Bug #92258 SELinux is preventing mysqld from using the 'sys_nice' capabilities.
Submitted: 31 Aug 2018 11:38 Modified: 22 Dec 2018 10:10
Reporter: Aljosha Papsch Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Installing Severity:S3 (Non-critical)
Version:8.0 OS:Fedora
Assigned to: CPU Architecture:Any

[31 Aug 2018 11:38] Aljosha Papsch
Description:
Mysqld from the official YUM repository cannot use the sys_nice capability due to SELinux policy on Fedora 28.

Additional Information:
Source Context                system_u:system_r:mysqld_t:s0
Target Context                system_u:system_r:mysqld_t:s0
Target Objects                Unknown [ capability ]
Source                        mysqld
Source Path                   mysqld
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.17.17-200.fc28.x86_64 #1 SMP Mon
                              Aug 20 15:56:07 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-08-31 13:25:10 CEST
Last Seen                     2018-08-31 13:25:10 CEST
Local ID                      8360888f-91ce-4688-8fe2-cc4994626f18

Raw Audit Messages
type=AVC msg=audit(1535714710.516:326): avc:  denied  { sys_nice } for  pid=6006 comm="mysqld" capability=23  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0

Hash: mysqld,mysqld_t,mysqld_t,capability,sys_nice

How to repeat:
Install mysqld as per the instructions on https://dev.mysql.com/doc/refman/8.0/en/linux-installation-yum-repo.html. As soon as mysqld is started, the SELinux troubleshoot notification pops up.
[2 Sep 2018 9:36] Terje Røsten
Hi!

Thanks for your report!

Indeed this is an issue, unsure if we want to lift this for all users
in default install, however at least it should be documented in ref. man 
in the Resource Group article.
[19 Nov 2018 9:15] Terje Røsten
hi!

This is now resolved in Fedora itself. 

Install of package mysql-selinux and problem should be fixed:

 https://src.fedoraproject.org/rpms/mysql-selinux

https://src.fedoraproject.org/rpms/mysql-selinux/c/9be4c4cb848282c0ea46d3ddf05f4274d0152eb...

https://github.com/kubco2/mysql-selinux/blob/master/mysql.te#L192

Could you please verify this?
[20 Dec 2018 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[21 Dec 2018 14:29] Aljosha Papsch
I tried installation and start of mysqld 8 on a fresh Fedora 29 instance and it worked just fine. Thank you!
[22 Dec 2018 10:10] Terje Røsten
Issue verified to be fixed by change in selinux policy in Linux distribution.
[8 Jan 2019 13:57] Paul DuBois
Posted by developer:
 
This is now fixed, but not by any change on the MySQL side. The problem was an issue in upstream SELinux policy and has been fixed there.