[MDEV-15169] Provided SELinux FC/TE rules do not allow executing /usr/bin/wsrep_sst_* scripts - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Won't Fix
Affects Version/s: 10.1.30
Fix Version/s: N/A
Component/s: Galera, Galera SST, wsrep
Labels:
- galera
- patch
- selinux
- sst
Environment:
CentOS 7 with SELinux in enforcing mode
(MariaDB installed with packages from MariaDB YUM repo)

Description

When using the 'mariadb-server' policy (files in /usr/share/mysql/policy/selinux from the MariaDB-server package):

mariadb-server.fc file gives type mysqld_safe_exec_t to /usr/bin/wsrep_* scripts
mariadb-server.te file makes no use of it, but allows needed calls for bin_t

$ grep mysqld_safe_exec_t mariadb-server.{fc,te}

mariadb-server.fc:/usr/bin/wsrep.*  -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)

Right after packages install, /usr/bin/wsrep_* have type bin_t so Galera SST can be performed successfully.

But after relabeling/restorecon, SST scripts get their mysqld_safe_exec_t type and Galera SST no longer works, showing denials like this:

type=AVC msg=audit(1517492933.954:1485): avc:  denied  { getattr } for  pid=5624 comm="sh" path="/usr/bin/wsrep_sst_rsync" dev="sda3" ino=295423 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file

Could the attached patch represent the initial goal with labeling SST scripts as mysqld_safe_exec_t?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

mariadb-server.te.diff
0.7 kB
2018-02-01 16:48

Activity

Ascending order - Click to sort in descending order

Daniel Black added a comment - 2018-02-01 22:46

Good start. Do ssts work with these changes?

Notes to do with selinux but not this bug:
mariadb-server.fc - missing label for mariabackup

Daniel Black added a comment - 2018-02-01 22:46 Good start. Do ssts work with these changes? Notes to do with selinux but not this bug: mariadb-server.fc - missing label for mariabackup

Mathias Védrines added a comment - 2018-02-02 09:40

Hi Daniel, yes my SSTs do work with these changes.
I successfully tested rsync SST with patched policy yesterday, as well as mariabackup SST today.

Mathias Védrines added a comment - 2018-02-02 09:40 Hi Daniel, yes my SSTs do work with these changes. I successfully tested rsync SST with patched policy yesterday, as well as mariabackup SST today.

Timofey Turenko added a comment - 2021-10-29 10:05

I can confirm for 10.3 CS:

type=AVC msg=audit(1635500516.442:1106): avc:  denied  { write } for  pid=13810 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0

type=AVC msg=audit(1635501502.418:1164): avc:  denied  { write } for  pid=15100 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0

type=AVC msg=audit(1635501564.218:1483): avc:  denied  { write } for  pid=16996 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0

and it is not reproducible with 10.5 ES

Timofey Turenko added a comment - 2021-10-29 10:05 I can confirm for 10.3 CS: type=AVC msg=audit(1635500516.442:1106): avc: denied { write } for pid=13810 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1635501502.418:1164): avc: denied { write } for pid=15100 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1635501564.218:1483): avc: denied { write } for pid=16996 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 and it is not reproducible with 10.5 ES

Timofey Turenko added a comment - 2021-10-29 10:39

10.4 ES, Galera4:

Failed to start node1

---------- BEGIN LOGS ----------

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: or misconfigured. This error can also be caused by malfunctioning hardware.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: To report this bug, see https://mariadb.com/kb/en/reporting-bugs

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: We will try our best to scrape up some info that will hopefully help

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: diagnose the problem, but since we have already crashed,

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: something is definitely wrong and this may fail.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Server version: 10.4.21-13-MariaDB-enterprise-log

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: key_buffer_size=134217728

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: read_buffer_size=131072

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: max_used_connections=0

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: max_threads=153

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: thread_count=4

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: It is possible that mysqld could use up to

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467776 K  bytes of memory

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Hope that's ok; if not, decrease some variables in the equation.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Thread pointer: 0x7f2bc0000a88

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Attempting backtrace. You can use the following information to find out

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: where mysqld died. If you see no messages after this, something went

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: terribly wrong...

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Warning] WSREP: Failed to prepare for incremental state transfer: Failed to open IST listener at tcp://10.166.0.2:4568', asio error 'Failed to listen: bind: Permission denied: 13 (Permission denied)

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: at /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/galerautils/src/gu_asio_stream_react.cpp:listen():746': 13 (Permission denied)

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: at /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/galera/src/ist.cpp:prepare():325. IST will be unavailable.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: stack_bottom = 0x7f2bd8f55ab0 thread_stack 0x49000

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: Member 1.0 (galera001) requested state transfer from '*any*'. Selected 0.0 (galera000)(SYNCED) as donor.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: Shifting PRIMARY -> JOINER (TO: 2)

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: Requesting state transfer: success, donor: 0

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: Resetting GCache seqno map due to different histories.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: GCache history reset: 00000000-0000-0000-0000-000000000000:0 -> 6de3b865-38a3-11ec-989f-ffe73aa5c715:2

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Warning] WSREP: 0.0 (galera000): State transfer to 1.0 (galera001) failed: -42 (No message of desired type)

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [ERROR] WSREP: /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/gcs/src/gcs_group.cpp:gcs_group_handle_join_msg():1205: Will never receive state. Need to abort.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: terminating thread

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: joining thread

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: closing backend

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(my_print_stacktrace+0x2e)[0x55a84ac8059e]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(handle_fatal_signal+0x30f)[0x55a84a6f97cf]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: sigaction.c:0(__restore_rt)[0x7f2bf5a45630]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: :0(__GI_raise)[0x7f2bf4e90387]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: :0(__GI_abort)[0x7f2bf4e91a78]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(_ZN9__gnu_cxx27__verbose_terminate_handlerEv+0x165)[0x7f2bf558aa95]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ea06)[0x7f2bf5588a06]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ea33)[0x7f2bf5588a33]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ec53)[0x7f2bf5588c53]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(_ZN5wsrep12server_state12sst_receivedERNS_14client_serviceEi+0xe11)[0x55a84ad13241]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(+0x84af18)[0x55a84a662f18]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(+0x84d3fe)[0x55a84a6653fe]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: pthread_create.c:0(start_thread)[0x7f2bf5a3dea5]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libc.so.6(clone+0x6d)[0x7f2bf4f58b0d]

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: mariadb.service: main process exited, code=killed, status=6/ABRT

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: Failed to start MariaDB 10.4.21-13 database server.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: Unit mariadb.service entered failed state.

Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: mariadb.service failed.----------- END LOGS -----------

Job for mariadb.service failed because a fatal signal was delivered to the control process. See "systemctl status mariadb.service" and "journalctl -xe" for details.

Redirecting to /bin/systemctl start mysql.service

Failed to start mysql.service: Unit not found.

other nodes did not crash. Audit log does not have any "denied" on the first node_, but other nodes have:

sudo cat /var/log/audit/audit.log | grep den

type=AVC msg=audit(1635503554.398:2086): avc:  denied  { setpgid } for  pid=16942 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0

type=AVC msg=audit(1635503554.402:2087): avc:  denied  { name_bind } for  pid=16944 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1635503589.703:2088): avc:  denied  { name_bind } for  pid=16765 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1635503598.434:2113): avc:  denied  { setpgid } for  pid=17952 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0

type=AVC msg=audit(1635503598.438:2114): avc:  denied  { name_bind } for  pid=17954 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1635503633.726:2115): avc:  denied  { name_bind } for  pid=17776 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1635503642.643:2120): avc:  denied  { setpgid } for  pid=18937 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0

type=AVC msg=audit(1635503642.647:2121): avc:  denied  { name_bind } for  pid=18939 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1635503677.923:2122): avc:  denied  { name_bind } for  pid=18762 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1635503686.437:2127): avc:  denied  { setpgid } for  pid=19923 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0

type=AVC msg=audit(1635503686.440:2128): avc:  denied  { name_bind } for  pid=19925 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0

type=AVC msg=audit(1635503721.737:2152): avc:  denied  { name_bind } for  pid=19748 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Timofey Turenko added a comment - 2021-10-29 10:39 10.4 ES, Galera4: Failed to start node1 ---------- BEGIN LOGS ---------- Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: or misconfigured. This error can also be caused by malfunctioning hardware. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: To report this bug, see https://mariadb.com/kb/en/reporting-bugs Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: We will try our best to scrape up some info that will hopefully help Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: diagnose the problem, but since we have already crashed, Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: something is definitely wrong and this may fail. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Server version: 10.4.21-13-MariaDB-enterprise-log Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: key_buffer_size=134217728 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: read_buffer_size=131072 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: max_used_connections=0 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: max_threads=153 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: thread_count=4 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: It is possible that mysqld could use up to Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467776 K bytes of memory Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Hope that's ok; if not, decrease some variables in the equation. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Thread pointer: 0x7f2bc0000a88 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Attempting backtrace. You can use the following information to find out Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: where mysqld died. If you see no messages after this, something went Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: terribly wrong... Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Warning] WSREP: Failed to prepare for incremental state transfer: Failed to open IST listener at tcp://10.166.0.2:4568', asio error 'Failed to listen: bind: Permission denied: 13 (Permission denied) Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: at /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/galerautils/src/gu_asio_stream_react.cpp:listen():746': 13 (Permission denied) Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: at /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/galera/src/ist.cpp:prepare():325. IST will be unavailable. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: stack_bottom = 0x7f2bd8f55ab0 thread_stack 0x49000 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: Member 1.0 (galera001) requested state transfer from '*any*'. Selected 0.0 (galera000)(SYNCED) as donor. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: Shifting PRIMARY -> JOINER (TO: 2) Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: Requesting state transfer: success, donor: 0 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: Resetting GCache seqno map due to different histories. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: GCache history reset: 00000000-0000-0000-0000-000000000000:0 -> 6de3b865-38a3-11ec-989f-ffe73aa5c715:2 Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Warning] WSREP: 0.0 (galera000): State transfer to 1.0 (galera001) failed: -42 (No message of desired type) Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [ERROR] WSREP: /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/gcs/src/gcs_group.cpp:gcs_group_handle_join_msg():1205: Will never receive state. Need to abort. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: terminating thread Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: joining thread Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: closing backend Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(my_print_stacktrace+0x2e)[0x55a84ac8059e] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(handle_fatal_signal+0x30f)[0x55a84a6f97cf] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: sigaction.c:0(__restore_rt)[0x7f2bf5a45630] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: :0(__GI_raise)[0x7f2bf4e90387] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: :0(__GI_abort)[0x7f2bf4e91a78] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(_ZN9__gnu_cxx27__verbose_terminate_handlerEv+0x165)[0x7f2bf558aa95] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ea06)[0x7f2bf5588a06] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ea33)[0x7f2bf5588a33] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ec53)[0x7f2bf5588c53] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(_ZN5wsrep12server_state12sst_receivedERNS_14client_serviceEi+0xe11)[0x55a84ad13241] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(+0x84af18)[0x55a84a662f18] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(+0x84d3fe)[0x55a84a6653fe] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: pthread_create.c:0(start_thread)[0x7f2bf5a3dea5] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libc.so.6(clone+0x6d)[0x7f2bf4f58b0d] Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: mariadb.service: main process exited, code=killed, status=6/ABRT Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: Failed to start MariaDB 10.4.21-13 database server. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: Unit mariadb.service entered failed state. Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: mariadb.service failed.----------- END LOGS ----------- Job for mariadb.service failed because a fatal signal was delivered to the control process. See "systemctl status mariadb.service" and "journalctl -xe" for details. Redirecting to /bin/systemctl start mysql.service Failed to start mysql.service: Unit not found. other nodes did not crash. Audit log does not have any "denied" on the first node_, but other nodes have: sudo cat /var/log/audit/audit.log | grep den type=AVC msg=audit(1635503554.398:2086): avc: denied { setpgid } for pid=16942 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0 type=AVC msg=audit(1635503554.402:2087): avc: denied { name_bind } for pid=16944 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1635503589.703:2088): avc: denied { name_bind } for pid=16765 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1635503598.434:2113): avc: denied { setpgid } for pid=17952 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0 type=AVC msg=audit(1635503598.438:2114): avc: denied { name_bind } for pid=17954 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1635503633.726:2115): avc: denied { name_bind } for pid=17776 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1635503642.643:2120): avc: denied { setpgid } for pid=18937 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0 type=AVC msg=audit(1635503642.647:2121): avc: denied { name_bind } for pid=18939 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1635503677.923:2122): avc: denied { name_bind } for pid=18762 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1635503686.437:2127): avc: denied { setpgid } for pid=19923 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0 type=AVC msg=audit(1635503686.440:2128): avc: denied { name_bind } for pid=19925 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1635503721.737:2152): avc: denied { name_bind } for pid=19748 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Timofey Turenko added a comment - 2021-10-29 12:30

10.2 CS, Selinux is switched to Permissive mode:

type=AVC msg=audit(1635510380.471:1565): avc:  denied  { write } for  pid=18307 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1635510380.471:1565): avc:  denied  { add_name } for  pid=18307 comm="mktemp" name="wsrep_recovery.RPBfoe" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1635510380.471:1565): avc:  denied  { create } for  pid=18307 comm="mktemp" name="wsrep_recovery.RPBfoe" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510380.471:1565): avc:  denied  { write } for  pid=18307 comm="mktemp" path="/tmp/wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510380.473:1566): avc:  denied  { setattr } for  pid=18308 comm="chmod" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510380.480:1567): avc:  denied  { write } for  pid=18313 comm="mysqld" path="/tmp/wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510382.256:1568): avc:  denied  { remove_name } for  pid=18353 comm="rm" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1635510382.256:1568): avc:  denied  { unlink } for  pid=18353 comm="rm" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510532.450:1931): avc:  denied  { write } for  pid=20385 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1635510532.450:1931): avc:  denied  { add_name } for  pid=20385 comm="mktemp" name="wsrep_recovery.jPcblI" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1635510532.450:1931): avc:  denied  { create } for  pid=20385 comm="mktemp" name="wsrep_recovery.jPcblI" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510532.450:1931): avc:  denied  { write } for  pid=20385 comm="mktemp" path="/tmp/wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510532.452:1932): avc:  denied  { setattr } for  pid=20386 comm="chmod" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510532.460:1933): avc:  denied  { write } for  pid=20391 comm="mysqld" path="/tmp/wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

type=AVC msg=audit(1635510534.299:1934): avc:  denied  { remove_name } for  pid=20432 comm="rm" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1635510534.299:1934): avc:  denied  { unlink } for  pid=20432 comm="rm" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

Timofey Turenko added a comment - 2021-10-29 12:30 10.2 CS, Selinux is switched to Permissive mode: type=AVC msg=audit(1635510380.471:1565): avc: denied { write } for pid=18307 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1635510380.471:1565): avc: denied { add_name } for pid=18307 comm="mktemp" name="wsrep_recovery.RPBfoe" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1635510380.471:1565): avc: denied { create } for pid=18307 comm="mktemp" name="wsrep_recovery.RPBfoe" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510380.471:1565): avc: denied { write } for pid=18307 comm="mktemp" path="/tmp/wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510380.473:1566): avc: denied { setattr } for pid=18308 comm="chmod" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510380.480:1567): avc: denied { write } for pid=18313 comm="mysqld" path="/tmp/wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510382.256:1568): avc: denied { remove_name } for pid=18353 comm="rm" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1635510382.256:1568): avc: denied { unlink } for pid=18353 comm="rm" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510532.450:1931): avc: denied { write } for pid=20385 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1635510532.450:1931): avc: denied { add_name } for pid=20385 comm="mktemp" name="wsrep_recovery.jPcblI" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1635510532.450:1931): avc: denied { create } for pid=20385 comm="mktemp" name="wsrep_recovery.jPcblI" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510532.450:1931): avc: denied { write } for pid=20385 comm="mktemp" path="/tmp/wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510532.452:1932): avc: denied { setattr } for pid=20386 comm="chmod" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510532.460:1933): avc: denied { write } for pid=20391 comm="mysqld" path="/tmp/wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1635510534.299:1934): avc: denied { remove_name } for pid=20432 comm="rm" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1635510534.299:1934): avc: denied { unlink } for pid=20432 comm="rm" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

Jan Lindström added a comment - 2023-06-06 09:31

10.1 is EOL.

Jan Lindström added a comment - 2023-06-06 09:31 10.1 is EOL.

People

Assignee:: Julius Goryavsky

Reporter:: Mathias Védrines

Votes:: 1 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2018-02-01 16:53

Updated:: 2023-06-06 09:31

Resolved:: 2023-06-06 09:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Activity

People

Dates

Git Integration