Description of problem: mysql-workbench-community-6.3.10-1.fc27.x86_64 mysql-community-common-8.0.4-0.1.rc.fc27.x86_64 mysql-community-libs-8.0.4-0.1.rc.fc27.x86_64 mysql57-community-release-fc27-10.noarch mysql-community-client-8.0.4-0.1.rc.fc27.x86_64 mysql-community-server-8.0.4-0.1.rc.fc27.x86_64 selinux-policy-targeted-3.13.1-283.21.fc27.noarch selinux-policy-3.13.1-283.21.fc27.noarch setroubleshoot-server-3.3.15-1.fc27.x86_64 setroubleshoot-3.3.15-1.fc27.x86_64 setroubleshoot-plugins-3.3.9-3.fc27.noarch update to mysql 8.0.4 SELinux is preventing mysqld from using the 'sys_nice' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** Si cree que mysqld debería tener la capacidad de sys_nice de forma predeterminada. Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso. Do permita el acceso temporalmente ejecutando: # ausearch -c 'mysqld' --raw | audit2allow -M mi-mysqld # semodule -X 300 -i mi-mysqld.pp Additional Information: Source Context system_u:system_r:mysqld_t:s0 Target Context system_u:system_r:mysqld_t:s0 Target Objects Unknown [ capability ] Source mysqld Source Path mysqld Port <Desconocido> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.21.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54 UTC 2018 x86_64 x86_64 Alert Count 1095 First Seen 2018-02-01 10:46:40 CET Last Seen 2018-02-01 12:36:37 CET Local ID 15c9c979-5c2f-4650-a27a-91e54915a9f9 Raw Audit Messages type=AVC msg=audit(1517484997.191:5218): avc: denied { sys_nice } for pid=27326 comm="mysqld" capability=23 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0 Hash: mysqld,mysqld_t,mysqld_t,capability,sys_nice Version-Release number of selected component: selinux-policy-3.13.1-283.21.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.14.14-300.fc27.x86_64 type: libreport
Hi Mysql folks, Does mysql using sys_nice capability? CAP_SYS_NICE * Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbi‐ trary processes; * set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2), shed_setattr(2)); * set CPU affinity for arbitrary processes (sched_setaffinity(2)); * set I/O scheduling class and priority for arbitrary processes (ioprio_set(2)); * apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes; * apply move_pages(2) to arbitrary processes; * use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2). Thanks, Lukas.
*** Bug 1573032 has been marked as a duplicate of this bug. ***
mysql-workbench-community-6.3.10-1.fc27.x86_64 mysql-connector-python3-8.0.11-1.fc28.x86_64 mysql-community-server-8.0.11-1.fc28.x86_64 mysql-shell-8.0.11-1.fc28.x86_64 mysql-community-client-8.0.11-1.fc28.x86_64 mysql80-community-release-fc28-1.noarch mysql-community-libs-8.0.11-1.fc28.x86_64 mysql-connector-java-8.0.11-1.fc28.noarch mysql-community-common-8.0.11-1.fc28.x86_64 selinux-policy-3.14.1-21.fc28.noarch selinux-policy-targeted-3.14.1-21.fc28.noarch setroubleshoot-3.3.17-1.fc28.x86_64 setroubleshoot-plugins-3.3.9-3.fc28.noarch setroubleshoot-server-3.3.17-1.fc28.x86_64 I'm in F28 beta now and with the inminent release of MYSQL 8 (GA) some days ago this still happen .... Regards.,
*** Bug 1579160 has been marked as a duplicate of this bug. ***
Looking at the packages carefully, those are coming from upstream, in Fedora we have community-mysql, so re-assigning. I think we should check whether the same issue is also seen in case of community-mysql packages.
I think this is due to MySQL WL#9467 - Resource Groups commit: https://github.com/mysql/mysql-server/commit/c47051b4be2110ed6225860448fe8657cf500a4a WorkLog: https://dev.mysql.com/worklog/task/?id=9467 which is new in MySQL 8.0. The move to /usr/bin and this sys_nice issue should be fixed in selinux-policy I think?
FYI: move to /usr/bin/ is https://bugzilla.redhat.com/show_bug.cgi?id=1584643
In downstream community-mysql we are missing cap_sys_nice on mysqld binary. Therefore we dont see selinux AVCs. But resource groups dont work. Reproduce: # dnf install community-mysql-server # systemctl start mysql Connect to mysql server and create resource group and apply: mysql> CREATE RESOURCE GROUP rg1 TYPE = USER VCPU = 0 THREAD_PRIORITY = 19; mysql> SET RESOURCE GROUP rg1; Maybe here should be some error message about "there is not capability set on binary". But currently I cant see any visible clue that groups dont work. Only thread nice doesnt change, while you are connected to mysql server, on mysql server run: # ps -T ax -o ni,cmd | grep mysqld | grep '^ 19 ' <empty> # systemctl stop mysqld After you set capability on binary: # setcap cap_sys_nice+ep /usr/libexec/mysqld # systemctl start mysqld AVCs appear. Now if you try to set resource group in current login session: mysql> SET RESOURCE GROUP rg1; # ps -T ax -o ni,cmd | grep mysqld | grep '^ 19 ' 19 /usr/libexec/mysqld --basedir=/usr Seems it works, but these log entries appears in mysql log: 2018-08-29T13:30:08.980728Z 8 [ERROR] [MY-010985] [Server] Setting thread priority 0 to thread id 1099 failed. (error code 0 - Success). 2018-08-29T13:30:08.980765Z 8 [Warning] [MY-010979] [Server] Unable to apply resource group controller USR_default. Creating and installing selinux module from audited errors allows setting resource groups without errors: audit2allow -a -M test semodule -i test.pp
Fix pushed to the repo; rebuilds are on the way.
finally works in F28 follow process : https://bugzilla.redhat.com/show_bug.cgi?id=1629380 https://bugs.mysql.com/bug.php?id=92476 Thx fedora folks... regards mysql-connector-python3-8.0.12-1.fc28.x86_64 mysql-connector-java-8.0.12-1.fc28.noarch mysql-community-client-8.0.12-1.fc28.x86_64 mysql-community-common-8.0.12-1.fc28.x86_64 mysql-workbench-community-8.0.12-1.fc28.x86_64 mysql-connector-python-8.0.12-1.fc28.x86_64 mysql-community-server-8.0.12-1.fc28.x86_64 mysql-community-libs-8.0.12-1.fc28.x86_64 mysql80-community-release-fc28-1.noarch mysql-shell-8.0.12-1.fc28.x86_64 selinux-policy-targeted-3.14.1-42.fc28.noarch selinux-policy-3.14.1-42.fc28.noarch selinux-policy-devel-3.14.1-42.fc28.noarch setroubleshoot-server-3.3.17-1.fc28.x86_64 setroubleshoot-plugins-3.3.9-3.fc28.noarch setroubleshoot-3.3.17-1.fc28.x86_64
community-mysql-8.0.13-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c82fc3e109
community-mysql-8.0.13-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c82fc3e109
community-mysql-8.0.13-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.