Description of problem:
MySQL service fails to start if selinux in enforcing mode

Version-Release number of selected component (if applicable):
mysql-5.5.16-3.fc16.x86_64

How reproducible:
Always with all current updates applied

Steps to Reproduce:
1. setenforce enforcing
2. systemctl start mysqld.service
3.

Actual results:
"Job failed. See system logs and 'systemctl status' for details."

# systemctl status mysqld.service
mysqld.service - MySQL database server
    Loaded: loaded (/lib/systemd/system/mysqld.service; enabled)
    Active: failed since Tue, 15 Nov 2011 10:55:37 +0000; 17s ago
    Process: 1433 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
    Process: 9490 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=127)
    Process: 9474 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
    Main PID: 1430 (code=exited, status=0/SUCCESS)
    CGroup: name=systemd:/system/mysqld.service

From /var/log/messages:
Nov 13 12:23:11 laptop systemd[1]: mysqld.service: control process exited, code=exited status=127
Nov 13 12:23:11 laptop systemd[1]: mysqld.service holdoff time over, scheduling restart.
Nov 13 12:23:11 laptop systemd[1]: Unit mysqld.service entered failed state.
Nov 13 12:23:11 laptop mysqld_safe[1363]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied

Expected results:
mysql service should start

Additional info:
mysql starts when selinux is in permissive mode

# setenforce permissive
# systemctl start mysqld.service
# systemctl status mysqld.service
mysqld.service - MySQL database server
    Loaded: loaded (/lib/systemd/system/mysqld.service; enabled)
    Active: active (running) since Tue, 15 Nov 2011 11:02:51 +0000; 6s ago
    Process: 9739 ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
    Process: 9588 ExecStart=/usr/bin/mysqld_safe --nowatch --basedir=/usr (code=exited, status=0/SUCCESS)
    Process: 9572 ExecStartPre=/usr/libexec/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
    Main PID: 9738 (mysqld)
    CGroup: name=systemd:/system/mysqld.service
        └ 9738 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=...
Forgot to add that # restorecon -r / makes no difference.
I am seeing this too. Immediately after upgrading from F15 to F16, mysqld would start fine. However, after updating all the system packages I am now getting an SELinux AVC error. I don't know what in particular may have changed. I am using the SELinux Targeted policy in enforcing mode. In particular, selinux-policy-targeted-3.10.0-55.fc16.noarch

The errors getting logged are:

Nov 16 03:10:37 beryl kernel: [ 3201.542880] type=1400 audit(1321431037.652:22): avc: denied { read } for pid=4498 comm="mysqld_safe" path="/bin/bash" dev=dm-0 ino=5505036 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Nov 16 03:10:37 beryl mysqld_safe[4498]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied

The SELinux booleans related to MySQL are set as:

allow_user_mysql_connect --> off
mysql_connect_any --> off
Same problem here.

[Dieter@DieterLaptop ~]$ rpm -qa | grep mysql
mysql-server-5.5.16-3.fc16.x86_64
mysql-libs-5.5.16-3.fc16.x86_64
mysql-5.5.16-3.fc16.x86_64
mysql-utilities-1.0.1-0.5.2.35.fc16.noarch

[Dieter@DieterLaptop ~]$ rpm -qa | grep selinux
libselinux-python-2.1.6-4.fc16.x86_64
libselinux-2.1.6-4.fc16.x86_64
selinux-policy-targeted-3.10.0-55.fc16.noarch
selinux-policy-3.10.0-55.fc16.noarch
libselinux-utils-2.1.6-4.fc16.x86_64
libselinux-2.1.6-4.fc16.i686

It looks like this bug is caused by http://bugzilla.redhat.com/show_bug.cgi?id=753816
*** Bug 754672 has been marked as a duplicate of this bug. ***
Please see whether your issue isn't fixed by https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16
*** Bug 753851 has been marked as a duplicate of this bug. ***
selinux-policy-3.10.0-56.fc16 fixes the bug. Problem solved
OK, thanks for the followup. *** This bug has been marked as a duplicate of bug 753816 ***
selinux-policy-3.10.0-56.fc16 fixed it for me, too. Donald
As the original submitter of this bug I am beginning to feel a bit left out!

# yum clean all && yum --enablerepo=updates-testing update selinux-policy

just gives me "No Packages marked for Update"

# rpm -q selinux-policy
selinux-policy-3.10.0-55.fc16.noarch
David, The update is available at https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16 or on koji. Donald
The updated packages haven't shown up in the updates-testing repository yet. I don't know if it is just a natural repo-push delay, or they are still waiting on confirmation that it fixes all the other bugs not related to mysql. You can download the RPM files directly from the Fedora build system at http://koji.fedoraproject.org/koji/buildinfo?buildID=274347 and install them using plain rpm, e.g., "rpm -Uvh"
You can influence how quickly the bugs get pushed to testing by adding karma at: https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16 Donald
Fixed for me too and added the karma.