) : avc:  denied  { siginh } for  pid=17303 comm=sesh scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.581:25486) : avc:  denied  { rlimitinh } for  pid=17303 comm=sesh scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.651:25504) : avc:  denied  { getattr } for  pid=17320 comm=postgresql-chec path=/var/lib/pgsql/data/PG_VERSION dev="vda2" ino=532543 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:postgresql_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.652:25506) : avc:  denied  { open } for  pid=17321 comm=cat path=/var/lib/pgsql/data/PG_VERSION dev="vda2" ino=532543 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:postgresql_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.652:25506) : avc:  denied  { read } for  pid=17321 comm=cat name=PG_VERSION dev="vda2" ino=532543 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:postgresql_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.657:25507) : avc:  denied  { noatsecure } for  pid=17323 comm=postgresql-ctl scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=process permissive=1
type=AVC msg=audit(06/22/2015 23:46:32.657:25507) : avc:  denied  { rlimitinh } for  pid=17323 comm=postgresql-ctl scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=process permissive=1

Comment 11 Lukas Vrabec 2015-06-23 11:58:22 UTC
Hi, 

The main problem is that your maraidb deamon running under init_t domain not in mariadb_t domain. I'm going to reproduce this issue.

Comment 12 Lukas Vrabec 2015-06-23 14:15:38 UTC
commit 6096d7c24f1c9f9da5ddca613bcbc9ff7708a00d
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Jun 23 16:00:07 2015 +0200

    Add postgresql support for systemd unit files.

Comment 13 Robin Powell 2015-06-24 05:11:24 UTC
Yay thank you!  Does that mean that both the potsgres and mysql issues are fixed in that policy version?

Comment 14 Lukas Vrabec 2015-06-24 08:18:02 UTC
Hi, 
Please test it with http://koji.fedoraproject.org/koji/buildinfo?buildID=664643 this package. Before tests please use restorecon to fix labels in your system.

Comment 15 Fedora Update System 2015-06-30 07:33:45 UTC
selinux-policy-3.13.1-128.4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.4.fc22

Comment 16 Fedora Update System 2015-06-30 20:20:55 UTC
Package selinux-policy-3.13.1-128.4.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.4.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10974/selinux-policy-3.13.1-128.4.fc22
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2015-07-10 19:15:00 UTC
selinux-policy-3.13.1-128.4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Robin Powell 2016-04-22 20:15:05 UTC
So I'm sorry that I didn't test this earlier, but I had a hacky fix in place and I got busy, but it doesn't actually seem to be fixed.

I'm on Fedora 23 now, and I've upgraded everything, and did a restorecon -Rv /* (more or less; I excluded /proc and stuff)

    rlpowell@morji> sudo dnf list installed '*selinux*'                                                                                                                                                                  Last metadata expiration check: 2:41:07 ago on Fri Apr 22 10:31:49 2016.
    Installed Packages                                                                                                                                                                                                   docker-selinux.x86_64             2:1.9.1-9.gitee06d03.fc23     @updates
    libselinux.x86_64                 2.4-4.fc23                    @fedora                                                                                                                                              libselinux-python.x86_64          2.4-4.fc23                    @fedora
    libselinux-python3.x86_64         2.4-4.fc23                    @fedora                                                                                                                                              libselinux-ruby.x86_64            2.4-4.fc23                    @fedora
    libselinux-utils.x86_64           2.4-4.fc23                    @fedora                                                                                                                                              rpm-plugin-selinux.x86_64         4.13.0-0.rc1.12.fc23          @updates
    selinux-policy.noarch             3.13.1-158.14.fc23            @updates                                                                                                                                             selinux-policy-devel.noarch       3.13.1-158.14.fc23            @updates
    selinux-policy-doc.noarch         3.13.1-158.14.fc23            @updates                                                                                                                                             selinux-policy-targeted.noarch    3.13.1-158.14.fc23            @updates


But when I set dontaudit off and setenforce 0 and do "sudo service mysqld restart", I get the AVCs below.  And, in fact, mysql can't run.

I've re-opened the ticket; let me know if I should open a new one.


type=AVC msg=audit(04/22/2016 12:58:35.789:441286) : avc:  denied  { write } for  pid=31271 comm=touch name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_
log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:58:35.789:441287) : avc:  denied  { open } for  pid=31271 comm=touch path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:
object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:58:35.790:441288) : avc:  denied  { getattr } for  pid=31272 comm=chown path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system
_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:58:35.790:441289) : avc:  denied  { setattr } for  pid=31272 comm=chown name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysql
d_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:58:36.840:441290) : avc:  denied  { write } for  pid=31485 comm=mysqladmin name=mysql.sock dev="vda2" ino=655831 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mys
qld_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(04/22/2016 12:59:56.678:441307) : avc:  denied  { noatsecure } for  pid=31553 comm=hostname scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=process permissiv
e=1
type=AVC msg=audit(04/22/2016 12:59:56.772:441309) : avc:  denied  { write } for  pid=31624 comm=touch name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_
log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:59:56.772:441310) : avc:  denied  { open } for  pid=31624 comm=touch path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:
object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:59:56.774:441311) : avc:  denied  { getattr } for  pid=31625 comm=chown path=/var/log/mariadb/mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system
_u:object_r:mysqld_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:59:56.774:441312) : avc:  denied  { setattr } for  pid=31625 comm=chown name=mariadb.log dev="vda2" ino=655783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysql
d_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/22/2016 12:59:56.776:441313) : avc:  denied  { rlimitinh } for  pid=31627 comm=restorecon scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permissi
ve=1
type=AVC msg=audit(04/22/2016 12:59:56.776:441314) : avc:  denied  { noatsecure } for  pid=31627 comm=restorecon scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permiss
ive=1
type=AVC msg=audit(04/22/2016 12:59:56.795:441315) : avc:  denied  { rlimitinh } for  pid=31629 comm=mysqld_safe scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=process perm
issive=1
type=AVC msg=audit(04/22/2016 12:59:56.678:441306) : avc:  denied  { rlimitinh } for  pid=31553 comm=hostname scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=process permissive
=1
type=AVC msg=audit(04/22/2016 12:59:56.795:441316) : avc:  denied  { noatsecure } for  pid=31629 comm=mysqld_safe scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=process per
missive=1
type=AVC msg=audit(04/22/2016 12:59:56.886:441317) : avc:  denied  { rlimitinh } for  pid=31809 comm=mysqld scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permiss
ive=1
type=AVC msg=audit(04/22/2016 12:59:56.886:441318) : avc:  denied  { siginh } for  pid=31809 comm=mysqld scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive
=1
type=AVC msg=audit(04/22/2016 12:59:56.886:441319) : avc:  denied  { noatsecure } for  pid=31809 comm=mysqld scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permis
sive=1
type=AVC msg=audit(04/22/2016 12:59:57.830:441320) : avc:  denied  { write } for  pid=31837 comm=mysqladmin name=mysql.sock dev="vda2" ino=655831 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mys
qld_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(04/22/2016 12:59:57.831:441321) : avc:  denied  { connectto } for  pid=31837 comm=mysqladmin path=/var/lib/mysql/mysql.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld
_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(04/22/2016 12:59:57.853:441322) : avc:  denied  { rlimitinh } for  pid=31847 comm=hostname scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=process permissive
=1
type=AVC msg=audit(04/22/2016 12:59:57.853:441323) : avc:  denied  { noatsecure } for  pid=31847 comm=hostname scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=process permissiv
e=1

Comment 19 Robin Powell 2016-04-22 20:16:08 UTC
Oh, I also did a systemctl daemon-reexec, just in case.  I have not done a full reboot, but I could if you  want.

Comment 20 Robin Powell 2016-04-27 05:14:14 UTC
Should I open a new ticket?

Comment 21 Fedora End Of Life 2016-11-24 11:46:19 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 22 Fedora End Of Life 2016-12-20 13:39:11 UTC
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.