CentOS Linux release 8.3.2011

I haven't looked at the selinux packaging for a while (some at least comes from the base install). Could you include the output from "sudo semanage fcontext --list | grep mysqld_"

There is a knowledge base article on setting default selinux fcontexts https://mariadb.com/kb/en/selinux/#setting-file-contexts .

Given restorecon is working I assume the default fcontexts are actually ok.

The NoNewPrivileges of MDEV-10405 / MDEV-10404 where removed ages ago and I assume centos8 would be a 4.19 kernel which is unaffected anyway.

Was your 10.3.27 previously a Centos or MariaDB package?

Upgraded 10.3 to 10.5 by changing the version on the baseurl
baseurl = http://yum.mariadb.org/10.5/centos7-amd64

fcontexts lists attached:
mysqld_fcontext.txt

Have been noticing this issue for a while but only just found this bug report.

Still happening in 10.5.13

90 Mariadb servers running on Centos 7 or Rocky 8.5. I get Selinux alerts that it's blocked access on mysql.sock - and on investigating the contexts have changes as above.

A typical report for me is:

{{Dec 12 03:07:04 hostname setroubleshoot: SELinux is preventing /usr/bin/mariadb from write access on the sock_file /var/lib/mysql/mysql.sock. For complete SELinux messages run: sealert -l 053746c6-4469-408b-9712-5b5364ad9453
}}

Temporary fix is: restorecon /var/lib/mysql/mysql.sock

Hi,

We also noticed this bug. MDEV-10405 has nothing todo on this one I guess. The cause seems that in new MariaDB versions there is a mariadb.sock file which activates the socket file. But somehow it does not respect the filecontext (mathpathcon).
Adding SELinuxContext=mysqld_var_run_t does not seems to work either.

For now there is only one workaround possible. Create or update /etc/systemd/system/mariadb.service.d/override.conf with the following content:

# Workaround so socket gets correct linux context

[Service]

ExecStartPost=chcon -t mysqld_var_run_t /var/lib/mysql/mysql.sock

and then systemctl daemon-reload and systemctl restart mariadb

This might be some bug in selinux in combination with systemd.

I don't understand why this bug is flagged as minor when nothing can connect to the MariaDB socket when SELinux is enabled. Can we get an update on this as it's going to be almost a year since this was first reported?

For reference, the ExecStartPost should be:

ExecStartPost=/bin/chcon -t mysqld_var_run_t /var/lib/mysql/mysql.sock

(Systemd, at least on the Rocky/EL systems I tested on, does not automatically path /bin)

Bumping as it's still an issue with 10.5.17-1.el7.centos.
As mentioned previously fixed with systemd conf override by restoring context as the system policy is correct.

/etc/systemd/system/mariadb.service.d/restorecon_socket.conf

–

[Service]

ExecStartPost=/sbin/restorecon /var/lib/mysql/mysql.sock

On Rocky Linux 9.1 and MariaDB 10.11 problem still persist.

Set mysqld_var_run_t on /var/lib/mysql/mysql.sock not resolve problem. Selinux still prevent to connect to.

type=AVC msg=audit(1680706848.894:35115): avc: denied

for pid=26248 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

Any advice to resolve problem?

I confirm the issue on AlmaLinux 9.2 and MariaDB 10.11.

None of the proposed solutions work.

This seems related to #MDEV-30520.

Looks like a regression, this was fixed at some point, but re-occured starting with 10.5

the policies files under support-files have not changed between versions as far as I can tell, so something else must have changed between 10.4 and 10.5

What I wonder about though is that the only lines in these referring to mysqld_var_run_t in MariaDB source repository is:

# grep -r mysqld_var_run

support-files/policy/selinux/mariadb-server.fc:/var/lib/mysql/.*\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)

while

# semanage fcontext --list | grep mysqld_var_run_t

/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0 

/var/run/mariadb(/.*)?                             all files          system_u:object_r:mysqld_var_run_t:s0 

/var/run/mysql(/.*)?                               all files          system_u:object_r:mysqld_var_run_t:s0 

/var/run/mysqld(/.*)?                              all files          system_u:object_r:mysqld_var_run_t:s0 

And that list is even the same on a fresh CentOS8 VM without any mariadb-* packages installed.

So these actually seem to be from OS SElinux default policies, and not from what gets installed under /usr/share/mysql/policies/selinux by the MariaDB-server package.

Now the question is what changed between 10.4 and 10.5 packages that made this re-appear?

mariadb changed from mysqld as a symlink to mariadbd rather than mariadbd symlink to mysqld. The selinux context comes form the real exe rather than the symlink. There is no mysqld_exec_t label on mariadbd meaning it doesn't have the required access on files:

Aiming for upstream policy fix:

https://github.com/devexp-db/mysql-selinux/pull/4

Added https://github.com/devexp-db/mysql-selinux/pull/5 as a fix that included mariadb-backup and doesn't break the Fedora distribution of MariaDB.