Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-10160

enabled cracklib plugin blocks all password changes with SELINUX=enforcing

Details

    Description

      When using default settings cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile mysqdl doesn't have access to that directory though.

      Workarounds:

      • add additional access rules: 

            semanage fcontext -a -t mysqld_etc_t  "/usr/share/cracklib(/.*)?"
        		 
            restorecon -Rv /usr/share/cracklib

      • or copy cracklib dictionary to mysqld datadir and set cracklib_password_check_dictionary accordingly

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-18374 SELinux breaks cracklib_password_check plugin

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            elenst Elena Stepanova added a comment -

            I'm not sure how it should be fixed. By not reading the passwords?
            Assigning to serg for consideration.

            elenst Elena Stepanova added a comment - I'm not sure how it should be fixed. By not reading the passwords? Assigning to serg for consideration.
            greenman Ian Gilfillan added a comment -

            Documentation updated

            greenman Ian Gilfillan added a comment - Documentation updated
            hholzgra Hartmut Holzgraefe added a comment -

            Unfortunately the semanage/restorecon approach doesn't work as intended, it takes away permissions on the password list files from cracklib itself and so e.g. breaks PAM ...

            I'll update the KB page accordingly ...

            hholzgra Hartmut Holzgraefe added a comment - Unfortunately the semanage/restorecon approach doesn't work as intended, it takes away permissions on the password list files from cracklib itself and so e.g. breaks PAM ... I'll update the KB page accordingly ...
            GeoffMontee Geoff Montee (Inactive) added a comment -

            This can probably be fixed by adding an SELinux policy to the cracklib_password_check packages. See MDEV-18374 about that.

            GeoffMontee Geoff Montee (Inactive) added a comment - This can probably be fixed by adding an SELinux policy to the cracklib_password_check packages. See MDEV-18374 about that.

            People

              greenman Ian Gilfillan
              hholzgra Hartmut Holzgraefe
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.