Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 498053

Summary: Monitoring, mysql can not get mysql probe to connect to mysql server on rhel4/5 w/ selinux Enforcing
Product: Red Hat Satellite 5 Reporter: wes hayutin <whayutin>
Component: MonitoringAssignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED CURRENTRELEASE QA Contact: wes hayutin <whayutin>
Severity: medium Docs Contact:
Priority: low    
Version: 530CC: bperkins, mzazrivec
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://riverraid.rhndev.redhat.com/rhn/systems/details/probes/ProbesList.do?sid=1000010020
Whiteboard:
Fixed In Version: sat530 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-10 19:12:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 457079    
Attachments:
Description Flags
spacewalk-debug
none
sosreport from sat server
none
sosreport from client none

Description wes hayutin 2009-04-28 16:31:03 UTC 
Description of problem:
first bug opened on a similar but not related issue.. 433884

4/24.1 build

recreate.

1. change selinux to Permissive on *ALL* systems
2. register a rhel4 and rhel 5 client to satellite
3. enable monitoring
4. test a sample probe to make sure monitoring works..
(in my test I had Linux:Load, Ping, Linux:Virtual Memory working)
5. on the satellite server install mysql package

5. on each client install mysql and mysql server
6. create a db and user
mysql>  GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON TEST.* TO 'westest'@'%' IDENTIFIED BY 'dog8code';

7. go to satellite server test the connection of mysql to the clients..

riverraid= satellite server

[root@riverraid ~]#  mysql -h dhcp77-132.rhndev.redhat.com -u westest -p test
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 



8. create a mysql:Database accessibility probe
using the same parameters used in step 7

9. push the scout config.

eventually you get an error: Client connectivity test failed when trying to connect to database test
Comment 1 wes hayutin 2009-04-28 16:43:16 UTC 
Created attachment 341602 [details]
spacewalk-debug
Comment 2 wes hayutin 2009-04-28 16:43:57 UTC 
Created attachment 341603 [details]
sosreport from sat server
Comment 3 wes hayutin 2009-04-28 16:44:40 UTC 
Created attachment 341605 [details]
sosreport from client
Comment 4 wes hayutin 2009-04-28 16:55:23 UTC 
I'm an idiot, selinux was on.. and I found errors
Comment 5 wes hayutin 2009-04-28 16:57:22 UTC 
selinux for monitoring and mysql here..


type=MAC_STATUS msg=audit(1240937469.177:1342): enforcing=0 old_enforcing=1 auid=0 ses=148
type=SYSCALL msg=audit(1240937469.177:1342): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf94ab04 a2=1 a3=bf94ab04 items=0 ppid=4804 pid=15274 auid=0 uid=0 gid=0 eui
d=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=148 comm="setenforce" exe="/usr/sbin/setenforce" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1240937500.386:1343): avc:  denied  { getattr } for  pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_
monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.386:1343): arch=40000003 syscall=195 success=yes exit=0 a0=bf8845ae a1=bf88154c a2=53aff4 a3=bf88154c items=0 ppid=15459 pid=15473 auid=42
94967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewal
k_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.386:1344): avc:  denied  { read } for  pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitori
ng_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.386:1344): arch=40000003 syscall=5 success=yes exit=3 a0=bf8845ae a1=8000 a2=1b6 a3=9808520 items=0 ppid=15459 pid=15473 auid=4294967295 u
id=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitori
ng_t:s0 key=(null)
type=AVC msg=audit(1240937500.418:1345): avc:  denied  { getattr } for  pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=syst
em_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.418:1345): arch=40000003 syscall=195 success=yes exit=0 a0=bf8839be a1=bf88392c a2=53aff4 a3=bf88392c items=0 ppid=15459 pid=15473 auid=42
94967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewal
k_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.418:1346): avc:  denied  { read } for  pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monit
oring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.418:1346): arch=40000003 syscall=5 success=yes exit=4 a0=bf8839be a1=8000 a2=0 a3=8000 items=0 ppid=15459 pid=15473 auid=4294967295 uid=10
3 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:
s0 key=(null)
Comment 6 wes hayutin 2009-04-28 17:00:12 UTC 
the probe works just fine w/ selinux in permissive
Comment 7 wes hayutin 2009-04-28 17:00:48 UTC 
the above selinux errors are on the rhn-satellite server  riverraid.
Comment 8 Miroslav Suchý 2009-04-29 10:10:15 UTC 
Jan can you do this one, please?
Comment 9 Jan Pazdziora (Red Hat) 2009-05-05 11:38:19 UTC 
Note to self: The AVCs are

type=AVC msg=audit(1240937500.386:1343): avc:  denied  { getattr } for pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file

type=AVC msg=audit(1240937500.386:1344): avc:  denied  { read } for  pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file

type=AVC msg=audit(1240937500.418:1345): avc:  denied  { getattr } for pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=AVC msg=audit(1240937500.418:1346): avc:  denied  { read } for  pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

The /usr/bin/mysql is bin_t, nothing special:

# ls -laZ /usr/bin/mysql
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/bin/mysql
Comment 10 Jan Pazdziora (Red Hat) 2009-05-12 10:00:40 UTC 
Fix in Spacewalk master f00ef6f06308869c2125ed4a848c51fc061ca1ca and VADER b3db1b234a682f5a43df9ee3c016489a23698541. Tagged as spacewalk-monitoring-selinux-0.6.6-1 (master).
Comment 11 Jan Pazdziora (Red Hat) 2009-05-21 12:14:16 UTC 
With compose Satellite-5.3.0-RHEL5-re20090520.0 available, moving ON_QA.
Comment 12 wes hayutin 2009-06-02 12:57:57 UTC 
verified..

[root@grandprix ~]# setenforce 1
[root@grandprix ~]# su - nocpulse
-bash-3.2$  rhn-runprobe --debug 2 --probe 93
2009-06-02 08:55:09     No items changed
2009-06-02 08:55:09     Notification not required
2009-06-02 08:55:09     NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-02 08:55:09 
============================================================
OK: Client connectivity for user sattest to database test successful
Comment 13 Milan Zázrivec 2009-09-09 15:56:19 UTC 
5.3.0 final iso:

$ rhn-runprobe --live 21 
2009-09-09 11:52:34     No items changed
2009-09-09 11:52:34     Notification not required
2009-09-09 11:52:34 
============================================================
OK: Client connectivity for user testuser to database mysql successful 
============================================================

No selinux denials, RELEASE_PENDING.
Comment 14 Brandon Perkins 2009-09-10 19:12:41 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html