Details
- Bug
- Status: Closed
- Critical
- Resolution: Duplicate
- 10.1.28
- None
- CentOS Linux release 7.4.1708 (Core) x86_64
Description
After a software update, the MariaDB server no longer starts.
MariaDB-common-10.1.28-1.el7.centos.x86_64
MariaDB-client-10.1.28-1.el7.centos.x86_64
MariaDB-server-10.1.28-1.el7.centos.x86_64
MariaDB-shared-10.1.28-1.el7.centos.x86_64
galera-25.3.20-1.rhel7.el7.centos.x86_64
percona-xtrabackup-2.3.6-1.el7.x86_64
SELinux is preventing mktemp from creating temporary files like wsrep_recovery.* under /usr.
Temporary files are not supposed to be created there.
After setting mysqld_safe_t to permissive mode, the SELinux logs show:
SELinux is preventing /usr/bin/mktemp from create access on the file wsrep_recovery.K1AY7s.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow mktemp to have create access on the wsrep_recovery.K1AY7s file
Then necesita modificar la etiqueta en wsrep_recovery.K1AY7s
Do
# semanage fcontext -a -t FILE_TYPE 'wsrep_recovery.K1AY7s'
donde FILE_TYPE es uno de los siguientes: mysqld_db_t, mysqld_log_t, mysqld_var_run_t.
Luego ejecute:
restorecon -v 'wsrep_recovery.K1AY7s'

***** Plugin catchall (17.1 confidence) suggests **************************

If cree que de manera predeterminada, mktemp debería permitir acceso create sobre wsrep_recovery.K1AY7s file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
allow this access for now by executing:
# ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
# semodule -i my-mktemp.pp

Additional Information:
Source Context system_u:system_r:mysqld_safe_t:s0
**Target Context system_u:object_r:usr_t:s0**
Target Objects wsrep_recovery.K1AY7s [ file ]
Source mktemp
Source Path /usr/bin/mktemp
Port <Unknown>
Host spi2.**********
Source RPM Packages coreutils-8.22-18.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-166.el7_4.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name spi2.**********
Platform Linux spi2.******** 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13 UTC 2017 x86_64 x86_64
Alert Count 14
First Seen 2017-09-28 12:54:57 -03
Last Seen 2017-10-12 12:09:59 -03
Local ID 2f128290-dc5e-4280-bcb4-2fcc3abb56e3

Raw Audit Messages
type=AVC msg=audit(1507820999.760:2512): avc: denied { create } for pid=16103 comm="mktemp" name="wsrep_recovery.K1AY7s" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=AVC msg=audit(1507820999.760:2512): avc: denied { write } for pid=16103 comm="mktemp" path="/usr/wsrep_recovery.K1AY7s" dev="sda3" ino=198736 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1507820999.760:2512): arch=x86_64 syscall=open success=yes exit=ESRCH a0=190d050 a1=c2 a2=180 a3=652a6ab1f081fc9a items=0 ppid=15909 pid=16103 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mktemp exe=/usr/bin/mktemp subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

Hash: mktemp,mysqld_safe_t,usr_t,file,create
|
my.cnf :
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

[client]
default_character_set = UTF8

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

Included files: server.cnf

#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
[mysqld]
key_buffer = 64M
max_allowed_packet = 4M
table_cache = 512
sort_buffer_size = 8M
net_buffer_length = 32K
read_buffer_size = 4M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 32M
character_set_filesystem = UTF8
character_set_server = UTF8
default-storage-engine=INNODB
innodb_file_per_table
innodb_flush_method=O_DIRECT
innodb_log_file_size=64M
innodb_buffer_pool_size = 256M
join_buffer_size = 1048576

#
# * Galera-related settings
#
[galera]
# Mandatory settings
wsrep_on=ON
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_provider_options="gmcast.listen_addr=tcp://10.39.2.150:4778"
wsrep_cluster_address=gcomm://10.39.1.150:4778,10.39.1.101:4778,10.39.2.150:4778
binlog_format=row
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2
#
# Allow server to accept connections on all interfaces.
#
bind-address=10.39.2.150
#
# Optional setting
#wsrep_slave_threads=1
#innodb_flush_log_at_trx_commit=0
#
wsrep_cluster_name="MariaDB_SPI-Cluster"
wsrep_node_address="10.39.2.150"
wsrep_sst_method=xtrabackup
wsrep_sst_auth=root:*********
wsrep_sst_receive_address=10.39.2.150:4777

wsrep_data_home_dir=/var/lib/mysql
wsrep_debug=ON
|
Issue Links
- duplicates MDEV-13950 mysqld_safe could not start Galera node after upgrade to 10.1.28 or 10.2.9 (Closed)
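
A triage helper for the AVC records in this report, added here as an example (it is not part of the original report and is not MariaDB or SELinux project code). It groups denials by source type, target type and class, and separates a labelling problem from a file created in the wrong directory; the `triage` function, the verdict names and the heuristic behind them are assumptions of this example.

```python
import re

# The two AVC records quoted in the report above, embedded so this runs offline.
SAMPLE = """\
type=AVC msg=audit(1507820999.760:2512): avc: denied { create } for pid=16103 comm="mktemp" name="wsrep_recovery.K1AY7s" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1507820999.760:2512): avc: denied { write } for pid=16103 comm="mktemp" path="/usr/wsrep_recovery.K1AY7s" dev="sda3" ino=198736 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# Labels sealert names in the report as valid for the wsrep_recovery file.
EXPECTED_TARGET_TYPES = {"mysqld_db_t", "mysqld_log_t", "mysqld_var_run_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text):
    """Group denials by (comm, source type, target type, class) and classify."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "paths": set()})
        g["perms"].update(rec["perms"])
        if "path" in rec:
            g["paths"].add(rec["path"])
    findings = []
    for (comm, stype, ttype, tclass), g in sorted(groups.items()):
        # Heuristic (assumption of this example): a target type outside the
        # expected set means the file landed in the wrong directory, so the
        # path should be fixed instead of loading an audit2allow module.
        verdict = "review-label" if ttype in EXPECTED_TARGET_TYPES else "fix-path"
        findings.append({"comm": comm, "stype": stype, "ttype": ttype, "tclass": tclass,
                         "perms": sorted(g["perms"]), "paths": sorted(g["paths"]),
                         "verdict": verdict})
    return findings
```

For the records in this report the result is a single `fix-path` finding: the module that `audit2allow -M my-mktemp` would generate grants `mysqld_safe_t` create and write on `usr_t` files, which is broader than the one temporary file that triggered it.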