Tungsten and SELinux, a Case Study

In this blog post, we talk about what happened during an installation of the Tungsten Cluster into an environment with SELinux running and mis-configured.

An attempt to execute `tpm install` on v5.3.2 recently failed with the below error:

ERROR >> node3_production_customer_com >> Unable to run 'sudo systemctl status mysqld.service' or the database server is not running (DatasourceBootScriptCheck) 
Update the /etc/sudoers file or disable sudo by adding --enable-sudo-access=false

Worse, this customer reported that this appeared as a WARNING only in Dev and Staging tests. So we checked, and it seemed we were able to access systemctl properly:

shell> sudo systemctl status mysqld.service
● mysqld.service - MySQL Percona Server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
Active: activating (start-post) since Tue 2018-06-19 17:46:19 BST; 1min 15s ago
Process: 448996 ExecStart=/usr/bin/mysqld_safe (code=exited, status=0/SUCCESS)
Process: 448964 ExecStartPre=/usr/bin/mysql-systemd pre (code=exited, status=0/SUCCESS)
Main PID: 448996 (code=exited, status=0/SUCCESS); : 448997 (mysql-systemd)
CGroup: /system.slice/mysqld.service
└─control
├─448997 /bin/bash /usr/bin/mysql-systemd post
└─450505 sleep 1
Jun 19 17:46:19 node3.production.customer.com systemd[1]: Starting MySQL Percona Server...
Jun 19 17:46:19 node3.production.customer.com mysqld_safe[448996]: 180619 17:46:19 mysqld_safe Logging to '/var/log/mysqld.log'.
Jun 19 17:46:19 node3.production.customer.com mysqld_safe[448996]: 180619 17:46:19 mysqld_safe Starting mysqld daemon with databases from /dbdata/data01
Jun 19 17:46:20 node3.production.customer.com mysqld_safe[448996]: 180619 17:46:20 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended

The problem with the systemctl start-up for MySQL turned out to be related to SELinux, with the /data filesystem and the non-standard port having the wrong contexts.

The solution was to inform SELinux about the additional disk and port resources:

  • Ensure the file contexts are set correctly for SELinux, in this case allow MySQL data to be stored in a non-standard location (/data):
    semanage fcontext -a -t etc_runtime_t /data
    restorecon -Rv /data/
      
    semanage fcontext -a -t mysqld_db_t "/data(/.*)?"
    restorecon -Rv /data/*
  • By default, MySQL uses port 3306, but our best practice is to change it to 13306 to prevent accidental connection directly to the database, bypassing the required Connector. If using a non-standard PORT for MySQL and SELinux is enabled, you must also change the port context:
    semanage port -a -t mysqld_port_t -p tcp 13306

In future articles, we will continue to cover more advanced subjects of interest!

Questions? Contact Continuent

About the Author

Eric M. Stone
COO and VP of Product Management

Eric is a veteran of fast-paced, large-scale enterprise environments with 35 years of Information Technology experience. With a focus on HA/DR, from building data centers and trading floors to world-wide deployments, Eric has architected, coded, deployed and administered systems for a wide variety of disparate customers, from Fortune 500 financial institutions to SMB’s.

Add new comment