[#MDEV-30520] SELinux incorrectly labeled mariadbd

type=AVC msg=audit(1675146674.414:430): avc: denied { connectto } for pid=4435 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

type=SYSCALL msg=audit(1675146674.414:430): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7ffddc679b90 a2=1b a3=5582de7da5b0 items=0 ppid=2851 pid=4435 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/remi/php82/root/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"

Looking at the default file context list will show problem:
semanage fcontext -l|grep mysql:

/etc/my\.cnf                                       regular file       system_u:object_r:mysqld_etc_t:s0

/etc/my\.cnf\.d(/.*)?                              all files          system_u:object_r:mysqld_etc_t:s0

/etc/mysql(/.*)?                                   all files          system_u:object_r:mysqld_etc_t:s0

/etc/rc\.d/init\.d/mysqld                          regular file       system_u:object_r:mysqld_initrc_exec_t:s0

/etc/rc\.d/init\.d/mysqlmanager                    regular file       system_u:object_r:mysqlmanagerd_initrc_exec_t:s0

/home/[^/]+/\.my\.cnf                              regular file       unconfined_u:object_r:mysqld_home_t:s0

/root/\.my\.cnf                                    regular file       system_u:object_r:mysqld_home_t:s0

/usr/bin/mariadb-upgrade                           regular file       system_u:object_r:mysqld_exec_t:s0

/usr/bin/mariadbd-safe                             regular file       system_u:object_r:mysqld_safe_exec_t:s0

/usr/bin/mariadbd-safe-helper                      regular file       system_u:object_r:mysqld_exec_t:s0

/usr/bin/mysql_upgrade                             regular file       system_u:object_r:mysqld_exec_t:s0

/usr/bin/mysqld_safe                               regular file       system_u:object_r:mysqld_safe_exec_t:s0

/usr/bin/mysqld_safe_helper                        regular file       system_u:object_r:mysqld_exec_t:s0

/usr/lib(64)?/nagios/plugins/check_mysql           regular file       system_u:object_r:nagios_services_plugin_exec_t:s0

/usr/lib(64)?/nagios/plugins/check_mysql_query     regular file       system_u:object_r:nagios_services_plugin_exec_t:s0

/usr/lib/systemd/system/mariadb.*                  regular file       system_u:object_r:mysqld_unit_file_t:s0

/usr/lib/systemd/system/mysqld.*                   regular file       system_u:object_r:mysqld_unit_file_t:s0

/usr/libexec/mariadbd                              regular file       system_u:object_r:mysqld_exec_t:s0

/usr/libexec/mysqld                                regular file       system_u:object_r:mysqld_exec_t:s0

/usr/libexec/mysqld_safe-scl-helper                regular file       system_u:object_r:mysqld_safe_exec_t:s0

/usr/sbin/mysqld(-max|-debug)?                     regular file       system_u:object_r:mysqld_exec_t:s0

/usr/sbin/mysqlmanager                             regular file       system_u:object_r:mysqlmanagerd_exec_t:s0

/usr/sbin/ndbd                                     regular file       system_u:object_r:mysqld_exec_t:s0

/usr/sbin/zabbix_proxy_mysql                       regular file       system_u:object_r:zabbix_exec_t:s0

/usr/sbin/zabbix_server_mysql                      regular file       system_u:object_r:zabbix_exec_t:s0

/usr/share/munin/plugins/mysql_.*                  regular file       system_u:object_r:services_munin_plugin_exec_t:s0

/var/lib/mysql(-files|-keyring)?(/.*)?             all files          system_u:object_r:mysqld_db_t:s0

/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0

/var/log/mariadb(/.*)?                             all files          system_u:object_r:mysqld_log_t:s0

/var/log/mariadb.log                               regular file       system_u:object_r:mysqld_log_t:s0

/var/log/mysql(/.*)?                               all files          system_u:object_r:mysqld_log_t:s0

/var/log/mysql.*                                   regular file       system_u:object_r:mysqld_log_t:s0

/var/run/mariadb(/.*)?                             all files          system_u:object_r:mysqld_var_run_t:s0

/var/run/mysql(/.*)?                               all files          system_u:object_r:mysqld_var_run_t:s0

/var/run/mysqld(/.*)?                              all files          system_u:object_r:mysqld_var_run_t:s0

/var/run/mysqld/mysqlmanager.*                     regular file       system_u:object_r:mysqlmanagerd_var_run_t:s0

/usr/bin/mariadb-upgrade                           regular file       system_u:object_r:mysqld_exec_t:s0

/usr/bin/mariadbd-safe                             regular file       system_u:object_r:mysqld_safe_exec_t:s0

/usr/bin/mariadbd-safe-helper                      regular file       system_u:object_r:mysqld_exec_t:s0

/usr/lib/systemd/system/mariadb.*                  regular file       system_u:object_r:mysqld_unit_file_t:s0

/usr/libexec/mariadbd                              regular file       system_u:object_r:mysqld_exec_t:s0

/var/log/mariadb(/.*)?                             all files          system_u:object_r:mysqld_log_t:s0

/var/log/mariadb.log                               regular file       system_u:object_r:mysqld_log_t:s0

/var/run/mariadb(/.*)?                             all files          system_u:object_r:mysqld_var_run_t:s0

For me the "magic" is this line:
/usr/sbin/mysqld(-max|-debug)? regular file system_u:object_r:mysqld_exec_t:s0
So the name for the binary must be fixed or an second default entry for
/usr/sbin/mariadbd(-max|-debug)? regular file system_u:object_r:mysqld_exec_t:s0
must be added.

[MDEV-30520] SELinux incorrectly labeled mariadbd Created: 2023-01-31 Updated: 2024-02-07
Status:	Stalled
Project:	MariaDB Server
Component/s:	Packaging
Affects Version/s:	10.6.11
Fix Version/s:	10.5

[MDEV-30520] SELinux incorrectly labeled mariadbd Created: 2023-01-31 Updated: 2024-02-07