[MDEV-13462] Can't start mysql with Galera and SELinux enabled Created: 2017-08-07  Updated: 2020-08-25  Resolved: 2018-06-19

Status: Closed
Project: MariaDB Server
Component/s: Galera, Platform RedHat, Server
Affects Version/s: 10.2.7
Fix Version/s: 10.1.27, 10.2.10

Type: Bug Priority: Critical
Reporter: Anders Karlsson Assignee: Sachin Setiya (Inactive)
Resolution: Fixed Votes: 2
Labels: None
Environment:

CentOS Linux release 7.2.1511 (Core)



 Description   

This is similar, but not the same as, MDEV-12102. The latter was fixed in 10.1 but the same appears again. The issue is that the mariadb.systemd script fails when Galera is enabled. Also, in this case SELinux has to be enabled to reproduce.

The issue seems to be with the galera_recover script that fails when run from mariadb.service but runs fine from the command line when SELinux is enabled; with SELinux disabled all runs fine. This also means that the galera_new_cluster script does not work either, as this restarts mariadb using systemd. Disabling SELinux will fix this. Also, all runs fine with Galera not configured, so SELinux has to be enabled and Galera configured for this issue to appear.



 Comments   
Comment by Andrii Nikitin (Inactive) [ 2017-08-10 ]

I can verify this by just putting wsrep_on=1 into my.cnf (no other Galera configuration is really required for verification).

journalctl -xe shows these when SELinux is enabled:

Aug 10 14:34:10 systemd[1]: Unit mariadb.service entered failed state.
Aug 10 14:34:10 systemd[1]: mariadb.service failed.
Aug 10 14:34:10 setroubleshoot[22179]: SELinux is preventing /usr/sbin/mysqld from open access on the file /tmp/wsrep_recovery.v8iHyw. For complete SELinux messages. run sealert -l 8c7415a6-1153-4fab-ad95-2ee327791
Aug 10 14:34:10 python[22179]: SELinux is preventing /usr/sbin/mysqld from open access on the file /tmp/wsrep_recovery.v8iHyw.

The service is able to start properly when SELinux is disabled.
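
A triage sketch for the journal output in the comment above, added here as an example (not part of the original report and not MariaDB project code): it parses the setroubleshoot summary lines and separates the /tmp/wsrep_recovery.* denial described in this issue from any other SELinux denial. The function names and the regular expression are assumptions of this example.

```python
import re
from fnmatch import fnmatch

# Journal lines copied unchanged from the comment above.
SAMPLE_JOURNAL = """\
Aug 10 14:34:10 systemd[1]: Unit mariadb.service entered failed state.
Aug 10 14:34:10 systemd[1]: mariadb.service failed.
Aug 10 14:34:10 setroubleshoot[22179]: SELinux is preventing /usr/sbin/mysqld from open access on the file /tmp/wsrep_recovery.v8iHyw. For complete SELinux messages. run sealert -l 8c7415a6-1153-4fab-ad95-2ee327791
Aug 10 14:34:10 python[22179]: SELinux is preventing /usr/sbin/mysqld from open access on the file /tmp/wsrep_recovery.v8iHyw.
"""

# Shape of a setroubleshoot summary line (regex is this example's assumption).
DENIAL = re.compile(
    r"SELinux is preventing (?P<exe>\S+) from (?P<access>[\w ]+?) access "
    r"on the (?P<tclass>\w+) (?P<target>.+?)\.(?:\s|$)"
)

def parse_denials(journal_text):
    """Return unique denials as dicts (exe, access, tclass, target)."""
    seen, out = set(), []
    for line in journal_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        d = m.groupdict()
        key = tuple(d.values())
        if key not in seen:  # the journal above shows the same denial twice
            seen.add(key)
            out.append(d)
    return out

def is_wsrep_recovery_denial(d):
    """True when mysqld was denied 'open' on a /tmp/wsrep_recovery.* file."""
    return (d["exe"].endswith("/mysqld") and d["access"] == "open"
            and d["tclass"] == "file"
            and fnmatch(d["target"], "/tmp/wsrep_recovery.*"))

def triage(journal_text):
    """Split denials into (matches this report, everything else)."""
    denials = parse_denials(journal_text)
    known = [d for d in denials if is_wsrep_recovery_denial(d)]
    other = [d for d in denials if not is_wsrep_recovery_denial(d)]
    return known, other

if __name__ == "__main__":
    known, other = triage(SAMPLE_JOURNAL)
    print("matches this report:", known)
    print("other denials to review:", other)
```

A denial in the first list points at the affected versions named in this issue rather than at a reason to disable SELinux; anything in the second list is a separate policy question.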

Comment by Sergei Golubchik [ 2018-04-30 ]

Wasn't it fixed in MDEV-10767? In commit bb7a70c955 on 2017-09-21?
After that commit mysqld does not need open access on the file /tmp/wsrep_recovery.v8iHyw.

Comment by Chris Calender (Inactive) [ 2018-05-23 ]

This does look to be fixed by MDEV-10767. I did not file this bug, but ran across it when looking at a customer issue (but I did not see the original MDEV-10767). It seems fine to close this to me. Many thanks!

Comment by Seppo Jaakola [ 2018-06-14 ]

The fix in MDEV-10767 appears to skip exactly this problematic /tmp/wsrep_recovery.* access, so I assume this case should be closed.

Generated at Thu Feb 08 08:05:47 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.