Bug 1540946 - SELinux is preventing mysqld from using the 'sys_nice' capabilities.
Summary: SELinux is preventing mysqld from using the 'sys_nice' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: community-mysql
Version: 27
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Michal Schorm
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:041e04b306406a6ba642b3875b5...
Duplicates: 1573032 1579160
Depends On: 1593639 1629041
Blocks: 1628814 1628815
 
Reported: 2018-02-01 11:38 UTC by Héctor Louzao
Modified: 2018-11-10 03:18 UTC (History)

Fixed In Version: community-mysql-8.0.13-1.fc29
Clone Of:
Clones: 1628814
Environment:
Last Closed: 2018-11-10 03:18:14 UTC
Type: ---
Embargoed:



Description Héctor Louzao 2018-02-01 11:38:05 UTC
Description of problem:
mysql-workbench-community-6.3.10-1.fc27.x86_64
mysql-community-common-8.0.4-0.1.rc.fc27.x86_64
mysql-community-libs-8.0.4-0.1.rc.fc27.x86_64
mysql57-community-release-fc27-10.noarch
mysql-community-client-8.0.4-0.1.rc.fc27.x86_64
mysql-community-server-8.0.4-0.1.rc.fc27.x86_64

selinux-policy-targeted-3.13.1-283.21.fc27.noarch
selinux-policy-3.13.1-283.21.fc27.noarch

setroubleshoot-server-3.3.15-1.fc27.x86_64
setroubleshoot-3.3.15-1.fc27.x86_64
setroubleshoot-plugins-3.3.9-3.fc27.noarch

update to mysql 8.0.4
SELinux is preventing mysqld from using the 'sys_nice' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mysqld should have the sys_nice capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M mi-mysqld
# semodule -X 300 -i mi-mysqld.pp

Additional Information:
Source Context                system_u:system_r:mysqld_t:s0
Target Context                system_u:system_r:mysqld_t:s0
Target Objects                Unknown [ capability ]
Source                        mysqld
Source Path                   mysqld
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.14-300.fc27.x86_64 #1 SMP Fri
                              Jan 19 13:19:54 UTC 2018 x86_64 x86_64
Alert Count                   1095
First Seen                    2018-02-01 10:46:40 CET
Last Seen                     2018-02-01 12:36:37 CET
Local ID                      15c9c979-5c2f-4650-a27a-91e54915a9f9

Raw Audit Messages
type=AVC msg=audit(1517484997.191:5218): avc:  denied  { sys_nice } for  pid=27326 comm="mysqld" capability=23  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0


Hash: mysqld,mysqld_t,mysqld_t,capability,sys_nice

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport
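What the `audit2allow -M mi-mysqld` step suggested above would generate for this AVC, written out here as an added example so the rule can be reviewed before it is installed. This is not the file from the reporter's machine; the module name is the one the setroubleshoot suggestion uses, and the single rule is inferred from the AVC fields (scontext and tcontext both mysqld_t, tclass capability, permission sys_nice):

```te
# mi-mysqld.te (assumed content of the audit2allow output for the AVC above)
module mi-mysqld 1.0;

require {
    type mysqld_t;
    class capability sys_nice;
}

#============= mysqld_t ==============
# Capability checks are always against the process's own domain ("self"),
# which is why scontext and tcontext are identical in the AVC.
allow mysqld_t self:capability sys_nice;
```

If you build it by hand instead of through audit2allow, the usual sequence is `checkmodule -M -m -o mi-mysqld.mod mi-mysqld.te`, `semodule_package -o mi-mysqld.pp -m mi-mysqld.mod`, then `semodule -i mi-mysqld.pp`; afterwards `sesearch --allow -s mysqld_t -c capability -p sys_nice` should list the rule. The rule grants exactly the one permission the denial asked for and nothing else, which is the property to check whenever a generated module is installed; a local module like this is a workaround on the affected system until the packaged fix noted in this bug is available.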

Comment 1 Lukas Vrabec 2018-02-01 13:17:06 UTC
Hi Mysql folks, 

Does mysql use the sys_nice capability? 

       CAP_SYS_NICE
              * Raise process nice value (nice(2), setpriority(2)) and change the nice value for
                arbitrary processes;
              * set real-time scheduling policies for calling process, and set scheduling policies
                and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2),
                sched_setattr(2));
              * set CPU affinity for arbitrary processes (sched_setaffinity(2));
              * set I/O scheduling class and priority for arbitrary processes (ioprio_set(2));
              * apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to
                arbitrary nodes;
              * apply move_pages(2) to arbitrary processes;
              * use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).

Thanks,
Lukas.

Comment 2 Luis Salgado Sandoval 2018-04-29 22:52:57 UTC
*** Bug 1573032 has been marked as a duplicate of this bug. ***

Comment 3 Héctor Louzao 2018-04-30 14:18:17 UTC
mysql-workbench-community-6.3.10-1.fc27.x86_64
mysql-connector-python3-8.0.11-1.fc28.x86_64
mysql-community-server-8.0.11-1.fc28.x86_64
mysql-shell-8.0.11-1.fc28.x86_64
mysql-community-client-8.0.11-1.fc28.x86_64
mysql80-community-release-fc28-1.noarch
mysql-community-libs-8.0.11-1.fc28.x86_64
mysql-connector-java-8.0.11-1.fc28.noarch
mysql-community-common-8.0.11-1.fc28.x86_64

selinux-policy-3.14.1-21.fc28.noarch
selinux-policy-targeted-3.14.1-21.fc28.noarch

setroubleshoot-3.3.17-1.fc28.x86_64
setroubleshoot-plugins-3.3.9-3.fc28.noarch
setroubleshoot-server-3.3.17-1.fc28.x86_64

I'm on F28 beta now and with the imminent release of MySQL 8 (GA) some days ago this still happens...

Regards,

Comment 4 Lukas Vrabec 2018-05-21 13:08:47 UTC
*** Bug 1579160 has been marked as a duplicate of this bug. ***

Comment 5 Honza Horak 2018-06-05 10:05:02 UTC
Looking at the packages carefully, those are coming from upstream, in Fedora we have community-mysql, so re-assigning. I think we should check whether the same issue is also seen in case of community-mysql packages.

Comment 6 Terje Røsten 2018-06-05 17:23:02 UTC
I think this is due to MySQL WL#9467 - Resource Groups

commit:
 https://github.com/mysql/mysql-server/commit/c47051b4be2110ed6225860448fe8657cf500a4a

WorkLog:
 https://dev.mysql.com/worklog/task/?id=9467

which is new in MySQL 8.0. 

The move to /usr/bin and this sys_nice issue should be fixed in selinux-policy, I think?

Comment 7 Terje Røsten 2018-06-05 17:25:31 UTC
FYI: move to /usr/bin/ is

 https://bugzilla.redhat.com/show_bug.cgi?id=1584643

Comment 8 Jakub Jančo 2018-08-29 14:10:13 UTC
In downstream community-mysql we are missing cap_sys_nice on the mysqld binary. Therefore we don't see SELinux AVCs. But resource groups don't work.

Reproduce:
# dnf install community-mysql-server
# systemctl start mysql
Connect to mysql server and create resource group and apply:
mysql> CREATE RESOURCE GROUP rg1
  TYPE = USER
  VCPU = 0
  THREAD_PRIORITY = 19;
mysql> SET RESOURCE GROUP rg1;

Maybe there should be some error message here about "there is no capability set on the binary". But currently I can't see any visible clue that groups don't work. Only the thread nice doesn't change; while you are connected to the mysql server, on the mysql server run:
# ps -T ax -o ni,cmd | grep mysqld | grep '^ 19 '
<empty>

# systemctl stop mysqld
After you set capability on binary:
# setcap cap_sys_nice+ep /usr/libexec/mysqld
# systemctl start mysqld
AVCs appear.

Now if you try to set resource group in current login session:
mysql> SET RESOURCE GROUP rg1;
# ps -T ax -o ni,cmd | grep mysqld | grep '^ 19 '
 19 /usr/libexec/mysqld --basedir=/usr

Seems it works, but these log entries appear in the mysql log:

2018-08-29T13:30:08.980728Z 8 [ERROR] [MY-010985] [Server] Setting thread priority 0 to thread id 1099 failed. (error code 0 - Success).
2018-08-29T13:30:08.980765Z 8 [Warning] [MY-010979] [Server] Unable to apply resource group controller USR_default.

Creating and installing selinux module from audited errors allows setting resource groups without errors:
audit2allow -a -M test
semodule -i test.pp

Comment 9 Michal Schorm 2018-09-06 05:20:17 UTC
Fix pushed to the repo; rebuilds are on the way.

Comment 10 Héctor Louzao 2018-10-01 14:47:22 UTC
Finally works in F28 following the process in:

https://bugzilla.redhat.com/show_bug.cgi?id=1629380

https://bugs.mysql.com/bug.php?id=92476

Thx fedora folks...

regards

mysql-connector-python3-8.0.12-1.fc28.x86_64
mysql-connector-java-8.0.12-1.fc28.noarch
mysql-community-client-8.0.12-1.fc28.x86_64
mysql-community-common-8.0.12-1.fc28.x86_64
mysql-workbench-community-8.0.12-1.fc28.x86_64
mysql-connector-python-8.0.12-1.fc28.x86_64
mysql-community-server-8.0.12-1.fc28.x86_64
mysql-community-libs-8.0.12-1.fc28.x86_64
mysql80-community-release-fc28-1.noarch
mysql-shell-8.0.12-1.fc28.x86_64

selinux-policy-targeted-3.14.1-42.fc28.noarch
selinux-policy-3.14.1-42.fc28.noarch
selinux-policy-devel-3.14.1-42.fc28.noarch

setroubleshoot-server-3.3.17-1.fc28.x86_64
setroubleshoot-plugins-3.3.9-3.fc28.noarch
setroubleshoot-3.3.17-1.fc28.x86_64

Comment 11 Fedora Update System 2018-10-31 13:02:08 UTC
community-mysql-8.0.13-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c82fc3e109

Comment 12 Fedora Update System 2018-10-31 18:52:36 UTC
community-mysql-8.0.13-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c82fc3e109

Comment 13 Fedora Update System 2018-11-10 03:18:14 UTC
community-mysql-8.0.13-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

