Bug 800907 - avc denial , comm="mysqld_safe" path="/bin/bash; mysqld cannot start
avc denial , comm="mysqld_safe" path="/bin/bash; mysqld cannot start
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.0
All Linux
high Severity unspecified
: rc
: ---
Assigned To: Daniel Walsh
Milos Malik
: Regression
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-07 08:53 EST by Petr Sklenar
Modified: 2014-06-17 22:11 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-96.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 07:41:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Sklenar 2012-03-07 08:53:59 EST
Description of problem:
try start / stop default configuration for mysqld,
mysqld cannot start

Version-Release number of selected component (if applicable):
mysql-server-5.5.16-3.el7.x86_64
selinux-policy-3.10.0-56.el7.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. service mysqld stop
2. service mysqld start
# mysqld is not running
  
Actual results:
[root@nec-em6 bz675906-client-long-line-backslash-regression]# service mysqld stop
Redirecting to /bin/systemctl  stop mysqld.service
[root@nec-em6 bz675906-client-long-line-backslash-regression]# service mysqld start
Redirecting to /bin/systemctl  start mysqld.service
type=AVC msg=audit(1331127781.467:1073): avc:  denied  { read } for  pid=18407 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Job failed. See system logs and 'systemctl status' for details.
[root@nec-em6 bz675906-client-long-line-backslash-regression]# type=AVC msg=audit(1331127781.846:1075): avc:  denied  { read } for  pid=18464 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127782.204:1077): avc:  denied  { read } for  pid=18520 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127782.571:1079): avc:  denied  { read } for  pid=18576 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127782.937:1081): avc:  denied  { read } for  pid=18631 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1331127783.299:1083): avc:  denied  { read } for  pid=18686 comm="mysqld_safe" path="/bin/bash" dev=dm-1 ino=396701 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Expected results:
no denial
service can start successfully

Additional info:
Comment 1 Daniel Walsh 2012-03-07 13:59:38 EST
Fixed in selinux-policy-3.10.0-96
Comment 2 Milos Malik 2012-03-28 03:03:10 EDT
Together with AVCs following lines appear in /var/log/messages:

Mar 28 09:58:27 pokus mysqld_safe[1288]: /bin/sh: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied
Mar 28 09:58:27 pokus systemd[1]: mysqld.service: control process exited, code=exited status=127
Mar 28 09:58:27 pokus systemd[1]: mysqld.service holdoff time over, scheduling restart.
Mar 28 09:58:27 pokus systemd[1]: Job pending for unit, delaying automatic restart.
Mar 28 09:58:27 pokus systemd[1]: Unit mysqld.service entered failed state.
Mar 28 09:58:27 pokus systemd[1]: mysqld.service start request repeated too quickly, refusing to start.
Comment 4 Ludek Smid 2014-06-13 07:41:04 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.