Bug #79458 unable to start server/create db when SELinux enabled with Enforcing
Submitted: 30 Nov 2015 14:53 Modified: 18 Dec 2015 18:39
Reporter: Ramana Yeruva Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Installing Severity:S3 (Non-critical)
Version:5.7.10 OS:Linux
Assigned to: Balasubramanian Kandasamy CPU Architecture:Any

[30 Nov 2015 14:53] Ramana Yeruva
Description:
unable to createdb or start server when SELinux enabled with Enforcing mode.

How to repeat:
enable SELinux with Enforcing mode and restart environment
now install 5.7 packages using yum and start service and observe it is failing
[root@viking50 ~]# getenforce
Enforcing

[root@viking50 rpms]# service mysqld start
Initializing MySQL database:                               [FAILED]
[root@viking50 rpms]# vi /var/log/mysqld.log
[root@viking50 rpms]# service mysqld stop
Stopping mysqld:                                           [  OK  ]
[root@viking50 rpms]# rm -rf /var/lib/mysql/*
[root@viking50 rpms]# service mysqld start
Initializing MySQL database:                               [FAILED]
[root@viking50 rpms]# vi /var/log/mysqld.log
[root@viking50 rpms]# service mysqld stop
Stopping mysqld:                                           [  OK  ]
[root@viking50 rpms]# rm -rf /var/lib/mysql/*
[root@viking50 rpms]# service mysqld start
Initializing MySQL database:                               [FAILED]
[root@viking50 rpms]# service mysqld stop
Stopping mysqld:                                           [  OK  ]
[root@viking50 rpms]# rm -rf /var/lib/mysql/*
[root@viking50 rpms]# rm -rf /var/lib/mysql
[root@viking50 rpms]# service mysqld start
Initializing MySQL database:                               [FAILED]

2015-11-30T14:32:17.983801Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-11-30T14:32:18.765728Z 0 [Warning] InnoDB: New log files created, LSN=45790
2015-11-30T14:32:18.901291Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2015-11-30T14:32:18.971404Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 29003e0d-976f-11e5-ae49-0021f6aaffb0.
2015-11-30T14:32:18.986536Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2015-11-30T14:32:18.989406Z 1 [Note] A temporary password is generated for root@localhost: q,t:5nk8Kilb
2015-11-30T14:32:21.197548Z 1 [ERROR] Failed to open the bootstrap file /var/lib/mysql-files/install-validate-password-plugin.M5NYOI.sql
2015-11-30T14:32:21.197569Z 1 [ERROR] 1105  Bootstrap file error, return code (0). Nearest query: 'LSE SET @sys.tmp.table_exists.SQL = CONCAT('SELECT COUNT(*) FROM `', in_db, '`.`', in_table, '`'); PREPARE stmt_select FROM @sys.tmp.table_exists.SQL; IF (NOT v_error) THEN DEALLOCATE PREPARE stmt_select; SET out_exists = 'TEMPORARY'; END IF; END IF; END;
'
2015-11-30T14:32:21.197692Z 0 [ERROR] Aborting
[17 Dec 2015 3:48] Balasubramanian Kandasamy
Thanks for the bug report. We have pushed the fix to mysql-5.7 and trunk.

Due to SELinux policy mysqld can't read init-file located elsewhere than
/var/lib/mysql. --initialize wants clean datadir.
    
Move installing of validate password plugin to after initialize
is done and use /var/lib/mysql as directory for init-file option.
    
Use of other directory than /var/lib/mysql caused SELinux to deny
access to file used as argument to --init-file. This broke initscript for
new installations
    
SELinux on Fedora don't accept access to /tmp for mysqld, use /var/tmp
instead.
[18 Dec 2015 18:39] Paul Dubois
Noted in 5.7.11 changelog.

On SELinux, mysqld --initialize with an --init-file option could fail
to initialize the data directory.