Bug 754072 - mysqld does not start with selinux in enforcing mode
Summary: mysqld does not start with selinux in enforcing mode
Keywords:
Status: CLOSED DUPLICATE of bug 753816
Alias: None
Product: Fedora
Classification: Fedora
Component: mysql
Version: 16
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Tom Lane
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 753851 754672
Depends On:
Blocks:
 
Reported: 2011-11-15 11:05 UTC by David Downing
Modified: 2011-11-17 23:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 759679
Environment:
Last Closed: 2011-11-17 16:12:13 UTC
Type: ---
Embargoed:



Description David Downing 2011-11-15 11:05:24 UTC
Description of problem:
MySQL service fails to start if selinux is in enforcing mode

Version-Release number of selected component (if applicable):
mysql-5.5.16-3.fc16.x86_64

How reproducible:
Always with all current updates applied

Steps to Reproduce:
1. setenforce enforcing
2. systemctl start mysqld.service
3.
  
Actual results:
"Job failed. See system logs and 'systemctl status' for details."

# systemctl status mysqld.service 
mysqld.service - MySQL database server
	  Loaded: loaded (/lib/systemd/system/mysqld.service; enabled)
	  Active: failed since Tue, 15 Nov 2011 10:55:37 +0000; 17s ago
	 Process: 1433 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
	 Process: 9490 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=127)
	 Process: 9474 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
	Main PID: 1430 (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/mysqld.service

From /var/log/messages:

Nov 13 12:23:11 laptop systemd[1]: mysqld.service: control process exited, code=exited status=127
Nov 13 12:23:11 laptop systemd[1]: mysqld.service holdoff time over, scheduling restart.
Nov 13 12:23:11 laptop systemd[1]: Unit mysqld.service entered failed state.
Nov 13 12:23:11 laptop mysqld_safe[1363]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied

Expected results:
mysql service should start

Additional info:

mysql starts when selinux is in permissive mode 

# setenforce permissive
# systemctl start mysqld.service 
# systemctl status mysqld.service 
mysqld.service - MySQL database server
	  Loaded: loaded (/lib/systemd/system/mysqld.service; enabled)
	  Active: active (running) since Tue, 15 Nov 2011 11:02:51 +0000; 6s ago
	 Process: 9739 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
	 Process: 9588 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=0/SUCCESS)
	 Process: 9572 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
	Main PID: 9738 (mysqld)
	  CGroup: name=systemd:/system/mysqld.service
		  └ 9738 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=...

Comment 1 David Downing 2011-11-15 11:09:36 UTC
Forgot to add that
# restorecon -r /
makes no difference.

Comment 2 Deron Meranda 2011-11-16 08:21:21 UTC
I am seeing this too. Immediately after upgrading from F15 to F16, mysqld would start fine. However, after updating all the system packages I am now getting an SELinux AVC error. I don't know what in particular may have changed.

I am using the SELinux Targeted policy in enforcing mode. In particular,

selinux-policy-targeted-3.10.0-55.fc16.noarch

The errors getting logged are:

Nov 16 03:10:37 beryl kernel: [ 3201.542880] type=1400 audit(1321431037.652:22): avc:  denied  { read } for  pid=4498 comm="mysqld_safe" path="/bin/bash" dev=dm-0 ino=5505036 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Nov 16 03:10:37 beryl mysqld_safe[4498]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied


The SELinux booleans related to MySQL are set as:

allow_user_mysql_connect --> off
mysql_connect_any --> off
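
Added example (not part of Comment 2, and not code from Fedora or the mysql package): a small Python parser that groups AVC denials like the one quoted above by source domain, target type and object class, and renders each group as allow-rule text for triage. The function names are hypothetical, and the third sample line is a constructed repeat of the logged denial.

```python
import re
from collections import defaultdict

# Constructed sample: the two syslog lines quoted in Comment 2, followed by a
# made-up repeat of the same denial (different pid/time) to show grouping.
SAMPLE_LOG = """\
Nov 16 03:10:37 beryl kernel: [ 3201.542880] type=1400 audit(1321431037.652:22): avc:  denied  { read } for  pid=4498 comm="mysqld_safe" path="/bin/bash" dev=dm-0 ino=5505036 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Nov 16 03:10:37 beryl mysqld_safe[4498]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied
Nov 16 03:10:42 beryl kernel: [ 3206.100000] type=1400 audit(1321431042.100:23): avc:  denied  { read } for  pid=4510 comm="mysqld_safe" path="/bin/bash" dev=dm-0 ino=5505036 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    ctxs = [rec.get(k, "").split(":") for k in ("scontext", "tcontext")]
    if "tclass" not in rec or any(len(c) < 3 for c in ctxs):
        return None  # truncated or malformed record
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec["source_type"], rec["target_type"] = ctxs[0][2], ctxs[1][2]
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        if "path" in rec:
            g["paths"].add(rec["path"])
    return dict(groups)

def as_rules(groups):
    """Render each group as the allow rule the policy would need to contain."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

The rendered rule is a way to describe the denial precisely when reporting it; in this thread the resolution was the updated selinux-policy package rather than a local rule.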

Comment 3 Dieter Vandenbroeck 2011-11-16 10:01:38 UTC
Same problem here.

[Dieter@DieterLaptop ~]$ rpm -qa | grep mysql
mysql-server-5.5.16-3.fc16.x86_64
mysql-libs-5.5.16-3.fc16.x86_64
mysql-5.5.16-3.fc16.x86_64
mysql-utilities-1.0.1-0.5.2.35.fc16.noarch
[Dieter@DieterLaptop ~]$ rpm -qa | grep selinux
libselinux-python-2.1.6-4.fc16.x86_64
libselinux-2.1.6-4.fc16.x86_64
selinux-policy-targeted-3.10.0-55.fc16.noarch
selinux-policy-3.10.0-55.fc16.noarch
libselinux-utils-2.1.6-4.fc16.x86_64
libselinux-2.1.6-4.fc16.i686

It looks like this bug is caused by http://bugzilla.redhat.com/show_bug.cgi?id=753816

Comment 4 Tom Lane 2011-11-17 15:34:13 UTC
*** Bug 754672 has been marked as a duplicate of this bug. ***

Comment 5 Tom Lane 2011-11-17 15:36:00 UTC
Please see whether your issue isn't fixed by
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16

Comment 6 Tom Lane 2011-11-17 15:39:25 UTC
*** Bug 753851 has been marked as a duplicate of this bug. ***

Comment 7 Dieter Vandenbroeck 2011-11-17 15:48:38 UTC
selinux-policy-3.10.0-56.fc16 fixes the bug. Problem solved

Comment 8 Tom Lane 2011-11-17 16:12:13 UTC
OK, thanks for the followup.

*** This bug has been marked as a duplicate of bug 753816 ***

Comment 9 Donald Edward Winslow 2011-11-17 21:56:08 UTC
selinux-policy-3.10.0-56.fc16 fixed it for me, too.

Donald

Comment 10 David Downing 2011-11-17 22:05:54 UTC
As the original submitter of this bug I am beginning to feel a bit left out!

# yum clean all && yum --enablerepo=updates-testing update selinux-policy

just gives me "No Packages marked for Update"

# rpm -q selinux-policy
selinux-policy-3.10.0-55.fc16.noarch

Comment 11 Donald Edward Winslow 2011-11-17 22:11:34 UTC
David,

The update is available at https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16 or on koji.

Donald

Comment 12 Deron Meranda 2011-11-17 22:14:19 UTC
The updated packages haven't shown up in the updates-testing repository
yet. I don't know if it is just a natural repo-push delay, or they are still
waiting on confirmation that it fixes all the other bugs not related to mysql.

You can download the RPM files directly from the Fedora build system at

http://koji.fedoraproject.org/koji/buildinfo?buildID=274347

and install them using plain rpm, e.g., "rpm -Uvh"

Comment 13 Donald Edward Winslow 2011-11-17 22:15:25 UTC
You can influence how quickly the bugs get pushed to testing by adding karma at:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16

Donald

Comment 14 David Downing 2011-11-17 23:25:43 UTC
Fixed for me too and added the karma.

