/usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1) (repost)
From: https://www.rootusers.com/how-to-fix-mariadb-10-0-29-selinux-update-failure/
After installing MySQL 10.0.29, the mysql service fails to start:
[root@server centos]# systemctl status mysql
● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2017-01-14 10:17:09 UTC; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 14010 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS)
  Process: 14016 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=1/FAILURE)

Jan 14 10:17:08 server systemd[1]: Starting LSB: start and stop MySQL...
Jan 14 10:17:08 server mysql[14016]: Starting MySQL.170114 10:17:08 mysqld_safe Logging to '/var/lib/mysql/server.err'.
Jan 14 10:17:08 server mysql[14016]: 170114 10:17:08 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)
Jan 14 10:17:09 server mysql[14016]: ERROR!
Jan 14 10:17:09 server systemd[1]: mysql.service: control process exited, code=exited status=1
Jan 14 10:17:09 server systemd[1]: Failed to start LSB: start and stop MySQL.
Jan 14 10:17:09 server systemd[1]: Unit mysql.service entered failed state.
Jan 14 10:17:09 server systemd[1]: mysql.service failed.
As shown, the mysql service is down. The error indicates that mysqld_safe_helper tried to change its UID/GID:
Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)
Following the error message, run journalctl -xe:
[root@server mysql]# journalctl -xe
Jan 14 10:21:38 server setroubleshoot[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability. For complete SELinux messages. run sealert -l 640a7d54-35ab-43b5-9267-db6f159e1449
Jan 14 10:21:38 server python[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mysqld_safe_helper should have the setgid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
# semodule -i my-mysqldsafehel.pp
The log above shows that SELinux blocked the action by mysqld_safe_helper, so the mysql service fails to start because of an SELinux permission problem.
To get more information, run the following command:
[root@server mysql]# sealert -a /var/log/audit/audit.log
SELinux is preventing /usr/bin/mysqld_safe_helper from using the setuid capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mysqld_safe_helper should have the setuid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
# semodule -i my-mysqldsafehel.pp

Additional Information:
Source Context                system_u:system_r:mysqld_safe_t:s0
Target Context                system_u:system_r:mysqld_safe_t:s0
Target Objects                Unknown [ capability ]
Source                        mysqld_safe_hel
Source Path                   /usr/bin/mysqld_safe_helper
Port
Host
Source RPM Packages           MariaDB-server-10.0.29-1.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server
Platform                      Linux server 3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2017-01-14 10:23:22 UTC
Last Seen                     2017-01-14 10:23:22 UTC
Local ID                      f3462d4b-ed6b-4e94-9495-7ab0970c0af0

Raw Audit Messages
type=AVC msg=audit(1484389402.769:6203): avc: denied { setuid } for pid=14718 comm="mysqld_safe_hel" capability=7 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=SYSCALL msg=audit(1484389402.769:6203): arch=x86_64 syscall=setuid success=no exit=EPERM a0=3e4 a1=3e4 a2=7f2c90e772e0 a3=7f2c90e772e0 items=0 ppid=14640 pid=14718 auid=4294967295 uid=0 gid=994 euid=0 suid=0 fsuid=0 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=mysqld_safe_hel exe=/usr/bin/mysqld_safe_helper subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

Hash: mysqld_safe_hel,mysqld_safe_t,mysqld_safe_t,capability,setuid
Following the suggestion above, run the suggested commands to create a local policy:
ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
semodule -i my-mysqldsafehel.pp
Start the mysql service again; it still fails. The error message is again about SELinux:
SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.
Follow the same steps again and run the suggested commands. Then restart the mysql service once more:
[root@server ~]# systemctl restart mysql
[root@server ~]# systemctl status mysql.service -l
● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: active (running) since Sat 2017-01-14 10:24:03 UTC; 29min ago
Of course, the problem can also be worked around by temporarily turning off SELinux enforcement with the following command:
setenforce 0
However, for a permanent fix that also keeps the system secure, it is better to resolve the service startup failure by adding an SELinux policy.
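Before installing a module generated by audit2allow, it helps to see which rule it will add. The following is an added example, not part of the original article and not audit2allow's own code: a simplified Python parser that turns AVC denial records like the one above into the corresponding allow rules. The setgid record and its timestamp are constructed for illustration, the SYSCALL line is abbreviated, and denied_rules is a hypothetical helper name.

```python
import re
from collections import defaultdict

# First record is the AVC line shown on this page; the second (setgid) record
# is constructed for this example to mirror the later setgid denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484389402.769:6203): avc: denied { setuid } for pid=14718 comm="mysqld_safe_hel" capability=7 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1484389500.000:6300): avc: denied { setgid } for pid=14800 comm="mysqld_safe_hel" capability=6 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=SYSCALL msg=audit(1484389402.769:6203): arch=x86_64 syscall=setuid success=no exit=EPERM comm=mysqld_safe_hel
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def denied_rules(log_text, comm=None):
    """Return the allow rules that would cover every AVC denial in log_text.

    Permissions for the same (source, target, class) are merged into one
    rule; a target equal to the source domain is written as 'self'.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no rule data
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        src = selinux_type(m.group("scon"))
        tgt = selinux_type(m.group("tcon"))
        key = (src, "self" if src == tgt else tgt, m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in denied_rules(SAMPLE_AUDIT_LOG, comm="mysqld_safe_hel"):
        print(rule)
```

Both denials collapse into a single rule on the mysqld_safe_t domain itself, so the local policy grants only the setuid and setgid capabilities rather than relaxing SELinux system-wide.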