[MDEV-16718] Job for mariadb.service failed because the control process exited with error code.
Created: 2018-07-10
Updated: 2023-07-18
Resolved: 2023-07-18

Status: Closed
Project: MariaDB Server
Component/s: N/A
Affects Version/s: 10.2.16
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Edward van Berkum
Assignee: Daniel Black
Resolution: Duplicate
Votes: 1
Labels: selinux, systemd
Environment: Fedora Linux

Issue Links:
Duplicate
duplicates MDEV-10404 Improved systemd service hardening ca... Closed

 Description   

Hi All,

I haven't seen this issue pop up anywhere yet, except for notifications that multiple instances of MariaDB could be installed, but that's not the case in this specific issue.

On a clean installation of Fedora 28, when installing MariaDB server from the official repository, it fails to start after the installation.

Installed packages

rpm -qa | grep -i maria
MariaDB-server-10.2.16-1.fc28.x86_64
MariaDB-common-10.2.16-1.fc28.x86_64
MariaDB-client-10.2.16-1.fc28.x86_64
 
dnf list installed | grep -i maria
MariaDB-client.x86_64                      10.2.16-1.fc28               @mariadb
MariaDB-common.x86_64                      10.2.16-1.fc28               @mariadb
MariaDB-server.x86_64                      10.2.16-1.fc28               @mariadb

It seems to have to do with SELinux policies: when I set SELinux to permissive, it's able to start the MariaDB server process without any issues.

I was able to reproduce this on a plain netinstall of Fedora 28.

Jul 10 12:44:54 fedora28 systemd[1]: Starting MariaDB 10.2.16 database server...
Jul 10 12:44:54 fedora28 audit[31938]: AVC avc:  denied  { nnp_transition } for  pid=31938 comm="(mysqld)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process2 permissive=0
Jul 10 12:44:54 fedora28 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:mysqld_t:s0
Jul 10 12:44:54 fedora28 mysqld[31938]: 2018-07-10 12:44:54 140492999485696 [Note] /usr/sbin/mysqld (mysqld 10.2.16-MariaDB) starting as process 31938 ...
Jul 10 12:44:54 fedora28 mysqld[31938]: 2018-07-10 12:44:54 140492999485696 [Warning] Can't create test file /var/lib/mysql/fedora28.lower-test
Jul 10 12:44:54 fedora28 audit[31938]: AVC avc:  denied  { write } for  pid=31938 comm="mysqld" name="mysql" dev="dm-0" ino=811203 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir permissive=0
Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { read } for  pid=31938 comm="mysqld" name="plugin.frm" dev="dm-0" ino=806160 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Uses event mutexes
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Compressed tables use zlib 1.2.11
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Using Linux native AIO
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Number of pools: 1
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Using SSE2 crc32 instructions
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Completed initialization of buffer pool
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492453046016 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { getattr } for  pid=31938 comm="mysqld" path="/var/lib/mysql/ibdata1" dev="dm-0" ino=806137 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: Operating system error number 13 in a file operation.
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: The error means mysqld does not have the access rights to the directory.
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: os_file_get_status() failed on './ibdata1'. Can't determine file permissions
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] InnoDB: Plugin initialization aborted with error Generic error
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] InnoDB: Starting shutdown...
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'InnoDB' init function returned error.
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { read write } for  pid=31938 comm="mysqld" name="aria_log_control" dev="dm-0" ino=806142 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] mysqld: File '/var/lib/mysql/aria_log_control' not found (Errcode: 13 "Permission denied")
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] mysqld: Got error 'Can't open file' when trying to use aria control file '/var/lib/mysql/aria_log_control'
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'Aria' init function returned error.
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Plugin 'Aria' registration as a STORAGE ENGINE failed.
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [Note] Plugin 'FEEDBACK' is disabled.
Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { read } for  pid=31938 comm="mysqld" name="plugin.frm" dev="dm-0" ino=806160 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Could not open mysql.plugin table. Some plugins may be not loaded
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Unknown/unsupported storage engine: InnoDB
Jul 10 12:44:55 fedora28 mysqld[31938]: 2018-07-10 12:44:55 140492999485696 [ERROR] Aborting
Jul 10 12:44:55 fedora28 systemd[1]: mariadb.service: Main process exited, code=exited, status=1/FAILURE
Jul 10 12:44:55 fedora28 systemd[1]: mariadb.service: Failed with result 'exit-code'.
Jul 10 12:44:55 fedora28 systemd[1]: Failed to start MariaDB 10.2.16 database server.
Jul 10 12:44:55 fedora28 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mariadb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that mysqld should be allowed read write access on the aria_log_control file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp
 
 
Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:mysqld_db_t:s0
Target Objects                aria_log_control [ file ]
Source                        mysqld
Source Path                   mysqld
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora28.afs.local
Platform                      Linux fedora28 4.17.3-200.fc28.x86_64 #1
                              SMP Tue Jun 26 14:17:07 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2018-07-10 11:47:32 CEST
Last Seen                     2018-07-10 13:23:30 CEST
Local ID                      fe418f32-a09b-4648-ab58-0174f40d443b
 
Raw Audit Messages
type=AVC msg=audit(1531221810.99:421): avc:  denied  { read write } for  pid=1318 comm="mysqld" name="aria_log_control" dev="dm-0" ino=806142 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
 
 
Hash: mysqld,init_t,mysqld_db_t,file,read,write
 
[root@fedora28 ~]# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
******************** IMPORTANT ***********************
To make this policy package active, execute:
 
semodule -i my-mysqld.pp



 Comments   
Comment by Elena Stepanova [ 2018-07-10 ]

Our documentation has some points regarding SELinux configuration, did you check them?
https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#selinux

Comment by Edward van Berkum [ 2018-07-10 ]

Hi Elena,

I did, and obviously I can fix it by setting the mysql service to permissive or setting SELinux to permissive, or even by using sealert to create a semodule.
But there is something in the default SELinux policies which is causing this; I only have this on the MariaDB repository (for 10.2 and 10.3).

When I get the MariaDB-server from the Fedora repositories I don't have these issues and everything starts fine.
The MariaDB version with SELinux in permissive mode does work.

From what I've tested, on CentOS 7.4 this isn't an issue either.

Comment by Zdravelina Sokolovska (Inactive) [ 2018-09-12 ]

I can confirm this issue, encountered on a clean installation of Fedora 27 when installing MariaDB 10.2; with installation on CentOS 7.4 there was indeed no such issue.

Comment by Daniel Black [ 2023-07-18 ]

The system_u:system_r:init_t:s0 context and nnp AVC error seem to indicate that this is a duplicate of MDEV-10404.

NoNewPrivileges=true was reverted there, so it shouldn't be a problem any more.
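
Added example (not part of the ticket and not MariaDB project code): a small triage script for the pattern in this report, where one nnp_transition denial leaves mysqld running in init_t and every later denial for the same pid follows from that. The function names, the three labels and the last sample record (pid 4242) are assumptions made for illustration.

```python
import re

# Constructed sample: the first three records are taken from the journal
# excerpt in the report; the last one (pid 4242) is invented for contrast.
SAMPLE = """\
Jul 10 12:44:54 fedora28 audit[31938]: AVC avc:  denied  { nnp_transition } for  pid=31938 comm="(mysqld)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process2 permissive=0
Jul 10 12:44:54 fedora28 audit[31938]: AVC avc:  denied  { write } for  pid=31938 comm="mysqld" name="mysql" dev="dm-0" ino=811203 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir permissive=0
Jul 10 12:44:55 fedora28 audit[31938]: AVC avc:  denied  { getattr } for  pid=31938 comm="mysqld" path="/var/lib/mysql/ibdata1" dev="dm-0" ino=806137 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
Jul 10 12:50:01 fedora28 audit[4242]: AVC avc:  denied  { open } for  pid=4242 comm="mysqld" path="/var/log/example.log" dev="dm-0" ino=1 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC denial as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; policy rules match on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(text):
    """Label each denial as root-cause, consequence or independent."""
    failed = {}  # pid -> domain the process was left in after the blocked transition
    findings = []
    for rec in filter(None, map(parse_avc, text.splitlines())):
        pid, what = rec["pid"], " ".join(rec["perms"])
        if "nnp_transition" in rec["perms"]:
            failed[pid] = rec["stype"]
            findings.append((pid, "root-cause", f"{rec['stype']} -> {rec['ttype']}"))
        elif failed.get(pid) == rec["stype"]:
            # Same process, still running in the pre-exec domain: fix the
            # transition, do not grant that domain access to the target type.
            findings.append((pid, "consequence", f"{what} on {rec['ttype']}:{rec['tclass']}"))
        else:
            findings.append((pid, "independent", f"{what} on {rec['ttype']}:{rec['tclass']}"))
    return findings


if __name__ == "__main__":
    for pid, label, detail in triage(SAMPLE):
        print(f"pid={pid:<6} {label:<12} {detail}")
```

Denials labelled "consequence" all have init_t as the source type, so a local module generated from them with audit2allow would widen init_t rather than restore the mysqld_t confinement.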
