MariaDB Server / MDEV-12231

MariaDB fails to restart after 10.0.30-1.el7 update

    Description

      The issue reported in MDEV-11789 as being fixed in 10.0.30 is still present.

      I have just installed MariaDB 10.0.30 on a fresh CentOS 7.3 minimal system and cannot start it with SELinux enabled. The errors are exactly the same as outlined in MDEV-11789.

      SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.
       
      *****  Plugin catchall (100. confidence) suggests   **************************
       
      If you believe that mysqld_safe_helper should have the setgid capability by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
      # semodule -i my-mysqldsafehel.pp
       
       
      Additional Information:
      Source Context                system_u:system_r:mysqld_safe_t:s0
      Target Context                system_u:system_r:mysqld_safe_t:s0
      Target Objects                Unknown [ capability ]
      Source                        mysqld_safe_hel
      Source Path                   /usr/bin/mysqld_safe_helper
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           MariaDB-server-10.0.30-1.el7.centos.x86_64
      Target RPM Packages
      Policy RPM                    selinux-policy-3.13.1-102.el7_3.15.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     localhost.localdomain
      Platform                      Linux localhost.localdomain
                                    3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6
                                    23:06:41 UTC 2016 x86_64 x86_64
      Alert Count                   4
      First Seen                    2017-03-11 00:13:14 PST
      Last Seen                     2017-03-11 00:13:14 PST
      Local ID                      0ed292fb-afa4-4222-8e26-e85411f37926
       
      Raw Audit Messages
      type=AVC msg=audit(1489219994.398:460): avc:  denied  { setgid } for  pid=49629 comm="mysqld_safe_hel" capability=6  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
       
       
      type=SYSCALL msg=audit(1489219994.398:460): arch=x86_64 syscall=setgroups success=no exit=EPERM a0=1 a1=2886530 a2=3d6 a3=7f72793de2e0 items=0 ppid=49553 pid=49629 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mysqld_safe_hel exe=/usr/bin/mysqld_safe_helper subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
       
      Hash: mysqld_safe_hel,mysqld_safe_t,mysqld_safe_t,capability,setgid
      

      [root@localhost ~]# systemctl status mysql
      ● mysql.service - LSB: start and stop MySQL
         Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
         Active: failed (Result: exit-code) since Sat 2017-03-11 00:13:15 PST; 8s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 49546 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=1/FAILURE)
       
      Mar 11 00:13:14 localhost.localdomain systemd[1]: Starting LSB: start and stop MySQL...
      Mar 11 00:13:14 localhost.localdomain mysql[49546]: Starting MySQL.170311 00:13:14 mysqld_safe Logging to '/var/lib/mysql/localhost.localdomain.err'.
      Mar 11 00:13:14 localhost.localdomain mysql[49546]: 170311 00:13:14 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
      Mar 11 00:13:14 localhost.localdomain mysql[49546]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)
      Mar 11 00:13:15 localhost.localdomain mysql[49546]: ERROR!
      Mar 11 00:13:15 localhost.localdomain systemd[1]: mysql.service: control process exited, code=exited status=1
      Mar 11 00:13:15 localhost.localdomain systemd[1]: Failed to start LSB: start and stop MySQL.
      Mar 11 00:13:15 localhost.localdomain systemd[1]: Unit mysql.service entered failed state.
      Mar 11 00:13:15 localhost.localdomain systemd[1]: mysql.service failed.
       
      [root@localhost ~]# mysql -V
      mysql  Ver 15.1 Distrib 10.0.30-MariaDB, for Linux (x86_64) using readline 5.1
      

          Activity

            Sergei Golubchik (serg) added a comment:

            So, do you have /usr/sbin/semodule executable? What happens if you run

              /usr/sbin/semodule -i /usr/share/mysql/policy/selinux/mariadb.pp

            Jarrod Farncomb added a comment:

            Yes, /usr/sbin/semodule is present.

            The /usr/share/mysql/policy/ directory however is not. I cannot find mariadb.pp within /usr/share/mysql/*
            Sergei Golubchik (serg) added a comment (edited):

            dbart, it turns out that our CentOS7 builder didn't have SELinux tools installed (checkmodule and semodule_package), so the mariadb.pp was not built.

            I've now committed and pushed (into 5.5) a change that will fail the build if these files are not present (only on release RPM builds). It seems to fail only on CentOS7 and SuSE, so other builders are fine.

            Could you please install these tools on affected VMs? And then restart failed builds, to make sure everything's ok now. Thanks!

            Daniel Bartholomew (dbart) added a comment:

            The policycoreutils-python package had the necessary semodule_package tool, and it has a dependency to pull in the checkpolicy package, which has the checkmodule tool. Installed on CentOS 7 and suse/opensuse builders and it appears the builds are now working. The next versions of 5.5, 10.0, and 10.1 should all work properly now.

            serg: Does anything else need to be done for this? Thanks.

            Sergei Golubchik (serg) added a comment:

            Looks ok in buildbot, thanks!

            Maarten Bremer (maarten) added a comment:

            This issue is also present with the policycoreutils-python package installed. During installation the following error is shown:

              libsemanage.map_file: Unable to open /usr/share/mysql/SELinux/mariadb.pp
              (No such file or directory).
              libsemanage.semanage_direct_install_file: Unable to read file /usr/share/mysql/SELinux/mariadb.pp
              (No such file or directory).
              /usr/sbin/semodule: Failed on /usr/share/mysql/SELinux/mariadb.pp!

            The directory /usr/share/mysql/SELinux/ contains the following files:

              mariadb.te rhel4-mysql.fc rhel4-mysql.te

            Daniel Bartholomew (dbart) added a comment:

            maarten: The policycoreutils-python package issue was with the machine that builds our RHEL/CentOS 7 packages. Because it wasn't installed the build system didn't generate the mariadb.pp file, which is why it doesn't exist in our current RPMs. Now that the builder has been fixed the file will be generated properly and will be present in our future releases.
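
The root cause in this thread (a release package shipped without mariadb.pp because checkmodule and semodule_package were missing on the builder) can be turned into a hard build failure with a guard like the one below. This is an added example, not the MariaDB project's build code and not part of any comment above; the function names, return codes and directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: build-time guard for an SELinux policy module.
# Function names, return codes and directory layout are illustrative assumptions.

# Print the name of each required SELinux build tool that is not on PATH.
missing_selinux_tools() {
    for tool in checkmodule semodule_package; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Compile <src_dir>/<name>.te into <out_dir>/<name>.pp.
# Returns 2 if a tool is missing, 3 if a tool fails, 4 if no .pp was produced.
build_policy_module() {
    src_dir=$1 out_dir=$2 name=$3

    missing=$(missing_selinux_tools)
    if [ -n "$missing" ]; then
        # Fail loudly instead of silently skipping the policy, which is what
        # let a package without the .pp reach users.
        echo "error: missing SELinux build tools:" $missing >&2
        return 2
    fi

    # checkmodule: -M enables MLS, -m builds a non-base module, -o names the output.
    checkmodule -M -m -o "$out_dir/$name.mod" "$src_dir/$name.te" || return 3
    # semodule_package: wrap the compiled module into an installable .pp.
    semodule_package -o "$out_dir/$name.pp" -m "$out_dir/$name.mod" || return 3

    # Do not rely on exit codes alone: the artifact must exist and be non-empty.
    if [ ! -s "$out_dir/$name.pp" ]; then
        echo "error: $out_dir/$name.pp was not produced" >&2
        return 4
    fi
}

# Stand-alone use: sh build_policy.sh <src_dir> <out_dir> <module_name>
if [ "$#" -eq 3 ]; then
    build_policy_module "$@"
fi
```

The same non-empty-file check is worth repeating on the packaged payload before a post-install script calls semodule -i, so a missing module is caught at build time rather than on the target host.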
