  • /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1) (repost)

    From: https://www.rootusers.com/how-to-fix-mariadb-10-0-29-selinux-update-failure/

    After installing mysql 10.0.29, the mysql service fails to start:

    [root@server centos]# systemctl status mysql
    ● mysql.service - LSB: start and stop MySQL
       Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
       Active: failed (Result: exit-code) since Sat 2017-01-14 10:17:09 UTC; 4s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 14010 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS)
      Process: 14016 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=1/FAILURE)
    
    Jan 14 10:17:08 server systemd[1]: Starting LSB: start and stop MySQL...
    Jan 14 10:17:08 server mysql[14016]: Starting MySQL.170114 10:17:08 mysqld_safe Logging to '/var/lib/mysql/server.err'.
    Jan 14 10:17:08 server mysql[14016]: 170114 10:17:08 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
    Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)
    Jan 14 10:17:09 server mysql[14016]: ERROR!
    Jan 14 10:17:09 server systemd[1]: mysql.service: control process exited, code=exited status=1
    Jan 14 10:17:09 server systemd[1]: Failed to start LSB: start and stop MySQL.
    Jan 14 10:17:09 server systemd[1]: Unit mysql.service entered failed state.
    Jan 14 10:17:09 server systemd[1]: mysql.service failed.

    As shown, the mysql service is down. The error shows that mysqld_safe_helper tried to change its UID/GID:

    Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)

    Following up on the error message, run journalctl -xe:

    [root@server mysql]# journalctl -xe
    Jan 14 10:21:38 server setroubleshoot[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability. For complete SELinux messages. run sealert -l 640a7d54-35ab-43b5-9267-db6f159e1449
    Jan 14 10:21:38 server python[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.
    
                            *****  Plugin catchall (100. confidence) suggests   **************************
    
                            If you believe that mysqld_safe_helper should have the setgid capability by default.
                            Then you should report this as a bug.
                            You can generate a local policy module to allow this access.
                            Do
                            allow this access for now by executing:
                            # ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
                            # semodule -i my-mysqldsafehel.pp

    The log above shows that SELinux blocked the action of mysqld_safe_helper, so the mysql service failed to start because of an SELinux permission problem.

    To get more information, run the following command:

    [root@server mysql]# sealert -a /var/log/audit/audit.log
    SELinux is preventing /usr/bin/mysqld_safe_helper from using the setuid capability.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that mysqld_safe_helper should have the setuid capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
    # semodule -i my-mysqldsafehel.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:mysqld_safe_t:s0
    Target Context                system_u:system_r:mysqld_safe_t:s0
    Target Objects                Unknown [ capability ]
    Source                        mysqld_safe_hel
    Source Path                   /usr/bin/mysqld_safe_helper
    Port                          
    Host                          
    Source RPM Packages           MariaDB-server-10.0.29-1.el7.centos.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     server
    Platform                      Linux server
                                  3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6
                                  23:06:41 UTC 2016 x86_64 x86_64
    Alert Count                   3
    First Seen                    2017-01-14 10:23:22 UTC
    Last Seen                     2017-01-14 10:23:22 UTC
    Local ID                      f3462d4b-ed6b-4e94-9495-7ab0970c0af0
    
    Raw Audit Messages
    type=AVC msg=audit(1484389402.769:6203): avc:  denied  { setuid } for  pid=14718 comm="mysqld_safe_hel" capability=7  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
    
    
    type=SYSCALL msg=audit(1484389402.769:6203): arch=x86_64 syscall=setuid success=no exit=EPERM a0=3e4 a1=3e4 a2=7f2c90e772e0 a3=7f2c90e772e0 items=0 ppid=14640 pid=14718 auid=4294967295 uid=0 gid=994 euid=0 suid=0 fsuid=0 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=mysqld_safe_hel exe=/usr/bin/mysqld_safe_helper subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
    
    Hash: mysqld_safe_hel,mysqld_safe_t,mysqld_safe_t,capability,setuid

    Following the suggestion above, run the suggested commands to create a local policy:

    ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
    semodule -i my-mysqldsafehel.pp

    Start the mysql service again; it still fails. The error message is still about SELinux:

    SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.

    Follow the same steps again and run the suggested commands. Then restart the mysql service once more:

    [root@server ~]# systemctl restart mysql
    [root@server ~]# systemctl status mysql.service -l
    ● mysql.service - LSB: start and stop MySQL
       Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
       Active: active (running) since Sat 2017-01-14 10:24:03 UTC; 29min ago

    Of course, the problem can also be worked around by temporarily turning off SELinux enforcement with the following command:

    setenforce 0

    However, for a permanent fix that keeps the system secure, it is still recommended to resolve the service startup failure by adding an SELinux policy.
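
    The local policy approach is only as safe as the rules the generated module contains, so it helps to know what to expect in it before loading it. The following is an added example, not part of the original article: it parses AVC denial records in the format shown above and derives the allow rules that cover them, then compares them with an approved set. The function names (`allow_rules`, `unreviewed`) are hypothetical, and the setgid and httpd records in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input. Record 1 is the setuid denial shown on this page;
# record 2 is a setgid denial constructed in the same format (the page shows
# only its setroubleshoot summary); record 3 is an unrelated constructed denial.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1484389402.769:6203): avc:  denied  { setuid } for  pid=14718 comm="mysqld_safe_hel" capability=7  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1484389298.100:6150): avc:  denied  { setgid } for  pid=14700 comm="mysqld_safe_hel" capability=6  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1484389500.000:6300): avc:  denied  { read } for  pid=15000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
'''

# comm is truncated by the kernel to 15 characters, hence "mysqld_safe_hel".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type:level -> type (the level part may itself contain ':')."""
    return context.split(":")[2]


def allow_rules(audit_text, comm):
    """Return the allow rules that cover every denial logged for `comm`."""
    perms = defaultdict(set)
    for m in AVC_RE.finditer(audit_text):
        if m["comm"] != comm:
            continue  # same filter as `ausearch -c <comm>`
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        key = (src, "self" if src == tgt else tgt, m["tclass"])
        perms[key].update(m["perms"].split())
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


def unreviewed(rules, approved):
    """Rules a module would add beyond the set someone has signed off on."""
    return [r for r in rules if r not in approved]


if __name__ == "__main__":
    approved = {"allow mysqld_safe_t self:capability { setgid setuid };"}
    rules = allow_rules(SAMPLE_AUDIT, "mysqld_safe_hel")
    print("\n".join(rules))
    print("not approved:", unreviewed(rules, approved))
```

    `audit2allow -M my-mysqldsafehel` writes a `my-mysqldsafehel.te` source file next to the `.pp`; reading its allow lines against the expected rule before running `semodule -i` confirms the module grants nothing beyond the two capabilities.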

  • Original article: https://www.cnblogs.com/xiaoerlang/p/6668176.html