Comments - SELinux
Content reproduced on this site is the property of its respective owners,
and this content is not reviewed in advance by MariaDB. The views, information and opinions
expressed by this content do not necessarily represent those of MariaDB or any other party.
I'm running MariaDB 10.6.17 on CentOS 7 and the log files are being sent to /var/log/mysql/. SELinux is enabled and the proper file contexts are set. But it's telling me that mariadb-admin needs write access on the sock_file mysql.sock and I don't see that mentioned.
However, logrotate fails to write to the new log file after it's created. When I check what SELinux is saying I see the following:
[root@server ~] # ausearch -m avc -ts today | audit2allow #============= logrotate_t ============== allow logrotate_t mysqld_db_t:sock_file write; [root@server ~] # sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing /usr/bin/mariadb-admin from write access on the sock_file mysql.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mariadb-admin should be allowed write access on the mysql.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mysqladmin' --raw | audit2allow -M my-mysqladmin # semodule -i my-mysqladmin.pp Additional Information: Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects mysql.sock [ sock_file ] Source mysqladmin Source Path /usr/bin/mariadb-admin Port <Unknown> Host <Unknown> Source RPM Packages MariaDB-client-10.6.17-1.el7.centos.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-268.el7_9.2.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name server.local Platform Linux server.local 3.10.0-1160.108.1.el7.x86_64 #1 SMP Thu Jan 25 16:17:31 UTC 2024 x86_64 x86_64 Alert Count 6 First Seen 2024-02-15 03:32:17 CST Last Seen 2024-04-05 03:22:01 CDT Local ID e660dfa7-c2e7-4121-a382-c536820230c6 Raw Audit Messages type=AVC msg=audit(1712305321.206:3028): avc: denied { write } for pid=24914 comm="mysqladmin" name="mysql.sock" dev="dm-0" ino=130113 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=sock_file permissive=0 type=SYSCALL msg=audit(1712305321.206:3028): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7ffd53952090 a2=6e a3=1e items=0 ppid=24913 pid=24914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=363 comm=mysqladmin exe=/usr/bin/mariadb-admin subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) Hash: mysqladmin,logrotate_t,mysqld_db_t,sock_file,write