LinuxQuestions.org
Old 01-06-2023, 08:42 PM   #1
Mo_
Member
 
Registered: Aug 2022
Posts: 50

Rep: Reputation: 0
MySQL is not starting in enforcing mode


Hi Community, I have installed MySQL in Redhat Linux, however, MySQL is not getting started. I'm getting some error when I check journalctl. How can I fix this issue?

Quote:
# ausearch -c 'boot' --raw | audit2allow -M my-boot
# semodule -X 300 -i my-boot.pp

Jan 06 19:32:21 mysql-server setroubleshoot[4898]: AnalyzeThread.run(): Set alarm timeout to 10
Jan 06 19:32:21 mysql-server setroubleshoot[4898]: AnalyzeThread.run(): Cancel pending alarm
Jan 06 19:32:21 mysql-server setroubleshoot[4898]: failed to retrieve rpm info for /mysql/app/mysql-commercial-8.0.31-linux-glibc2.12-x86_64/bin/mysqld
Jan 06 19:32:21 mysql-server setroubleshoot[4898]: SELinux is preventing /mysql/app/mysql-commercial-8.0.31-linux-glibc2.12-x86_64/bin/mysqld from write access on the file #ib_redo1. For complete SELinux messages>
Jan 06 19:32:21 mysql-sever setroubleshoot[4898]: SELinux is preventing /mysql/app/mysql-commercial-8.0.31-linux-glibc2.12-x86_64/bin/mysqld from write access on the file #ib_redo1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mysqld should be allowed write access on the #ib_redo1 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boot' --raw | audit2allow -M my-boot
# semodule -X 300 -i my-boot.pp

Jan 06 19:32:21 mysql-server setroubleshoot[4898]: AnalyzeThread.run(): Set alarm timeout to 10
Jan 06 19:32:21 mysql-server setroubleshoot[4898]: AnalyzeThread.run(): Cancel pending alarm
Jan 06 19:32:21 mysql-server setroubleshoot[4898]: failed to retrieve rpm info for /mysql/app/mysql-commercial-8.0.31-linux-glibc2.12-x86_64/bin/mysqld
Jan 06 19:32:21 mysql-server sudo[73583]: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jan 06 19:32:21 mysql-server sudo[73583]: PAM adding faulty module: /usr/lib64/security/pam_fprintd.so
Quote:
[root@mysql-server]# systemctl status mysqld
● mysqld.service - MySQL Server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2023-01-06 19:46:54 MST; 9s ago
Docs: man:mysqld(7)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 109241 ExecStart=/mysql/app/mysql/bin/mysqld --defaults-file=/etc/my.cnf --daemonize --pid-file=/dat>
Main PID: 4019 (code=killed, signal=KILL)

Jan 06 19:46:54 mysql-server systemd[1]: mysqld.service: Control process exited, code=exited status=203
Jan 06 19:46:54 mysql-server systemd[1]: mysqld.service: Failed with result 'exit-code'.
Jan 06 19:46:54 mysql-server systemd[1]: Failed to start MySQL Server.
Jan 06 19:46:54 mysql-server systemd[1]: mysqld.service: Service RestartSec=100ms expired, scheduling restart.
Jan 06 19:46:54 mysql-server systemd[1]: mysqld.service: Scheduled restart job, restart counter is at 5.
Jan 06 19:46:54 mysql-server systemd[1]: Stopped MySQL Server.
Jan 06 19:46:54 mysql-server systemd[1]: mysqld.service: Start request repeated too quickly.
Jan 06 19:46:54 mysql-server systemd[1]: mysqld.service: Failed with result 'exit-code'.
Jan 06 19:46:54 mysql-server systemd[1]: Failed to start MySQL Server.
Thank you for your help.

Last edited by Mo_; 01-08-2023 at 04:24 PM.
 
Old 01-08-2023, 08:28 AM   #2
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
How did you install? A Red Hat RPM should have the SELinux policies installed by default.

The best way to test is to turn off SELinux using "setenforce 0" and try again. If you want to use this version, you will need to generate the policy probably using audit2allow.
 
Old 01-08-2023, 01:20 PM   #3
Mo_
Member
 
Registered: Aug 2022
Posts: 50

Original Poster
Rep: Reputation: 0
Actually installed by someone else, and she's not with the company anymore. I'm not sure how she installed it, I think she downloaded the zip file. Not sure though. However, I can start it in permissive mode.
How does audit2allow work? Can you help to provide the commands? I'm a newbie.
Thank you for your help.
 
Old 01-08-2023, 02:02 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,753

Rep: Reputation: 7983
Quote:
Originally Posted by Mo_
Actually installed by someone else, and she's not with the company anymore. I'm not sure how she installed it, I think she downloaded the zip file. Not sure though. However, I can start it in permissive mode. How does audit2allow work? Can you help to provide the commands? I'm a newbie.
Ok, so since this has probably never worked, why not just delete the existing MySQL installation, and install it from the RHEL repositories, which do everything for you, to make sure it's correct?? Since you're a 'newbie', that would be the far safest/easiest way to do it...and since you're using RHEL, you can easily just call Red Hat support for everything. How did you get into the Linux admin role, being a 'newbie'??

You don't say what version of RHEL you're using, but did you look at the (extensive) RHEL documentation??
https://access.redhat.com/documentat...ixing_problems
 
Old 01-08-2023, 04:21 PM   #5
Mo_
Member
 
Registered: Aug 2022
Posts: 50

Original Poster
Rep: Reputation: 0
I meant newbie to SELinux. Actually I have been working as a Windows administrator, and recently I started learning Linux. I can configure the webserver from different directories easily, however, MySQL is the first time looking into it. I added whatever SELinux label is mentioned in the MySQL documentation. It didn't work, which is why I thought community members might have an idea about the issue.

Last edited by Mo_; 01-08-2023 at 04:33 PM.
 
Old 01-08-2023, 05:42 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,753

Rep: Reputation: 7983
Quote:
Originally Posted by Mo_
I meant newbie to SELinux. Actually I have been working as a Windows administrator, and recently I started learning Linux. I can configure the webserver from different directories easily, however, MySQL is the first time looking into it. I added whatever SELinux label is mentioned in the MySQL documentation. It didn't work, which is why I thought community members might have an idea about the issue.
Ok, so go back to the solution offered: install it from the RHEL repositories, and contact RHEL support for help, since your organization is paying for RHEL. One command, and it's installed and selinux is configured. Doubtful it was installed from a .ZIP file, since that's typically for Windows...most Linux software will come in tar.gz files, but what makes you think the previous admin installed it from a compressed file??

Have you read the documentation on how to use the audit command mentioned? Or tried the command for selinux enforce to see if that gets it going?? And now you're mentioning a web-server...how is that fitting in with MySQL now? Because if you don't install things from the repositories, you are not going to get the updates/bug-fixes, and be left with an unstable system, that takes a LOT more to maintain and administer. Would you tell a Windows admin to install random stuff from ZIP's, and not stay up to date??
 
Old 01-08-2023, 06:58 PM   #7
Mo_
Member
 
Registered: Aug 2022
Posts: 50

Original Poster
Rep: Reputation: 0
I just guessed they installed it from a zip file. I haven't seen any MySQL log in /var, I thought they just untarred the file from that custom directory which is in /mysql. They might have installed it from the repository.
I haven't installed a webserver, I was just telling you that I know how to configure SELinux for a webserver.
 
Old 01-09-2023, 08:38 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,753

Rep: Reputation: 7983
Quote:
Originally Posted by Mo_
I just guessed they installed it from a zip file. I haven't seen any MySQL log in /var, I thought they just untarred the file from that custom directory which is in /mysql. They might have installed it from the repository. I haven't installed a webserver, I was just telling you that I know how to configure SELinux for a webserver.
Ok, so if you know how to configure one service, apply that exact same procedure for MySQL. And have you (again) contacted RHEL support for help, or done any research?? Putting "rhel selinux mysql" into a search-engine pulls up quite a bit.
https://dev.mysql.com/doc/refman/8.0...-policies.html
 
Old 01-10-2023, 12:02 PM   #9
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
You can look in /var/log/audit/audit.log, and run scripts to create a selinux policy to allow whatever mysql is doing. I've done this before (like 2 hours ago) but I am no expert on this so I can't give advice but there are plenty of tutorials on it.

This is if you don't want to move to a rhel version.
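
What audit2allow does with the denials in /var/log/audit/audit.log, as an added example that is not part of any post in this thread: it reads the AVC records and turns each source type, target type, class and permission set into an allow rule. The sample records are constructed; their contexts (mysqld_t, default_t), ids and the "data" directory name are assumptions, and only comm, #ib_redo1 and the write denial come from the thread.

```python
import re
from collections import defaultdict

# Constructed AVC records in audit.log format. Contexts, pids, inodes and ids
# are assumptions; only comm, "#ib_redo1" and the write denial are from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1673058741.101:901): avc:  denied  { write } for  pid=4019 comm="mysqld" name="#ib_redo1" dev="dm-0" ino=1311 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1673058741.102:902): avc:  denied  { read open } for  pid=4019 comm="mysqld" name="#ib_redo1" dev="dm-0" ino=1311 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1673058741.102:902): arch=c000003e syscall=257 success=no exit=-13 comm="mysqld"
type=AVC msg=audit(1673058741.103:903): avc:  denied  { write } for  pid=4019 comm="mysqld" name="data" dev="dm-0" ino=1300 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """Render type-enforcement rules of the kind a generated module contains."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

# Heuristic: these target types mean the object has no service-specific label,
# so the fix is relabelling, not a new allow rule.
GENERIC_TYPES = {"default_t", "unlabeled_t"}

def needs_relabel(denials):
    return sorted({t for (_, t, _) in denials if t in GENERIC_TYPES})

if __name__ == "__main__":
    found = collect_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(found)))
    print("relabel instead of allowing:", needs_relabel(found))
```

When the target type is a generic one such as default_t, loading the generated module would let the confined service write to every object carrying that type. Correcting the file context with semanage fcontext and restorecon addresses the cause without widening the policy.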
 
Old 01-12-2023, 11:30 AM   #10
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,818

Rep: Reputation: 550
Quote:
Originally Posted by TB0ne
Ok, so since this has probably never worked, why not just delete the existing MySQL installation, and install it from the RHEL repositories, which do everything for you, to make sure it's correct?? Since you're a 'newbie', that would be the far safest/easiest way to do it...and since you're using RHEL, you can easily just call Red Hat support for everything. How did you get into the Linux admin role, being a 'newbie'??

You don't say what version of RHEL you're using, but did you look at the (extensive) RHEL documentation??
https://access.redhat.com/documentat...ixing_problems
I second the call to Red Hat and having them help getting MySQL started. My worry about just clobbering the existing installation is that the OP's predecessor may have gotten the database up and running and it might contain data that ought to be exported before a re-installation from an RHEL rpm. Just bein' cautious.
 
Old 01-12-2023, 04:21 PM   #11
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
You need to back up/export the data, preferably in text form. That way, you can always import it. If you aren't doing this now, do this now. You can't back it up using "normal" tools if the database is running.
 
Old 01-12-2023, 09:27 PM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,369

Rep: Reputation: 2753
You need the db to be running, but not being changed, i.e. used by anybody, then use the mysqldump tool.
This does actually work if the db is being used, but ofc it means the data may have changed as soon as it (mysqldump) releases the locks, so you won't know exactly what point in time data you have.
 
Old 01-13-2023, 09:51 PM   #13
Mo_
Member
 
Registered: Aug 2022
Posts: 50

Original Poster
Rep: Reputation: 0
I applied SELinux policy "bin_t" on mysqld and that resolved the issue. Initially, I applied the SELinux policy "mysqld_db_t" on the directory and all files and sub-directory. Hope it helps someone if they are having the same issue.
 
  

