[MDEV-9852] SELinux errors on fresh cluster build preventing Created: 2016-03-31  Updated: 2019-12-12  Resolved: 2019-12-12

Status: Closed
Project: MariaDB Server
Component/s: Platform RedHat
Affects Version/s: 10.1.13
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Joseph Foss Assignee: Seppo Jaakola
Resolution: Incomplete Votes: 0
Labels: galera
Environment:

RHEL7.2: 2 node + 1 garb witness
vmware virtual nodes
iptables disabled


Issue Links:
Relates
relates to MDEV-4238 Galera Docs: SELinux makes server fro... Closed

 Description   

SELinux is preventing /usr/sbin/mysqld from using the setpgid access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that mysqld should be allowed setpgid access on processes labeled mysqld_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysqld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:

Source Context                system_u:system_r:mysqld_t:s0
Target Context                system_u:system_r:mysqld_t:s0
Target Objects                Unknown [ process ]
Source                        mysqld
Source Path                   /usr/sbin/mysqld
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           MariaDB-server-10.1.13-1.el7.centos.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rh7db02
Platform                      Linux rh7db02 3.10.0-327.10.1.el7.x86_64 #1 SMP
                              Sat Jan 23 04:54:55 EST 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-03-31 14:41:02 MDT
Last Seen                     2016-03-31 15:05:37 MDT
Local ID                      39a5a913-ccc6-44ff-9c3e-9fcb4966d494

Raw Audit Messages

type=AVC msg=audit(1459458337.366:701): avc:  denied  { setpgid } for  pid=4983 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process
 
type=SYSCALL msg=audit(1459458337.366:701): arch=x86_64 syscall=setpgid success=no exit=EACCES a0=0 a1=0 a2=1 a3=8 items=0 ppid=4975 pid=4983 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm=mysqld exe=/usr/sbin/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)

Hash: mysqld,mysqld_t,mysqld_t,process,setpgid

$sudo yum list installed |grep -i maria
MariaDB-client.x86_64                10.1.13-1.el7.centos    @mariadb-enterprise-main
MariaDB-common.x86_64                10.1.13-1.el7.centos    @mariadb-enterprise-main
MariaDB-server.x86_64                10.1.13-1.el7.centos    @mariadb-enterprise-main
MariaDB-shared.x86_64                10.1.13-1.el7.centos    @mariadb-enterprise-main
                                                             @mariadb-enterprise-main
jemalloc.x86_64                      3.6.0-1.el7             @mariadb-enterprise-main
mariadb-enterprise-repository.noarch 0.1-1                   installed 

=============ENVIRONMENT NODE 2&1==================
$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)
$sudo yum check-update
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
[xxx@rh7db02 mysql]$
===============================

content of /etc/my.cnf.d/server.cnf

[galera]
# Mandatory settings
wsrep_on=ON
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_address="gcomm://10.100.106.41,10.100.106.42,10.100.106.40"
wsrep_cluster_name="eval_internal_galera_cluster"
binlog_format=row
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2
 
# Galera Node Configuration
wsrep_node_address="10.100.106.42"
wsrep_node_name="RH7DB02"
wsrep_sst_method=rsync
#
# Allow server to accept connections on all interfaces.
#
#bind-address=0.0.0.0
#
# Optional setting
#wsrep_slave_threads=1
#innodb_flush_log_at_trx_commit=0
 
# this is only for embedded server
[embedded]
 
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# 2016 set the collation to Western English
init_connect='SET collation_connection = utf8_unicode_ci'
init_connect='SET NAMES utf8'
character-set-server=utf8
collation-server=utf8_unicode_ci
skip-character-set-client-handshake
 
#2016 to keep ibdata1 from balloning
innodb_file_per_table
 
#2016 for Holland backup method
[mysqldump]
quick
max_allowed_packet = 512M
 
...

=============Sequence=====================
[xxxx@rh7db01] sudo galera_new_cluster
 
....
[xxxx@rh7db02] systemctl start mariadb
node2's /var/log/messages |grep -i mysql 
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827097888512 [Note] WSREP: Quorum results:
Mar 31 15:05:37 rh7db02 mysqld: version    = 3,
Mar 31 15:05:37 rh7db02 mysqld: component  = PRIMARY,
Mar 31 15:05:37 rh7db02 mysqld: conf_id    = 1,
Mar 31 15:05:37 rh7db02 mysqld: members    = 1/2 (joined/total),
Mar 31 15:05:37 rh7db02 mysqld: act_id     = 0,
Mar 31 15:05:37 rh7db02 mysqld: last_appl. = -1,
Mar 31 15:05:37 rh7db02 mysqld: protocols  = 0/7/3 (gcs/repl/appl),
Mar 31 15:05:37 rh7db02 mysqld: group UUID = 4d4b4993-f784-11e5-aa9d-86b465e7ab44
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827097888512 [Note] WSREP: Flow-control interval: [23, 23]
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827097888512 [Note] WSREP: Shifting OPEN -> PRIMARY (TO: 0)
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827388963584 [Note] WSREP: State transfer required:
Mar 31 15:05:37 rh7db02 mysqld: Group state: 4d4b4993-f784-11e5-aa9d-86b465e7ab44:0
Mar 31 15:05:37 rh7db02 mysqld: Local state: 00000000-0000-0000-0000-000000000000:-1
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827388963584 [Note] WSREP: New cluster view: global state: 4d4b4993-f784-11e5-aa9d-86b465e7ab44:0, view# 2: Primary, number of nodes: 2, my index: 1, protocol version 3
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827388963584 [Warning] WSREP: Gap in state sequence. Need state transfer.
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827389278336 [Note] WSREP: Waiting for SST to complete.
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827081115392 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address '10.100.106.42' --datadir '/var/lib/mysql/'   --parent '4975' --binlog 'mariadb-bin' '
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827081115392 [ERROR] WSREP: Failed to read 'ready <addr>' from: wsrep_sst_rsync --role 'joiner' --address '10.100.106.42' --datadir '/var/lib/mysql/'   --parent '4975' --binlog 'mariadb-bin'
Mar 31 15:05:37 rh7db02 mysqld: Read: '(null)'
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827081115392 [ERROR] WSREP: Process completed with error: wsrep_sst_rsync --role 'joiner' --address '10.100.106.42' --datadir '/var/lib/mysql/'   --parent '4975' --binlog 'mariadb-bin' : 2 (No such file or directory)
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827388963584 [ERROR] WSREP: Failed to prepare for 'rsync' SST. Unrecoverable.
Mar 31 15:05:37 rh7db02 mysqld: 2016-03-31 15:05:37 139827388963584 [ERROR] Aborting
Mar 31 15:05:38 rh7db02 setroubleshoot: SELinux is preventing /usr/sbin/mysqld from using the setpgid access on a process. For complete SELinux messages. run sealert -l 50537a7e-8080-4bdb-a450-62682933a42a
Mar 31 15:05:46 rh7db02 mysqld: Error in my_thread_global_end(): 1 threads didn't exit



 Comments   
Comment by Daniel Black [ 2016-04-04 ]

Have you tried the distributed mariadb selinux policy over the RHEL one? https://github.com/MariaDB/server/tree/10.1/support-files/policy/selinux

Comment by Joseph Foss [ 2016-04-06 ]

By our governance policy, lab machines must keep to stock rpm installations with selinux enforcing. Any other suggestions?

Comment by Daniel Black [ 2016-04-06 ]

Test that the selinux policy above is sufficient and submit the selinux changes to your stock distro, though given you are using mariadb packages I see no reason why they would accept it.

Perhaps even submit the changes to https://github.com/TresysTechnology/refpolicy/wiki

I guess that the mariadb package should install this selinux policy too?
