Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-16718

Job for mariadb.service failed because the control process exited with error code.

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Duplicate
    • 10.2.16
    • N/A
    • N/A
    • Fedora Linux

    Description

      Hi All,

      I haven't seen this issue pop up yet anywhere except for notifications about multiple instances of MariaDB could be installed, but that's not the case in this specific issue.

      On a clean installation of Fedora 28 when installing MariaDB server from the official repository it fails to start after the installation.

      Installed packages

      rpm -qa | grep -i maria
      MariaDB-server-10.2.16-1.fc28.x86_64
      MariaDB-common-10.2.16-1.fc28.x86_64
      MariaDB-client-10.2.16-1.fc28.x86_64
       
      dnf list installed | grep -i maria
      MariaDB-client.x86_64                      10.2.16-1.fc28               @mariadb
      MariaDB-common.x86_64                      10.2.16-1.fc28               @mariadb
      MariaDB-server.x86_64                      10.2.16-1.fc28               @mariadb
      

      It seems to have to do with selinux policies, when I set selinux to permissive it's able to start the MariaDB server process without any issues.

      I was able to reproduce this on a plain netinstall of Fedora28.

      Jul 10 12:44:54 fedora28 systemd[1]: Starting MariaDB 10.2.16 database server...
      Jul 10 12:44:54 fedora28 audit[31938]: AVC avc:  denied  { nnp_transition } for  pid=31938 comm="(mysqld)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process2 permissive=0
      Jul 10 12:44:54 fedora28 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:mysqld_t:s0
      Jul 10 12:44:54 fedora28 mysqld[31938]: 2018-07-10 12:44:54 140492999485696 [Note] /usr/sbin/mysqld (mysqld 10.2.16-MariaDB) starting as process 31938 ...
      Jul 10 12:44:54 fedora28 mysqld[31938]: 2018-07-10 12:44:54 140492999485696 [Warning] Can't create test file /var/lib/mysql/fedora28.lower-test
      Jul 10 12:44:54 fedora28 audit[31938]: AVC avc:  denied  { write } for  pid=31938 comm="mysqld" name="mysql" dev="dm-0" ino=811203 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir permissive=0
      Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { read } for  pid=31938 comm="mysqld" name="plugin.frm" dev="dm-0" ino=806160 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Uses event mutexes
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Compressed tables use zlib 1.2.11
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Using Linux native AIO
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Number of pools: 1
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Using SSE2 crc32 instructions
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Completed initialization of buffer pool
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492453046016 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
      Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { getattr } for  pid=31938 comm="mysqld" path="/var/lib/mysql/ibdata1" dev="dm-0" ino=806137 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: Operating system error number 13 in a file operation.
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: The error means mysqld does not have the access rights to the directory.
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: os_file_get_status() failed on './ibdata1'. Can't determine file permissions
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: Plugin initialization aborted with error Generic error
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Starting shutdown...
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'InnoDB' init function returned error.
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
      Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { read write } for  pid=31938 comm="mysqld" name="aria_log_control" dev="dm-0" ino=806142 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] mysqld: File '/var/lib/mysql/aria_log_control' not found (Errcode: 13 "Permission denied")
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] mysqld: Got error 'Can't open file' when trying to use aria control file '/var/lib/mysql/aria_log_control'
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'Aria' init function returned error.
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'Aria' registration as a STORAGE ENGINE failed.
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] Plugin 'FEEDBACK' is disabled.
      Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { read } for  pid=31938 comm="mysqld" name="plugin.frm" dev="dm-0" ino=806160 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Could not open mysql.plugin table. Some plugins may be not loaded
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Unknown/unsupported storage engine: InnoDB
      Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Aborting
      Jul 10 12:44:55 fedora28 systemd[1]: mariadb.service: Main process exited, code=exited, status=1/FAILURE
      Jul 10 12:44:55 fedora28 systemd[1]: mariadb.service: Failed with result 'exit-code'.
      Jul 10 12:44:55 fedora28 systemd[1]: Failed to start MariaDB 10.2.16 database server.
      Jul 10 12:44:55 fedora28 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mariadb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
      

      *****  Plugin catchall (100. confidence) suggests   **************************
       
      If you believe that mysqld should be allowed read write access on the aria_log_control file by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
      # semodule -X 300 -i my-mysqld.pp
       
       
      Additional Information:
      Source Context                system_u:system_r:init_t:s0
      Target Context                unconfined_u:object_r:mysqld_db_t:s0
      Target Objects                aria_log_control [ file ]
      Source                        mysqld
      Source Path                   mysqld
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           
      Target RPM Packages           
      Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     fedora28.afs.local
      Platform                      Linux fedora28 4.17.3-200.fc28.x86_64 #1
                                    SMP Tue Jun 26 14:17:07 UTC 2018 x86_64 x86_64
      Alert Count                   3
      First Seen                    2018-07-10 11:47:32 CEST
      Last Seen                     2018-07-10 13:23:30 CEST
      Local ID                      fe418f32-a09b-4648-ab58-0174f40d443b
       
      Raw Audit Messages
      type=AVC msg=audit(1531221810.99:421): avc:  denied  { read write } for  pid=1318 comm="mysqld" name="aria_log_control" dev="dm-0" ino=806142 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
       
       
      Hash: mysqld,init_t,mysqld_db_t,file,read,write
       
      [root@fedora28 ~]# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
      ******************** IMPORTANT ***********************
      To make this policy package active, execute:
       
      semodule -i my-mysqld.pp
      

      Attachments

        Issue Links

          Activity

            Our documentation has some points regarding SELinux configuration, did you check them?
            https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#selinux

            elenst Elena Stepanova added a comment - Our documentation has some points regarding SELinux configuration, did you check them? https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#selinux

            Hi Elena,

            I did, and obviously I can fix it by setting mysql service to permissive or set selinux to permissive.
            Or even with sealert and create a semodule.
            But there is something in the default selinux policies which is causing this, I only have this on the MariaDB repository ( for 10.2 and 10.3 ).

            When I get the MariaDB-server from the fedora repositories I don't have these issues and everything starts fine.
            The MariaDB version with selinux in permissive mode does work.

            For what I've tested on CentOS 7.4 this isn't an issue either.

            evanberkum Edward van Berkum added a comment - Hi Elena, I did, and obviously I can fix it by setting mysql service to permissive or set selinux to permissive. Or even with sealert and create a semodule. But there is something in the default selinux policies which is causing this, I only have this on the MariaDB repository ( for 10.2 and 10.3 ). When I get the MariaDB-server from the fedora repositories I don't have these issues and everything starts fine. The MariaDB version with selinux in permissive mode does work. For what I've tested on CentOS 7.4 this isn't an issue either.

            I may confirm that issue, encountered on clean installation of Fedora 27 when installing MariaDB 10.2; with installation on CentOS 7.4 there wasn't indeed such issue .

            winstone Zdravelina Sokolovska (Inactive) added a comment - I may confirm that issue, encountered on clean installation of Fedora 27 when installing MariaDB 10.2; with installation on CentOS 7.4 there wasn't indeed such issue .
            danblack Daniel Black added a comment -

            The system_u:system_r:init_t:s0 content and nnp AVC error seem that this is a duplicate of MDEV-10404.

            NoNewPrivileges=true was reverted there, so shouldn't be a problem any more.

            danblack Daniel Black added a comment - The system_u:system_r:init_t:s0 content and nnp AVC error seem that this is a duplicate of MDEV-10404 . NoNewPrivileges=true was reverted there, so shouldn't be a problem any more.

            People

              danblack Daniel Black
              evanberkum Edward van Berkum
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.