[MDEV-30137] SELinux context has to be manually fixed for 10.4 after backup restore (was: SELinux prevents backup restore) Created: 2022-11-30  Updated: 2023-05-05

Status: Open
Project: MariaDB Server
Component/s: Backup, Documentation, Packaging
Affects Version/s: 10.4.27
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Timofey Turenko Assignee: Ian Gilfillan
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates

 Description   

1. make a backup

sudo mariadb-backup --backup -utest_user -p***** --target-dir b01

2. stop server

sudo systemctl stop mariadb.service

3. Remove data dir as instructed in the doc

 sudo rm -rf /var/lib/mysql

4. prepare and copy back backup

sudo mariadb-backup --prepare --target-dir b01
sudo mariadb-backup --copy-back --target-dir b01

5. Set owner for data dir

 sudo chown mysql:mysql -R /var/lib/mysql

6. Start server

 sudo systemctl start mariadb.service

Result:

[vagrant@build ~]$ sudo systemctl restart mariadb.service
Job for mariadb.service failed because the control process exited with error code.
See "systemctl status mariadb.service" and "journalctl -xe" for details.
[vagrant@build ~]$ systemctl status mariadb.service
● mariadb.service - MariaDB 10.4.27-18 database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/mariadb.service.d
           └─migrated-from-my.cnf-settings.conf
   Active: failed (Result: exit-code) since Wed 2022-11-30 15:01:44 CET; 1s ago
     Docs: man:mysqld(8)
           https://mariadb.com/kb/en/library/systemd/
  Process: 20670 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
  Process: 21116 ExecStart=/usr/sbin/mysqld $MYSQLD_OPTS $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION (code=exited, status=1/FAILURE)
  Process: 21016 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= ||   VAR=`cd /usr/bin/..; /usr/bin/galera_recovery`; [ $? -eq 0 ]   && systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1 (code=exited, status=0/SUCCESS)
  Process: 21014 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
 Main PID: 21116 (code=exited, status=1/FAILURE)
   Status: "MariaDB server is down"

Setting SELinux to permissive mode fixes the problem:

[vagrant@build ~]$ sudo setenforce 0
[vagrant@build ~]$ sudo systemctl restart mariadb.service
[vagrant@build ~]$ systemctl status mariadb.service
● mariadb.service - MariaDB 10.4.27-18 database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/mariadb.service.d
           └─migrated-from-my.cnf-settings.conf
   Active: active (running) since Wed 2022-11-30 15:04:03 CET; 4s ago
     Docs: man:mysqld(8)
           https://mariadb.com/kb/en/library/systemd/
  Process: 21487 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
  Process: 21318 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= ||   VAR=`cd /usr/bin/..; /usr/bin/galera_recovery`; [ $? -eq 0 ]   && systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1 (code=exited, status=0/SUCCESS)
  Process: 21316 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
 Main PID: 21418 (mysqld)
   Status: "Taking your SQL requests now..."
    Tasks: 38 (limit: 49492)
   Memory: 74.2M
   CGroup: /system.slice/mariadb.service
           └─21418 /usr/sbin/mysqld

tested with RHEL8



 Comments   
Comment by Timofey Turenko [ 2022-12-02 ]

it is reproducible also without backup:

sudo systemctl stop mariadb.service
sudo rm -rf /var/lib/mysql
sudo mariadb-install-db
sudo chown mysql:mysql -R /var/lib/mysql
sudo systemctl start mariadb.service

Comment by Timofey Turenko [ 2022-12-02 ]

chcon -R -t mysqld_db_t /var/lib/mysql

after `mariadb-install-db` fixes the problem

Comment by Daniel Black [ 2022-12-04 ]

10.4 seems to have mariadb-backup as a symlink to mariabackup. The fcontext of mariabackup per support-files/policy/selinux/mariadb-server.fc is listed as system_u:object_r:mysqld_exec_t. Is this the case where it's installed (`ls -laZ /usr/sbin/maria*`)?

If you manually apply this context to the exe, does it backup/restore correctly?

Are the fcontexts actually installed (`sudo semanage fcontext --list | grep mysqld`)?

Is the mariadb module installed (`sudo semanage module --list|grep mariadb`)?

Comment by Timofey Turenko [ 2022-12-14 ]

10.4:

[vagrant@build ~]$ sudo ls -laZ /usr/bin/mariadb-backup
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 11 Nov  2 15:02 /usr/bin/mariadb-backup -> mariabackup
[vagrant@build ~]$ sudo ls -laZ /usr/bin/mariabackup
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 23923000 Nov  2 15:06 /usr/bin/mariabackup
 
[vagrant@build ~]$ sudo ls -laZ /usr/bin/mariadb-install-db 
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 16 Nov  2 15:00 /usr/bin/mariadb-install-db -> mysql_install_db
[vagrant@build ~]$ sudo ls -laZ /usr/bin/mysql_install_db
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 21968 Nov  2 13:27 /usr/bin/mysql_install_db

10.6:

[vagrant@build ~]$ sudo ls -laZ /usr/bin/mariadb-backup
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 25294448 Nov  3 13:34 /usr/bin/mariadb-backup
 
[vagrant@build ~]$  sudo ls -laZ /usr/bin/mariadb-install-db 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 22061 Nov  3 11:10 /usr/bin/mariadb-install-db
 

Comment by Timofey Turenko [ 2022-12-14 ]

module is installed for both 10.6 and 10.4:

[vagrant@build ~]$  sudo semanage module --list|grep mariadb
mariadb                   400       pp    
[vagrant@build ~]$ sudo semanage module --list|grep mysql
mysql                     100       pp    

Comment by Timofey Turenko [ 2022-12-14 ]

`sudo semanage fcontext --list | grep mysqld` is also the same for 10.4 and 10.6

/etc/my\.cnf                                       regular file       system_u:object_r:mysqld_etc_t:s0 
/etc/my\.cnf\.d(/.*)?                              all files          system_u:object_r:mysqld_etc_t:s0 
/etc/mysql(/.*)?                                   all files          system_u:object_r:mysqld_etc_t:s0 
/etc/rc\.d/init\.d/mysqld                          regular file       system_u:object_r:mysqld_initrc_exec_t:s0 
/home/[^/]+/\.my\.cnf                              regular file       unconfined_u:object_r:mysqld_home_t:s0 
/root/\.my\.cnf                                    regular file       system_u:object_r:mysqld_home_t:s0 
/usr/bin/mysql_upgrade                             regular file       system_u:object_r:mysqld_exec_t:s0 
/usr/bin/mysqld_safe                               regular file       system_u:object_r:mysqld_safe_exec_t:s0 
/usr/bin/mysqld_safe_helper                        regular file       system_u:object_r:mysqld_exec_t:s0 
/usr/lib/systemd/system/mariadb.*                  regular file       system_u:object_r:mysqld_unit_file_t:s0 
/usr/lib/systemd/system/mysqld.*                   regular file       system_u:object_r:mysqld_unit_file_t:s0 
/usr/libexec/mysqld                                regular file       system_u:object_r:mysqld_exec_t:s0 
/usr/libexec/mysqld_safe-scl-helper                regular file       system_u:object_r:mysqld_safe_exec_t:s0 
/usr/sbin/mysqld(-max|-debug)?                     regular file       system_u:object_r:mysqld_exec_t:s0 
/usr/sbin/ndbd                                     regular file       system_u:object_r:mysqld_exec_t:s0 
/var/lib/mysql(-files|-keyring)?(/.*)?             all files          system_u:object_r:mysqld_db_t:s0 
/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0 
/var/log/mariadb(/.*)?                             all files          system_u:object_r:mysqld_log_t:s0 
/var/log/mysql(/.*)?                               all files          system_u:object_r:mysqld_log_t:s0 
/var/log/mysql.*                                   regular file       system_u:object_r:mysqld_log_t:s0 
/var/run/mariadb(/.*)?                             all files          system_u:object_r:mysqld_var_run_t:s0 
/var/run/mysql(/.*)?                               all files          system_u:object_r:mysqld_var_run_t:s0 
/var/run/mysqld(/.*)?                              all files          system_u:object_r:mysqld_var_run_t:s0 
/var/run/mysqld/mysqlmanager.*                     regular file       system_u:object_r:mysqlmanagerd_var_run_t:s0 

Comment by Timofey Turenko [ 2023-05-05 ]

it is reproducible only for 10.4 (the version where 'mariadb' is the symlink to 'mysql')

the solution is to add to the documentation:

for 10.4 after restoring backup please execute `chcon -R -t mysqld_db_t /var/lib/mysql`

(in the document https://mariadb.com/kb/en/full-backup-and-restore-with-mariabackup/#restoring-the-backup in the section "Then, you may need to fix the file permissions.", for 10.4, in addition to "chown -R mysql:mysql /var/lib/mysql/", SELinux permissions also have to be fixed with `chcon -R -t mysqld_db_t /var/lib/mysql`)
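
As an added example (not part of the issue and not MariaDB's own code), the script below audits the labels on a restored data directory against the `mysqld_db_t` type from the fcontext listing above and relabels with `restorecon` where they differ. The function names, the `--fix` argument and the sample `stat` lines, including the wrong type `var_lib_t`, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux types on a restored MariaDB data directory.
DATADIR=/var/lib/mysql
# Type that the fcontext rule /var/lib/mysql(-files|-keyring)?(/.*)? assigns.
EXPECTED_TYPE=mysqld_db_t

# Filter: reads "context path" lines (the format of `stat -c '%C %n'`) on
# stdin and prints "path type" for every entry whose type is not $1.
mislabeled() {
    awk -v want="$1" '{
        n = split($1, ctx, ":")            # user:role:type:level
        path = substr($0, length($1) + 2)  # keeps spaces in file names
        if (n < 3 || ctx[3] != want) print path, ctx[3]
    }'
}

# Audit the live datadir. Sockets are skipped because mysql.sock has its
# own rule (mysqld_var_run_t) in the policy.
audit_datadir() {
    find "$DATADIR" ! -type s -exec stat -c '%C %n' {} + |
        mislabeled "$EXPECTED_TYPE"
}

# Constructed sample input (not captured from a real host): a datadir that
# was recreated by hand and carries an assumed wrong type, var_lib_t.
sample_after_restore() {
    cat <<'EOF'
unconfined_u:object_r:var_lib_t:s0 /var/lib/mysql
unconfined_u:object_r:var_lib_t:s0 /var/lib/mysql/ibdata1
system_u:object_r:mysqld_db_t:s0 /var/lib/mysql/aria_log_control
unconfined_u:object_r:var_lib_t:s0 /var/lib/mysql/test/my table.frm
EOF
}

# Run with --fix on the database host, as root, while the server is stopped.
if [ "${1:-}" = "--fix" ]; then
    bad=$(audit_datadir)
    if [ -n "$bad" ]; then
        printf 'Mislabeled entries:\n%s\n' "$bad"
        restorecon -R -n -v "$DATADIR"   # dry run: show planned changes
        restorecon -R -v "$DATADIR"      # apply the labels from the policy
    fi
else
    # Offline demonstration on the constructed sample.
    sample_after_restore | mislabeled "$EXPECTED_TYPE"
fi
```

`restorecon` takes the target type from the installed fcontext rules rather than from a hard-coded argument, so the audit and the fix both follow whatever the policy on the host says for `/var/lib/mysql`.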
