After installing the latest selinux-policy package MariaDB does not start as the rules for MariaDB are missing from the latest selinux-policy package.

Reproducible: Always

Steps to Reproduce:
1. Update the system to the selinux-policy package version 42.8.1
2. If the update is part of a bigger transaction, it will likely fail as other services will fail to start after upgrade

Actual Results:
All the entries for mariadb disappear.

Example taken from a machine with 42.8.1 (only row is local customization):
[localadmin@itmil01pzbp01 ~]$ sudo grep mariadb -r /var/lib/selinux/targeted/active
/var/lib/selinux/targeted/active/file_contexts.local:/mariadb_datadir(/.*)? system_u:object_r:mysqld_db_t:s0

Example taken from a machine with 42.7.1 (latest row is local customization):
[luca.cavana-csa.com@itmil01pzbs01 ~]$ sudo grep mariadb -r /var/lib/selinux/targeted/active
/var/lib/selinux/targeted/active/file_contexts:/run/mariadb(/.*)? system_u:object_r:mysqld_var_run_t:s0
/var/lib/selinux/targeted/active/file_contexts:/var/log/mariadb(/.*)? system_u:object_r:mysqld_log_t:s0
/var/lib/selinux/targeted/active/file_contexts:/usr/lib/systemd/system/mariadb.* -- system_u:object_r:mysqld_unit_file_t:s0
/var/lib/selinux/targeted/active/file_contexts:/usr/bin/mariadbd -- system_u:object_r:mysqld_exec_t:s0
/var/lib/selinux/targeted/active/file_contexts:/usr/libexec/mariadbd -- system_u:object_r:mysqld_exec_t:s0
/var/lib/selinux/targeted/active/file_contexts:/usr/bin/mariadbd-safe -- system_u:object_r:mysqld_safe_exec_t:s0
/var/lib/selinux/targeted/active/file_contexts:/usr/bin/mariadb-backup -- system_u:object_r:mysqld_exec_t:s0
/var/lib/selinux/targeted/active/file_contexts:/usr/bin/mariadb-upgrade -- system_u:object_r:mysqld_exec_t:s0
/var/lib/selinux/targeted/active/file_contexts:/usr/bin/mariadbd-safe-helper -- system_u:object_r:mysqld_exec_t:s0
/var/lib/selinux/targeted/active/file_contexts.local:/mariadb_datadir(/.*)? system_u:object_r:mysqld_db_t:s0

Expected Results:
MariaDB entries are kept.

Additional Information:
As a workaround set SELinux in permissive mode
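The comparison the report makes by hand between the 42.7.1 and 42.8.1 machines can be scripted as a post-update check. This is an added example, not part of the bug report or of any package: the function names are hypothetical, and the two snapshots are the grep outputs quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): list file-context entries that
# vanished between two `grep -r mariadb /var/lib/selinux/targeted/active`
# snapshots. Function names are hypothetical; rows are copied from the report.
P=/var/lib/selinux/targeted/active   # shorthand to keep the rows short

snapshot_42_7() {   # machine still on selinux-policy 42.7.1
    cat <<EOF
$P/file_contexts:/run/mariadb(/.*)? system_u:object_r:mysqld_var_run_t:s0
$P/file_contexts:/var/log/mariadb(/.*)? system_u:object_r:mysqld_log_t:s0
$P/file_contexts:/usr/lib/systemd/system/mariadb.* -- system_u:object_r:mysqld_unit_file_t:s0
$P/file_contexts:/usr/bin/mariadbd -- system_u:object_r:mysqld_exec_t:s0
$P/file_contexts:/usr/libexec/mariadbd -- system_u:object_r:mysqld_exec_t:s0
$P/file_contexts:/usr/bin/mariadbd-safe -- system_u:object_r:mysqld_safe_exec_t:s0
$P/file_contexts:/usr/bin/mariadb-backup -- system_u:object_r:mysqld_exec_t:s0
$P/file_contexts:/usr/bin/mariadb-upgrade -- system_u:object_r:mysqld_exec_t:s0
$P/file_contexts:/usr/bin/mariadbd-safe-helper -- system_u:object_r:mysqld_exec_t:s0
$P/file_contexts.local:/mariadb_datadir(/.*)? system_u:object_r:mysqld_db_t:s0
EOF
}

snapshot_42_8() {   # machine on 42.8.1: only the local customization is left
    echo "$P/file_contexts.local:/mariadb_datadir(/.*)? system_u:object_r:mysqld_db_t:s0"
}

# grep -r row "FILE:SPEC [--] user:role:type:level" -> "SPEC<TAB>type<TAB>source file"
parse_contexts() {
    awk '{
        i = index($1, ":")                    # first colon ends the file name
        src = substr($1, 1, i - 1); sub(".*/", "", src)
        split($NF, ctx, ":")                  # the context is always the last field
        print substr($1, i + 1) "\t" ctx[3] "\t" src
    }' | sort
}

# $1 = snapshot taken before the update, $2 = snapshot taken after it
dropped_specs() {
    tmp=$(mktemp -d) || return 1
    parse_contexts < "$1" > "$tmp/before"
    parse_contexts < "$2" > "$tmp/after"
    # FILENAME test (not NR==FNR) stays correct when the "after" file is empty
    awk 'FILENAME == ARGV[1] { kept[$0] = 1; next } !($0 in kept)' "$tmp/after" "$tmp/before"
    rm -rf "$tmp"
}

work=$(mktemp -d)
snapshot_42_7 > "$work/before"; snapshot_42_8 > "$work/after"
dropped_specs "$work/before" "$work/after"
rm -rf "$work"
```

On a live system the two input files would come from running the same grep before and after the selinux-policy transaction; any row the function prints is a path that restorecon will no longer label with the MariaDB types.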
I guess mariadb now needs
Requires: (mysql-selinux if selinux-policy-%{selinuxtype})

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

The module was removed as agreed in https://github.com/fedora-selinux/selinux-policy/pull/2785
The above does not completely fix it as when MariaDB now starts, permissions are incorrectly assigned to the unix domain socket:

$ sudo systemctl start mariadb.service
$ sudo ls -lahZ /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 0 Sep 16 14:55 /var/lib/mysql/mysql.sock
$ sudo restorecon -Rv /var/lib/mysql/
Relabeled /var/lib/mysql/mysql.sock from system_u:object_r:mysqld_db_t:s0 to system_u:object_r:mysqld_var_run_t:s0
$ sudo ls -lahZ /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0 0 Sep 16 14:55 /var/lib/mysql/mysql.sock
I'll take a look at it
Hi, can you please give us the output from your system of:
# rpm -qa | grep -i -e maria -e mysql | sort
?
$ rpm -qa | grep -i -e maria -e mysql | sort
MariaDB-client-11.4.7-1.fc40.x86_64
MariaDB-client-compat-11.4.7-1.fc40.noarch
MariaDB-common-11.4.7-1.fc40.x86_64
MariaDB-server-11.4.7-1.fc40.x86_64
MariaDB-server-compat-11.4.7-1.fc40.noarch
MariaDB-shared-11.4.7-1.fc40.x86_64
mysql-selinux-1.0.14-1.fc42.noarch
zabbix-proxy-mysql-7.2.12-release1.el9.x86_64
Thanks, I see you have a mix of MariaDB *upstream* RPMs for F40, Fedora 'mysql-selinux' package for F42 and a RHEL 9 / EPEL 9 'zabbix-proxy-mysql' rpm. Can you please show us what your actual system is?
# cat /etc/os-release
Hello, the system is a Fedora Server 42.

$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="42 (Server Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=42
VERSION_CODENAME=""
PLATFORM_ID="platform:f42"
PRETTY_NAME="Fedora Linux 42 (Server Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:42"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f42/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=42
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=42
SUPPORT_END=2026-05-13
VARIANT="Server Edition"
VARIANT_ID=server

The system is an upgrade from a Fedora Server 40 and I had the old MariaDB repositories in /etc/yum.repos.d/ that I modified to the current ones for Fedora 42 and updated the packages so the current list is:

$ rpm -qa | grep -i -e maria -e mysql | sort
MariaDB-client-11.4.8-1.fc42.x86_64
MariaDB-client-compat-11.4.8-1.fc42.noarch
MariaDB-common-11.4.8-1.fc42.x86_64
MariaDB-server-11.4.8-1.fc42.x86_64
MariaDB-server-compat-11.4.8-1.fc42.noarch
MariaDB-shared-11.4.8-1.fc42.x86_64
mysql-selinux-1.0.14-1.fc42.noarch
zabbix-proxy-mysql-7.2.12-release1.el9.x86_64
Hi, after having a look at the socket and its permissions I have concluded that it only affects upstream MariaDB packages. As for the main selinux issues, they should be solved by installing the `mysql-selinux` package and relabeling the necessary files using restorecon or any other selinux tool. I have reported this to upstream on their chat platform[0] and an issue will be created either by us or them. Unfortunately I cannot suggest a solution for the socket relabel at the moment other than adding:
```
[Service]
ExecStartPost=restorecon -Rv /var/lib/mysql/
```
to the mariadb service using `systemctl edit mariadb` and reloading the daemon using `systemctl daemon-reload`. This will fix the permissions for the socket on the restart of the service but requires editing the service yourself.

[0]https://mariadb.zulipchat.com/#narrow/channel/118759-general/topic/.E2.9C.94.20MDEV-30520.20selinux.20compatible.20with.20MariaDB.20released.20pac.2E.2E.2E/with/540029333
For the socket I will open a bug upstream as the SELinux label contrasts with their documentation; anyway it does not look to be the problem why services which were allowed before, now are not. By using audit2allow I've been able to allow the local application (Zabbix) to connect and write to the socket and configure SELinux back in Enforcing state. I'm pretty sure before it was not the case and something was indeed modified when mysql-related rules were moved from the selinux-policy into the mysql-selinux package.

I think that this change should have been handled with a proper change request with the release of Fedora 43. Nobody expects that a regular update will make major adjustments like this. Sysadmins tend to read changes on version upgrades and can adjust their systems accordingly.
(In reply to Pavol Sloboda from comment #8)
> Hi, after having a look at the socket and its permissions I have concluded
> that it only affects upstream MariaDB packages. As for the main selinux
> issues, they should be solved by installing the `mysql-selinux` package and
> relabeling the necessary files using restorecon or any other selinux tool.

Context restoring should actually be handled in mysql-selinux post script, as long as these directives are used

%selinux_relabel_pre -s %{selinuxtype}
...
%selinux_relabel_post -s %{selinuxtype}

It does not apply to filesystems like /run and may also not help with open files, both of it should be resolved by reboot.

I now also see the Requires field is there (I did not see it before):

# rpm -q --requires mariadb-server | grep mysql-selinux
(mysql-selinux >= 1.0.10 if selinux-policy-targeted)
@Luca can you please test this:

sudo wget https://ci.mariadb.org/59717/amd64-fedora-42-rpm-autobake/MariaDB.repo -O /etc/yum.repos.d/MariaDB.repo

This is the MariaDB-11.4 that is in its last week or so before a release (from our CI environment, it's not a permanent link), + Pavol's recommended change https://github.com/MariaDB/server/commit/f2826dff276c681d881a91c7a3766bdf371cbb1b.

It installed and after the service started for me seems ok with even the socket still on the right label so some more testing needs to see what causes that difference: I have a config file directive changing the location to /var/lib/mysql/mysql.sock to see how it's processed.

$ sudo systemctl status mariadb.service
● mariadb.service - MariaDB 10.11.15 database server
     Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
             /etc/systemd/system/mariadb.service.d
             └─migrated-from-my.cnf-settings.conf, override.conf
     Active: active (running) since Fri 2025-09-19 14:56:57 AEST; 4s ago
 Invocation: b6a3b3689f3949789a87555445b2184b
       Docs: man:mariadbd(8)
             https://mariadb.com/kb/en/library/systemd/
    Process: 900571 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
    Process: 900572 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] && systemctl set-environment _WSREP_START_POSITION=$VAR || ex>
    Process: 900614 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
   Main PID: 900602 (mariadbd)
     Status: "Taking your SQL requests now..."
      Tasks: 10 (limit: 250169)
     Memory: 4.4G (peak: 4.4G)
        CPU: 791ms
     CGroup: /system.slice/mariadb.service
             └─900602 /usr/sbin/mariadbd

Sep 19 14:56:56 bark mariadbd[900602]: 2025-09-19 14:56:56 0 [Note] InnoDB: File './ibtmp1' size is now 12.000MiB.
Sep 19 14:56:56 bark mariadbd[900602]: 2025-09-19 14:56:56 0 [Note] InnoDB: log sequence number 10824995612; transaction id 272
Sep 19 14:56:56 bark mariadbd[900602]: 2025-09-19 14:56:56 0 [Note] Plugin 'FEEDBACK' is disabled.
Sep 19 14:56:56 bark mariadbd[900602]: 2025-09-19 14:56:56 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
Sep 19 14:56:56 bark mariadbd[900602]: 2025-09-19 14:56:56 0 [Note] InnoDB: Buffer pool(s) load completed at 250919 14:56:56
Sep 19 14:56:57 bark mariadbd[900602]: 2025-09-19 14:56:57 0 [Note] Server socket created on IP: '0.0.0.0', port: '3306'.
Sep 19 14:56:57 bark mariadbd[900602]: 2025-09-19 14:56:57 0 [Note] Server socket created on IP: '::', port: '3306'.
Sep 19 14:56:57 bark mariadbd[900602]: 2025-09-19 14:56:57 0 [Note] /usr/sbin/mariadbd: ready for connections.
Sep 19 14:56:57 bark mariadbd[900602]: Version: '10.11.15-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 3306 MariaDB Server
Sep 19 14:56:57 bark systemd[1]: Started mariadb.service - MariaDB 10.11.15 database server.

$ ls -laZ /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0 0 Sep 19 14:56 /var/lib/mysql/mysql.sock
Created attachment 2106992
upgrade MariaDB with MariaDB-bb-11.4-MDEV-37680-danblack-pkgtest
@Daniel, I have been able to test the build provided and it seems to fix everything from package dependencies to the wrong permission on the unix socket.

I tested the following scenarios:
- An upgrade from selinux-policy 42.7-1.fc42 (where MySQL/MariaDB SELinux rules were still there)
- An upgrade from selinux-policy 42.8-1.fc42 (where MySQL/MariaDB SELinux rules were removed but dependency for mysql-selinux not yet created)

In the recent attachment I uploaded you can find the upgrade procedure for the first scenario.

On the system that originated this issue I was able to remove the custom policy I had to make with audit2allow to have Zabbix be able to bind/write to the unix socket. Everything seems to be working as originally intended.

So now it should just be a matter of waiting for the patch to get the next release cycle, right?

Thank you very much,
Luca
Thank you for the testing. Yes it will just appear in the next release cycle, notionally 2025-10-23.