Bug #75912 MySQL 5.6.23 triggers execmem SELinux denials on CentOS 7
Submitted: 15 Feb 2015 22:54 Modified: 19 Feb 2015 2:20
Reporter: Travers Carter Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Package Repos Severity:S2 (Serious)
Version:5.6.23 OS:Linux (CentOS 7.0.1406)
Assigned to: CPU Architecture:Any

[15 Feb 2015 22:54] Travers Carter 
Description:
After upgrading from mysql community 5.6.22 to mysql community 5.6.23 (both from the oracle yum respository) mysqld no longer starts unless selinux is disabled/permission.

The following AVC is recorded in the audit log:
type=AVC msg=audit(1423995414.836:680): avc:  denied  { execmem } for  pid=15742 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process

Comparing mysqld from  5.6.22 and 5.6.23 using readelf shows that the GNU_STACK is marked as executable in 5.6.23, but not 5.6.22, a number of mappings in 5.6.23 are marked as rwxp in 5.6.23, while none are in 5.6.22, and it appears that from an strace 5.6.23 is mapping memory as RWX before each thread is created.

5.6.22
==================================
# uname -r
3.10.0-123.13.2.el7.x86_64                                                                                                             

# cat /etc/centos-release
CentOS Linux release 7.0.1406 (Core)

# rpm -qa mysql-community-server                                                                        
mysql-community-server-5.6.22-2.el7.x86_64                                                     

# readelf -l /usr/sbin/mysqld | grep -A1 GNU_STACK                                                                               
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     10
                                                        ^^^                                
# for i in $(pgrep mysqld); do grep rwxp /proc/$i/maps; done
<No output>

5.6.23
===================================
# uname -r
3.10.0-123.20.1.el7.x86_64

# cat /etc/centos-release 
CentOS Linux release 7.0.1406 (Core)

# rpm -qa mysql-community-server
mysql-community-server-5.6.23-2.el7.x86_64

# readelf -l /usr/sbin/mysqld | grep -A1 GNU_STACK
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    10

# for i in $(pgrep mysqld); do grep rwxp /proc/$i/maps; done
01249000-01349000 rwxp 00c49000 fd:01 35211750                           /usr/sbin/mysqld
01349000-0139c000 rwxp 00000000 00:00 0 
02e6d000-04640000 rwxp 00000000 00:00 0                                  [heap]
7f320c000000-7f320c021000 rwxp 00000000 00:00 0 
7f3214000000-7f3214021000 rwxp 00000000 00:00 0 
7f3218000000-7f321b050000 rwxp 00000000 00:00 0 
7f321c000000-7f321c021000 rwxp 00000000 00:00 0 
7f3220000000-7f3220021000 rwxp 00000000 00:00 0 
7f3224000000-7f3224021000 rwxp 00000000 00:00 0 
7f322ab94000-7f322ab95000 rwxp 00017000 fd:01 37305134                   /usr/lib64/libresolv-2.17.so
7f322ab95000-7f322ab97000 rwxp 00000000 00:00 0 
7f322ad9c000-7f322ad9d000 rwxp 00005000 fd:01 33697614                   /usr/lib64/libnss_dns-2.17.so
7f322affd000-7f322affe000 rwxp 00060000 fd:01 33735423                   /usr/lib64/libpcre.so.1.2.0
7f322afff000-7f322b7ff000 rwxp 00000000 00:00 0                          [stack:15768]
7f322b800000-7f322c000000 rwxp 00000000 00:00 0                          [stack:15767]
7f322c000000-7f322c114000 rwxp 00000000 00:00 0 
7f32300ad000-7f32300ed000 rwxp 00000000 00:00 0                          [stack:15773]
7f32300ee000-7f323012e000 rwxp 00000000 00:00 0                          [stack:15771]
7f323012f000-7f323016f000 rwxp 00000000 00:00 0                          [stack:15770]
7f3230375000-7f3230376000 rwxp 00006000 fd:01 1691546                    /usr/lib64/mysql/plugin/lib_mysqludf_preg.so
7f3230377000-7f3230b77000 rwxp 00000000 00:00 0                          [stack:15766]
7f3230b78000-7f3231378000 rwxp 00000000 00:00 0                          [stack:15765]
7f3231379000-7f3231b79000 rwxp 00000000 00:00 0                          [stack:15764]
7f3231b7a000-7f323237a000 rwxp 00000000 00:00 0                          [stack:15762]
7f323237b000-7f3232b7b000 rwxp 00000000 00:00 0                          [stack:15761]
7f3232b7c000-7f323379f000 rwxp 00000000 00:00 0                          [stack:15760]
7f32337b9000-7f32337f9000 rwxp 00000000 00:00 0                          [stack:15769]
7f3233a04000-7f3233a05000 rwxp 0000b000 fd:01 33697616                   /usr/lib64/libnss_files-2.17.so
7f3233a0f000-7f3233a10000 rwxp 00000000 00:00 0 
7f3233a11000-7f3234211000 rwxp 00000000 00:00 0                          [stack:15763]
7f3234212000-7f3234a12000 rwxp 00000000 00:00 0                          [stack:15752]
7f3234a13000-7f3235213000 rwxp 00000000 00:00 0                          [stack:15751]
7f3235214000-7f3235a14000 rwxp 00000000 00:00 0                          [stack:15750]
7f3235a15000-7f3236215000 rwxp 00000000 00:00 0                          [stack:15749]
7f3236216000-7f3236a16000 rwxp 00000000 00:00 0                          [stack:15748]
7f3236a17000-7f3237217000 rwxp 00000000 00:00 0                          [stack:15747]
7f3237218000-7f3237a18000 rwxp 00000000 00:00 0                          [stack:15746]
7f3237a19000-7f3238219000 rwxp 00000000 00:00 0                          [stack:15745]
7f323821a000-7f3238a1a000 rwxp 00000000 00:00 0                          [stack:15744]
7f3238a1b000-7f325b1aa000 rwxp 00000000 00:00 0                          [stack:15743]
7f325b1ad000-7f3277784000 rwxp 00000000 00:00 0 
7f32779fc000-7f32779fd000 rwxp 00078000 fd:01 33597402                   /usr/lib64/libfreebl3.so
7f32779fd000-7f3277a01000 rwxp 00000000 00:00 0 
7f3277dbb000-7f3277dbd000 rwxp 001ba000 fd:01 33597438                   /usr/lib64/libc-2.17.so
7f3277dbd000-7f3277dc2000 rwxp 00000000 00:00 0 
7f3277fd7000-7f3277fd8000 rwxp 00015000 fd:01 33595529                   /usr/lib64/libgcc_s-4.8.2-20140120.so.1
7f32782d9000-7f32782da000 rwxp 00101000 fd:01 33697606                   /usr/lib64/libm-2.17.so
7f32785ca000-7f32785cc000 rwxp 000f0000 fd:01 33697644                   /usr/lib64/libstdc++.so.6.0.19
7f32785cc000-7f32785e1000 rwxp 00000000 00:00 0 
7f32787e4000-7f32787e5000 rwxp 00003000 fd:01 33697604                   /usr/lib64/libdl-2.17.so
7f32789ed000-7f32789ee000 rwxp 00008000 fd:01 33697602                   /usr/lib64/libcrypt-2.17.so
7f32789ee000-7f3278a1c000 rwxp 00000000 00:00 0 
7f3278c1d000-7f3278c1e000 rwxp 00001000 fd:01 34511929                   /usr/lib64/libaio.so.1.0.1
7f3278e35000-7f3278e36000 rwxp 00017000 fd:01 37305132                   /usr/lib64/libpthread-2.17.so
7f3278e36000-7f3278e3a000 rwxp 00000000 00:00 0 
7f3278e6d000-7f327904e000 rwxp 00000000 00:00 0 
7f3279059000-7f327905a000 rwxp 00000000 00:00 0 
7f327905b000-7f327905c000 rwxp 00021000 fd:01 33597430                   /usr/lib64/ld-2.17.so
7f327905c000-7f327905d000 rwxp 00000000 00:00 0 
7fffc84a3000-7fffc84c4000 rwxp 00000000 00:00 0                          [stack]

Other notes
====================================================
The following strace fragment shows mapping of an RWXP segment:

mysqld.strc.12877:mmap(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f4abf539000
mysqld.strc.12877:mprotect(0x7f4abf539000, 4096, PROT_NONE) = 0
mysqld.strc.12877-clone(child_stack=0x7f4abfd38fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f4abfd399d0, tls=0x7f4abfd39700, child_tidptr=0x7f4abfd399d0) = 12878
--
mysqld.strc.12878:madvise(0x7f4abf539000, 8368128, MADV_DONTNEED) = 0
mysqld.strc.12878-munmap(0x7f4aba52f000, 8392704)         = 0
--
mysqld.strc.12885:munmap(0x7f4abf539000, 8392704)         = 0
mysqld.strc.12885-_exit(0)                                = ?

Tracing with gdb indicates that at least some of the rwxp mmap calls are being made by allocate_stack() in the process of creating threads.

How to repeat:
# Upgrade/install mysql 5.6.23
yum -y update mysql-community-server

# Ensure SELinux is in enforcing mode
setenforce 1

# Start mysqld
systemctl start mysqld

# Observe that mysqld fails to start, check the audit log
grep 'denied' /var/log/audit/audit.log
> type=AVC msg=audit(1423995414.836:680): avc:  denied  { execmem } for  pid=15742 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process

# Put SELinux in permissive mode
setenforce 0

# Restart mysqld
systemctl stop mysqld
systemctl start mysqld
> mysqld starts as expected, but an execmem AVC is still logged, also the process map contains many rwxp segments
# cat /proc/15742/maps 
00400000-00fa4000 r-xp 00000000 fd:01 35211750                           /usr/sbin/mysqld
011a3000-01249000 r-xp 00ba3000 fd:01 35211750                           /usr/sbin/mysqld
01249000-01349000 rwxp 00c49000 fd:01 35211750                           /usr/sbin/mysqld
01349000-0139c000 rwxp 00000000 00:00 0 
02e6d000-04640000 rwxp 00000000 00:00 0                                  [heap]
7f320c000000-7f320c021000 rwxp 00000000 00:00 0 
7f320c021000-7f3210000000 ---p 00000000 00:00 0 
7f3214000000-7f3214021000 rwxp 00000000 00:00 0 
7f3214021000-7f3218000000 ---p 00000000 00:00 0 
7f3218000000-7f321b050000 rwxp 00000000 00:00 0 
7f321b050000-7f321c000000 ---p 00000000 00:00 0 
7f321c000000-7f321c021000 rwxp 00000000 00:00 0 
7f321c021000-7f3220000000 ---p 00000000 00:00 0 
7f3220000000-7f3220021000 rwxp 00000000 00:00 0 
7f3220021000-7f3224000000 ---p 00000000 00:00 0 
7f3224000000-7f3224021000 rwxp 00000000 00:00 0 
7f3224021000-7f3228000000 ---p 00000000 00:00 0 
7f322a97d000-7f322a993000 r-xp 00000000 fd:01 37305134                   /usr/lib64/libresolv-2.17.so
7f322a993000-7f322ab93000 ---p 00016000 fd:01 37305134                   /usr/lib64/libresolv-2.17.so
7f322ab93000-7f322ab94000 r-xp 00016000 fd:01 37305134                   /usr/lib64/libresolv-2.17.so
7f322ab94000-7f322ab95000 rwxp 00017000 fd:01 37305134                   /usr/lib64/libresolv-2.17.so
7f322ab95000-7f322ab97000 rwxp 00000000 00:00 0 
7f322ab97000-7f322ab9c000 r-xp 00000000 fd:01 33697614                   /usr/lib64/libnss_dns-2.17.so
7f322ab9c000-7f322ad9b000 ---p 00005000 fd:01 33697614                   /usr/lib64/libnss_dns-2.17.so
7f322ad9b000-7f322ad9c000 r-xp 00004000 fd:01 33697614                   /usr/lib64/libnss_dns-2.17.so
7f322ad9c000-7f322ad9d000 rwxp 00005000 fd:01 33697614                   /usr/lib64/libnss_dns-2.17.so
7f322ad9d000-7f322adfc000 r-xp 00000000 fd:01 33735423                   /usr/lib64/libpcre.so.1.2.0
7f322adfc000-7f322affc000 ---p 0005f000 fd:01 33735423                   /usr/lib64/libpcre.so.1.2.0
7f322affc000-7f322affd000 r-xp 0005f000 fd:01 33735423                   /usr/lib64/libpcre.so.1.2.0
7f322affd000-7f322affe000 rwxp 00060000 fd:01 33735423                   /usr/lib64/libpcre.so.1.2.0
7f322affe000-7f322afff000 ---p 00000000 00:00 0 
7f322afff000-7f322b7ff000 rwxp 00000000 00:00 0                          [stack:15768]
7f322b7ff000-7f322b800000 ---p 00000000 00:00 0 
7f322b800000-7f322c000000 rwxp 00000000 00:00 0                          [stack:15767]
7f322c000000-7f322c114000 rwxp 00000000 00:00 0 
7f322c114000-7f3230000000 ---p 00000000 00:00 0 
7f32300ac000-7f32300ad000 ---p 00000000 00:00 0 
7f32300ad000-7f32300ed000 rwxp 00000000 00:00 0                          [stack:15773]
7f32300ed000-7f32300ee000 ---p 00000000 00:00 0 
7f32300ee000-7f323012e000 rwxp 00000000 00:00 0                          [stack:15771]
7f323012e000-7f323012f000 ---p 00000000 00:00 0 
7f323012f000-7f323016f000 rwxp 00000000 00:00 0                          [stack:15770]
7f323016f000-7f3230175000 r-xp 00000000 fd:01 1691546                    /usr/lib64/mysql/plugin/lib_mysqludf_preg.so
7f3230175000-7f3230374000 ---p 00006000 fd:01 1691546                    /usr/lib64/mysql/plugin/lib_mysqludf_preg.so
7f3230374000-7f3230375000 r-xp 00005000 fd:01 1691546                    /usr/lib64/mysql/plugin/lib_mysqludf_preg.so
7f3230375000-7f3230376000 rwxp 00006000 fd:01 1691546                    /usr/lib64/mysql/plugin/lib_mysqludf_preg.so
7f3230376000-7f3230377000 ---p 00000000 00:00 0 
7f3230377000-7f3230b77000 rwxp 00000000 00:00 0                          [stack:15766]
7f3230b77000-7f3230b78000 ---p 00000000 00:00 0 
7f3230b78000-7f3231378000 rwxp 00000000 00:00 0                          [stack:15765]
7f3231378000-7f3231379000 ---p 00000000 00:00 0 
7f3231379000-7f3231b79000 rwxp 00000000 00:00 0                          [stack:15764]
7f3231b79000-7f3231b7a000 ---p 00000000 00:00 0 
7f3231b7a000-7f323237a000 rwxp 00000000 00:00 0                          [stack:15762]
7f323237a000-7f323237b000 ---p 00000000 00:00 0 
7f323237b000-7f3232b7b000 rwxp 00000000 00:00 0                          [stack:15761]
7f3232b7b000-7f3232b7c000 ---p 00000000 00:00 0 
7f3232b7c000-7f323379f000 rwxp 00000000 00:00 0                          [stack:15760]
7f32337b8000-7f32337b9000 ---p 00000000 00:00 0 
7f32337b9000-7f32337f9000 rwxp 00000000 00:00 0                          [stack:15769]
7f32337f9000-7f3233804000 r-xp 00000000 fd:01 33697616                   /usr/lib64/libnss_files-2.17.so
7f3233804000-7f3233a03000 ---p 0000b000 fd:01 33697616                   /usr/lib64/libnss_files-2.17.so
7f3233a03000-7f3233a04000 r-xp 0000a000 fd:01 33697616                   /usr/lib64/libnss_files-2.17.so
7f3233a04000-7f3233a05000 rwxp 0000b000 fd:01 33697616                   /usr/lib64/libnss_files-2.17.so
7f3233a0f000-7f3233a10000 rwxp 00000000 00:00 0 
7f3233a10000-7f3233a11000 ---p 00000000 00:00 0 
7f3233a11000-7f3234211000 rwxp 00000000 00:00 0                          [stack:15763]
7f3234211000-7f3234212000 ---p 00000000 00:00 0 
7f3234212000-7f3234a12000 rwxp 00000000 00:00 0                          [stack:15752]
7f3234a12000-7f3234a13000 ---p 00000000 00:00 0 
7f3234a13000-7f3235213000 rwxp 00000000 00:00 0                          [stack:15751]
7f3235213000-7f3235214000 ---p 00000000 00:00 0 
7f3235214000-7f3235a14000 rwxp 00000000 00:00 0                          [stack:15750]
7f3235a14000-7f3235a15000 ---p 00000000 00:00 0 
7f3235a15000-7f3236215000 rwxp 00000000 00:00 0                          [stack:15749]
7f3236215000-7f3236216000 ---p 00000000 00:00 0 
7f3236216000-7f3236a16000 rwxp 00000000 00:00 0                          [stack:15748]
7f3236a16000-7f3236a17000 ---p 00000000 00:00 0 
7f3236a17000-7f3237217000 rwxp 00000000 00:00 0                          [stack:15747]
7f3237217000-7f3237218000 ---p 00000000 00:00 0 
7f3237218000-7f3237a18000 rwxp 00000000 00:00 0                          [stack:15746]
7f3237a18000-7f3237a19000 ---p 00000000 00:00 0 
7f3237a19000-7f3238219000 rwxp 00000000 00:00 0                          [stack:15745]
7f3238219000-7f323821a000 ---p 00000000 00:00 0 
7f323821a000-7f3238a1a000 rwxp 00000000 00:00 0                          [stack:15744]
7f3238a1a000-7f3238a1b000 ---p 00000000 00:00 0 
7f3238a1b000-7f325b1aa000 rwxp 00000000 00:00 0                          [stack:15743]
7f325b1aa000-7f325b1ad000 rwxs 00000000 00:0a 106166                     /[aio] (deleted)
7f325b1ad000-7f3277784000 rwxp 00000000 00:00 0 
7f3277784000-7f32777fb000 r-xp 00000000 fd:01 33597402                   /usr/lib64/libfreebl3.so
7f32777fb000-7f32779fa000 ---p 00077000 fd:01 33597402                   /usr/lib64/libfreebl3.so
7f32779fa000-7f32779fc000 r-xp 00076000 fd:01 33597402                   /usr/lib64/libfreebl3.so
7f32779fc000-7f32779fd000 rwxp 00078000 fd:01 33597402                   /usr/lib64/libfreebl3.so
7f32779fd000-7f3277a01000 rwxp 00000000 00:00 0 
7f3277a01000-7f3277bb7000 r-xp 00000000 fd:01 33597438                   /usr/lib64/libc-2.17.so
7f3277bb7000-7f3277db7000 ---p 001b6000 fd:01 33597438                   /usr/lib64/libc-2.17.so
7f3277db7000-7f3277dbb000 r-xp 001b6000 fd:01 33597438                   /usr/lib64/libc-2.17.so
7f3277dbb000-7f3277dbd000 rwxp 001ba000 fd:01 33597438                   /usr/lib64/libc-2.17.so
7f3277dbd000-7f3277dc2000 rwxp 00000000 00:00 0 
7f3277dc2000-7f3277dd7000 r-xp 00000000 fd:01 33595529                   /usr/lib64/libgcc_s-4.8.2-20140120.so.1
7f3277dd7000-7f3277fd6000 ---p 00015000 fd:01 33595529                   /usr/lib64/libgcc_s-4.8.2-20140120.so.1
7f3277fd6000-7f3277fd7000 r-xp 00014000 fd:01 33595529                   /usr/lib64/libgcc_s-4.8.2-20140120.so.1
7f3277fd7000-7f3277fd8000 rwxp 00015000 fd:01 33595529                   /usr/lib64/libgcc_s-4.8.2-20140120.so.1
7f3277fd8000-7f32780d9000 r-xp 00000000 fd:01 33697606                   /usr/lib64/libm-2.17.so
7f32780d9000-7f32782d8000 ---p 00101000 fd:01 33697606                   /usr/lib64/libm-2.17.so
7f32782d8000-7f32782d9000 r-xp 00100000 fd:01 33697606                   /usr/lib64/libm-2.17.so
7f32782d9000-7f32782da000 rwxp 00101000 fd:01 33697606                   /usr/lib64/libm-2.17.so
7f32782da000-7f32783c3000 r-xp 00000000 fd:01 33697644                   /usr/lib64/libstdc++.so.6.0.19
7f32783c3000-7f32785c2000 ---p 000e9000 fd:01 33697644                   /usr/lib64/libstdc++.so.6.0.19
7f32785c2000-7f32785ca000 r-xp 000e8000 fd:01 33697644                   /usr/lib64/libstdc++.so.6.0.19
7f32785ca000-7f32785cc000 rwxp 000f0000 fd:01 33697644                   /usr/lib64/libstdc++.so.6.0.19
7f32785cc000-7f32785e1000 rwxp 00000000 00:00 0 
7f32785e1000-7f32785e4000 r-xp 00000000 fd:01 33697604                   /usr/lib64/libdl-2.17.so
7f32785e4000-7f32787e3000 ---p 00003000 fd:01 33697604                   /usr/lib64/libdl-2.17.so
7f32787e3000-7f32787e4000 r-xp 00002000 fd:01 33697604                   /usr/lib64/libdl-2.17.so
7f32787e4000-7f32787e5000 rwxp 00003000 fd:01 33697604                   /usr/lib64/libdl-2.17.so
7f32787e5000-7f32787ed000 r-xp 00000000 fd:01 33697602                   /usr/lib64/libcrypt-2.17.so
7f32787ed000-7f32789ec000 ---p 00008000 fd:01 33697602                   /usr/lib64/libcrypt-2.17.so
7f32789ec000-7f32789ed000 r-xp 00007000 fd:01 33697602                   /usr/lib64/libcrypt-2.17.so
7f32789ed000-7f32789ee000 rwxp 00008000 fd:01 33697602                   /usr/lib64/libcrypt-2.17.so
7f32789ee000-7f3278a1c000 rwxp 00000000 00:00 0 
7f3278a1c000-7f3278a1d000 r-xp 00000000 fd:01 34511929                   /usr/lib64/libaio.so.1.0.1
7f3278a1d000-7f3278c1c000 ---p 00001000 fd:01 34511929                   /usr/lib64/libaio.so.1.0.1
7f3278c1c000-7f3278c1d000 r-xp 00000000 fd:01 34511929                   /usr/lib64/libaio.so.1.0.1
7f3278c1d000-7f3278c1e000 rwxp 00001000 fd:01 34511929                   /usr/lib64/libaio.so.1.0.1
7f3278c1e000-7f3278c34000 r-xp 00000000 fd:01 37305132                   /usr/lib64/libpthread-2.17.so
7f3278c34000-7f3278e34000 ---p 00016000 fd:01 37305132                   /usr/lib64/libpthread-2.17.so
7f3278e34000-7f3278e35000 r-xp 00016000 fd:01 37305132                   /usr/lib64/libpthread-2.17.so
7f3278e35000-7f3278e36000 rwxp 00017000 fd:01 37305132                   /usr/lib64/libpthread-2.17.so
7f3278e36000-7f3278e3a000 rwxp 00000000 00:00 0 
7f3278e3a000-7f3278e5b000 r-xp 00000000 fd:01 33597430                   /usr/lib64/ld-2.17.so
7f3278e5b000-7f3278e5e000 rwxs 00000000 00:0a 106165                     /[aio] (deleted)
7f3278e5e000-7f3278e61000 rwxs 00000000 00:0a 106164                     /[aio] (deleted)
7f3278e61000-7f3278e64000 rwxs 00000000 00:0a 106163                     /[aio] (deleted)
7f3278e64000-7f3278e67000 rwxs 00000000 00:0a 106162                     /[aio] (deleted)
7f3278e67000-7f3278e6a000 rwxs 00000000 00:0a 106161                     /[aio] (deleted)
7f3278e6a000-7f3278e6d000 rwxs 00000000 00:0a 106160                     /[aio] (deleted)
7f3278e6d000-7f327904e000 rwxp 00000000 00:00 0 
7f327904e000-7f327904f000 rwxs 00000000 00:0a 106167                     /[aio] (deleted)
7f327904f000-7f3279052000 rwxs 00000000 00:0a 106159                     /[aio] (deleted)
7f3279052000-7f3279055000 rwxs 00000000 00:0a 106158                     /[aio] (deleted)
7f3279055000-7f3279058000 rwxs 00000000 00:0a 106157                     /[aio] (deleted)
7f3279058000-7f3279059000 rwxs 00000000 00:0a 106155                     /[aio] (deleted)
7f3279059000-7f327905a000 rwxp 00000000 00:00 0 
7f327905a000-7f327905b000 r-xp 00020000 fd:01 33597430                   /usr/lib64/ld-2.17.so
7f327905b000-7f327905c000 rwxp 00021000 fd:01 33597430                   /usr/lib64/ld-2.17.so
7f327905c000-7f327905d000 rwxp 00000000 00:00 0 
7fffc84a3000-7fffc84c4000 rwxp 00000000 00:00 0                          [stack]
7fffc85fe000-7fffc8600000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Suggested fix:
Don't mark the stack as executable, it appears that most (all?) of the rwxp segments are a consequence of the GNU_STACK section being marked as executable (RWE)
[16 Feb 2015 7:56] Terje Røsten 
Hi Travers,

thanks for your report.

Issue has been verified and we are working on a fix.
[18 Feb 2015 17:45] Terje Røsten 
Hi,

updated package set which fixes this issue has been pushed to MySQL Repository.

To verify update to package mysql-community-server-5.6.23-3.

Thanks again for reporting this issue!
[19 Feb 2015 2:20] Travers Carter 
I have upgraded and verified that mysqld (mysql-community-server-5.6.23-3) starts with selinux in enforcing mode, and no rwxp mappings are present in /proc/PID/maps

Thanks for the quick resolution.
[26 Feb 2015 9:04] Terje Røsten 
Posted by developer:
 
New build fixes issue.