Percona Server: PS-4813

Using flush_caches leads to SELinux denial errors


    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.42-84.2
    • Component/s: Packaging
    • Labels:
      None

      Description

      Tested on:

      shell> cat /etc/redhat-release
      CentOS Linux release 7.4.1708 (Core)

      Using latest Percona-Server-server packages:

      shell> rpm -qa | egrep -i "percona|mysql"
      percona-toolkit-3.0.11-1.el7.x86_64
      Percona-Server-shared-56-5.6.41-rel84.1.el7.x86_64
      Percona-Server-server-56-5.6.41-rel84.1.el7.x86_64
      percona-release-0.1-4.noarch
      perl-DBD-MySQL-4.023-6.el7.x86_64
      Percona-Server-client-56-5.6.41-rel84.1.el7.x86_64

      Installed from Percona's RPM repo with the yum install Percona-Server-server-56 command.

      Add flush_caches=1 under the [mysqld_safe] section, and when SELinux is set to enforcing, the service will not start. Nothing will be logged to mysql's error log, and the following will be seen in the system logs:

      shell> cat /var/log/messages | grep mysql
      Sep 2 21:05:05 localhost mysqld_safe: 180902 21:05:05 mysqld_safe Logging to '/var/log/mysqld.log'.
      Sep 2 21:05:05 localhost mysqld_safe: 180902 21:05:05 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
      Sep 2 21:06:26 localhost mysqld_safe: 180902 21:06:26 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
      Sep 2 21:06:35 localhost mysqld_safe: 180902 21:06:35 mysqld_safe Logging to '/var/log/mysqld.log'.
      Sep 2 21:06:35 localhost mysqld_safe: sysctl: cannot stat /proc/sys/vm/drop_caches: Permission denied
      Sep 2 21:06:35 localhost mysqld_safe: 180902 21:06:35 mysqld_safe sysctl failed, check the error message for details
      Sep 2 21:06:35 localhost systemd: mysqld.service: main process exited, code=exited, status=1/FAILURE
      shell> cat /var/log/audit/audit.log | grep denied
      type=AVC msg=audit(1535922395.806:977): avc: denied { getattr } for pid=4603 comm="sysctl" path="/proc/sys/vm/drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file


      If SELinux is set to permissive, the service will start, and we will see the following errors logged to the audit log:

      type=AVC msg=audit(1535922999.860:1061): avc: denied { getattr } for pid=6771 comm="sysctl" path="/proc/sys/vm/drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
      type=AVC msg=audit(1535922999.860:1062): avc: denied { write } for pid=6771 comm="sysctl" name="drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
      type=AVC msg=audit(1535922999.860:1062): avc: denied { open } for pid=6771 comm="sysctl" path="/proc/sys/vm/drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file


      SELinux settings for Percona Server 5.6 should be updated with these in place.
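The denials above are all the same tuple (source domain mysqld_safe_t, target type sysctl_vm_t, class file) differing only in the permission, which is exactly what a Type Enforcement allow rule expresses. The script below is an added example, not Percona's code or the policy shipped in the fix: it parses AVC lines of that shape into a minimal .te module, the way audit2allow -M does, so the grant can be read before it is loaded. The module name mysqld_safe_drop_caches and the sample lines are assumptions for this example (the samples are constructed in the shape of the report's permissive-mode denials, not taken from a live host).

```shell
#!/bin/sh
# Added example (not Percona's code): build a minimal SELinux .te module from
# AVC denial lines like the ones in PS-4813, for review before loading.
# The module name and the sample lines below are assumptions for this example.

# Constructed sample audit lines (same shape as the report's denials).
AVC_SAMPLE='type=AVC msg=audit(1535922999.860:1061): avc: denied { getattr } for pid=6771 comm="sysctl" path="/proc/sys/vm/drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1535922999.860:1062): avc: denied { write } for pid=6771 comm="sysctl" name="drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1535922999.860:1062): avc: denied { open } for pid=6771 comm="sysctl" path="/proc/sys/vm/drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file'

# avc_to_te MODULE_NAME
# Reads AVC lines on stdin and prints a .te module that allows exactly the
# (source type, target type, class, permissions) tuples that were denied.
# Exits 1 when no denial is found, so a caller never loads an empty module.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)   # text between { }
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src "|" tgt "|" cls
        if (!(key in rule))  { rule[key] = "";  order[++nrules] = key }
        if (!(src in tseen)) { tseen[src] = 1;  types[++ntypes] = src }
        if (!(tgt in tseen)) { tseen[tgt] = 1;  types[++ntypes] = tgt }
        if (!(cls in cperm)) { cperm[cls] = ""; classes[++nclasses] = cls }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen))  { seen[key, p[j]] = 1;  rule[key] = rule[key] " " p[j] }
            if (!((cls, p[j]) in cseen)) { cseen[cls, p[j]] = 1; cperm[cls] = cperm[cls] " " p[j] }
        }
    }
    END {
        if (nrules == 0) exit 1
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= ntypes; i++)   printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nclasses; i++) printf "\tclass %s {%s };\n", classes[i], cperm[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nrules; i++) {
            split(order[i], k, "|")
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rule[order[i]]
        }
    }'
}

# load_te_module FILE.te
# The real compile-and-load steps; they need checkmodule/semodule_package/
# semodule from policycoreutils, so this only does anything on an SELinux host.
load_te_module() {
    te="$1"; base="${te%.te}"
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found" >&2; return 2; }
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Review the generated policy: the only thing it grants is mysqld_safe_t
# getattr/write/open on files labelled sysctl_vm_t.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te mysqld_safe_drop_caches
```

On the affected host the same function can be fed the live denials with ausearch -m avc -c sysctl --raw | avc_to_te mysqld_safe_drop_caches > mysqld_safe_drop_caches.te, then load_te_module mysqld_safe_drop_caches.te. Two caveats: sysctl_vm_t labels all of /proc/sys/vm, not only drop_caches, so the rule lets mysqld_safe write any vm.* sysctl, which is still far narrower than running the box permissive; and the fix version listed above ships an updated policy, so a local module like this is a stopgap to be removed once the package is upgraded.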


             People

             • Assignee: Evgeniy Patlan (evgeniy.patlan)
             • Reporter: Agustín Gallego (agustin.gallego)


                Time Tracking

                • Estimated: Not Specified
                • Remaining: Not Specified
                • Logged: 4h