Bug 1613898 - mysqld_safe-scl-help is not able to exec mysqld_safe
Summary: mysqld_safe-scl-help is not able to exec mysqld_safe
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-08 13:47 UTC by Jakub Jančo
Modified: 2018-10-30 10:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:08:25 UTC
Target Upstream Version:


Attachments
Add can_exec (721 bytes, patch)
2018-08-08 13:47 UTC, Jakub Jančo


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:09:18 UTC

Description Jakub Jančo 2018-08-08 13:47:19 UTC
Created attachment 1474352
Add can_exec

Description of problem:
SELinux denies starting the MySQL daemon from the collections rh-mysql57 and rh-mariadb100. Both collections behave the same.

Version-Release number of selected component (if applicable):
3.13.1-212

How reproducible:
easy always

Steps to Reproduce:
1. Run RHEL-7.6 instance
2. add rh-scl repo [1]
3a. yum install rh-mysql57-mysql-server
3b. yum install rh-mariadb100-mariadb-server
4a. systemctl start rh-mysql57-mysqld
4b. systemctl start rh-mariadb100-mariadb

Actual results:
# systemctl start rh-mariadb100-mariadb
Job for rh-mariadb100-mariadb.service failed because the control process exited with error code. See "systemctl status rh-mariadb100-mariadb.service" and "journalctl -xe" for details.

# ausearch -m avc
----
time->Wed Aug  8 09:26:19 2018
type=PROCTITLE msg=audit(1533734779.130:534): proctitle=2F62696E2F7368002F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F6C6962657865632F6D7973716C645F736166652D73636C2D68656C70657200656E61626C650072682D6D617269616462313030002D2D002F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F62696E
type=SYSCALL msg=audit(1533734779.130:534): arch=c000003e syscall=59 success=no exit=-13 a0=beb150 a1=beb4e0 a2=bebad0 a3=7ffe9d61b7e0 items=0 ppid=1 pid=18657 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld_safe-scl" exe="/usr/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1533734779.130:534): avc:  denied  { execute_no_trans } for  pid=18657 comm="mysqld_safe-scl" path="/opt/rh/rh-mariadb100/root/usr/bin/mysqld_safe" dev="vda1" ino=18874987 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file permissive=0


Expected results:
Daemon started.

Additional info:
[1] https://gitlab.cee.redhat.com/platform-eng-core-services/internal-repos/raw/master/rhscl/rhscl-rhel-7.repo

Patch of patch included.
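
Reading the denial above as a triage exercise (an added example, not part of the original report or of the attached patch): the script decodes the hex-encoded PROCTITLE record and pulls the permission, source type and target type out of the AVC record. The function names are this example's own; the two records are copied from the ausearch output above.

```python
import re

# PROCTITLE and AVC records copied from the ausearch output in this report.
EVENT = """\
type=PROCTITLE msg=audit(1533734779.130:534): proctitle=2F62696E2F7368002F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F6C6962657865632F6D7973716C645F736166652D73636C2D68656C70657200656E61626C650072682D6D617269616462313030002D2D002F6F70742F72682F72682D6D6172696164623130302F726F6F742F7573722F62696E
type=AVC msg=audit(1533734779.130:534): avc:  denied  { execute_no_trans } for  pid=18657 comm="mysqld_safe-scl" path="/opt/rh/rh-mariadb100/root/usr/bin/mysqld_safe" dev="vda1" ino=18874987 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file permissive=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def decode_proctitle(value):
    """Return argv from a PROCTITLE value: hex of NUL-separated args, or a quoted string."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        raw = bytes.fromhex(value)
        return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]
    return [value.strip('"')]


def parse_event(text):
    """Summarise one audit event: decoded argv plus the AVC decision and its types."""
    out = {}
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("type") == "PROCTITLE":
            out["argv"] = decode_proctitle(fields["proctitle"])
        elif fields.get("type") == "AVC":
            match = AVC.search(line)
            out["decision"] = match.group(1)
            out["perms"] = match.group(2).split()
            out["path"] = fields["path"].strip('"')
            # An SELinux context is user:role:type:level; the type is the third part.
            out["source_type"] = fields["scontext"].split(":")[2]
            out["target_type"] = fields["tcontext"].split(":")[2]
            out["tclass"] = fields["tclass"]
            out["enforcing"] = fields["permissive"] == "0"
    return out


def raw_allow_rule(ev):
    """Type-enforcement rule naming exactly what the denial blocked (not the attached patch)."""
    return "allow %s %s:%s { %s };" % (
        ev["source_type"], ev["target_type"], ev["tclass"], " ".join(ev["perms"]))


if __name__ == "__main__":
    event = parse_event(EVENT)
    print(" ".join(event["argv"]))
    print(raw_allow_rule(event))
```

The decoded argv is exactly 128 bytes long, the length at which the kernel audit code cuts PROCTITLE, so the final path argument is incomplete.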

Comment 2 Jakub Jančo 2018-08-09 09:25:46 UTC
This is valid for rh-mysql56 instead of rh-mysql57

Comment 6 errata-xmlrpc 2018-10-30 10:08:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

