Tungsten and SELinux, a Case Study

In this blog post, we talk about what happened during an installation of the Tungsten Cluster into an environment with SELinux running and mis-configured.

An attempt to execute `tpm install` on v5.3.2 recently failed with the below error:

ERROR >> node3_production_customer_com >> Unable to run 'sudo systemctl status mysqld.service' or the database server is not running (DatasourceBootScriptCheck) 
Update the /etc/sudoers file or disable sudo by adding --enable-sudo-access=false

Worse, this customer reported that this appeared as a WARNING only in Dev and Staging tests. So we checked, and it seemed we were able to access systemctl properly:

shell> sudo systemctl status mysqld.service
● mysqld.service - MySQL Percona Server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
Active: activating (start-post) since Tue 2018-06-19 17:46:19 BST; 1min 15s ago
Process: 448996 ExecStart=/usr/bin/mysqld_safe (code=exited, status=0/SUCCESS)
Process: 448964 ExecStartPre=/usr/bin/mysql-systemd pre (code=exited, status=0/SUCCESS)
Main PID: 448996 (code=exited, status=0/SUCCESS); : 448997 (mysql-systemd)
CGroup: /system.slice/mysqld.service
├─448997 /bin/bash /usr/bin/mysql-systemd post
└─450505 sleep 1
Jun 19 17:46:19 systemd[1]: Starting MySQL Percona Server...
Jun 19 17:46:19 mysqld_safe[448996]: 180619 17:46:19 mysqld_safe Logging to '/var/log/mysqld.log'.
Jun 19 17:46:19 mysqld_safe[448996]: 180619 17:46:19 mysqld_safe Starting mysqld daemon with databases from /dbdata/data01
Jun 19 17:46:20 mysqld_safe[448996]: 180619 17:46:20 mysqld_safe mysqld from pid file /var/run/mysqld/ ended

The problem with the systemctl start-up for MySQL turned out to be related to SELinux, with the /data filesystem and the non-standard port having the wrong contexts.

The solution was to inform SELinux about the additional disk and port resources:

  • Ensure the file contexts are set correctly for SELinux, in this case allow MySQL data to be stored in a non-standard location (/data):
    semanage fcontext -a -t etc_runtime_t /data
    restorecon -Rv /data/
    semanage fcontext -a -t mysqld_db_t "/data(/.*)?"
    restorecon -Rv /data/*
  • By default, MySQL uses port 3306, but our best practice is to change it to 13306 to prevent accidental connection directly to the database, bypassing the required Connector. If using a non-standard PORT for MySQL and SELinux is enabled, you must also change the port context:
    semanage port -a -t mysqld_port_t -p tcp 13306

In future articles, we will continue to cover more advanced subjects of interest!

Questions? Contact Continuent

About the Author

Eric M. Stone

Eric is a veteran of fast-paced, large-scale enterprise environments with 35 years of Information Technology experience. With a focus on HA/DR, from building data centers and trading floors to world-wide deployments, Eric has architected, coded, deployed and administered systems for a wide variety of disparate customers, from Fortune 500 financial institutions to SMB’s.

Add new comment