[MDEV-10160] enabled cracklib plugin blocks all password changes with SELINUX=enforcing - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1.14, 10.1(EOL)
Fix Version/s: N/A
Component/s: Admin statements, Authentication and Privilege System, Documentation
Labels:
None
Environment:
linux with SELINUX=enforcing

Description

When using default settings cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile mysqdl doesn't have access to that directory though.

Workarounds:

add additional access rules:

    semanage fcontext -a -t mysqld_etc_t  "/usr/share/cracklib(/.*)?"

    restorecon -Rv /usr/share/cracklib

or copy cracklib dictionary to mysqld datadir and set cracklib_password_check_dictionary accordingly

Attachments

Issue Links

relates to

MDEV-18374 SELinux breaks cracklib_password_check plugin

Closed

Activity

Ascending order - Click to sort in descending order

Hartmut Holzgraefe created issue - 2016-05-31 17:06

Sergei Golubchik made changes - 2016-05-31 17:15

Field	Original Value	New Value
Component/s		Documentation [ 10903 ]

Sergei Golubchik made changes - 2016-05-31 17:15

Fix Version/s

N/A [ 14700 ]

Sergei Golubchik made changes - 2016-05-31 17:15

Assignee

Ian Gilfillan [ greenman ]

Elena Stepanova added a comment - 2016-05-31 17:16

I'm not sure how it should be fixed. By not reading the passwords?
Assigning to serg for consideration.

Elena Stepanova added a comment - 2016-05-31 17:16 I'm not sure how it should be fixed. By not reading the passwords? Assigning to serg for consideration.

Elena Stepanova made changes - 2016-05-31 17:16

Component/s	Documentation [ 10903 ]
Fix Version/s		10.1 [ 16100 ]
Fix Version/s	N/A [ 14700 ]
Affects Version/s		10.1 [ 16100 ]
Assignee	Ian Gilfillan [ greenman ]	Sergei Golubchik [ serg ]

Sergei Golubchik made changes - 2016-05-31 17:16

Description

When using default settings cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile mysqdl doesn't have access to that directory though.

Workarounds:

* add additional access rules:

semanage fcontext -a -t mysqld_etc_t "/usr/share/cracklib(/.*)?"
restorecon -Rv /usr/share/cracklib

* or copy cracklib dictionary to mysqld datadir and set cracklib_password_check_dictionary accordingly

When using default settings cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile mysqdl doesn't have access to that directory though.

Workarounds:

* add additional access rules:
{code:bash}
semanage fcontext -a -t mysqld_etc_t "/usr/share/cracklib(/.*)?"
restorecon -Rv /usr/share/cracklib
{code}
* or copy cracklib dictionary to mysqld datadir and set cracklib_password_check_dictionary accordingly

Sergei Golubchik made changes - 2016-05-31 17:16

Assignee

Sergei Golubchik [ serg ]

Ian Gilfillan [ greenman ]

Sergei Golubchik made changes - 2016-05-31 17:16

Component/s

Documentation [ 10903 ]

Sergei Golubchik made changes - 2016-05-31 17:16

Fix Version/s		N/A [ 14700 ]
Fix Version/s	10.1 [ 16100 ]

Ian Gilfillan added a comment - 2016-08-08 09:27

Documentation updated

Ian Gilfillan added a comment - 2016-08-08 09:27 Documentation updated

Ian Gilfillan made changes - 2016-08-08 09:27

Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Closed [ 6 ]

Hartmut Holzgraefe added a comment - 2016-08-08 11:48

Unfortunately the semanage/restorecon approach doesn't work as intended, it takes away permissions on the password list files from cracklib itself and so e.g. breaks PAM ...

I'll update the KB page accordingly ...

Hartmut Holzgraefe added a comment - 2016-08-08 11:48 Unfortunately the semanage/restorecon approach doesn't work as intended, it takes away permissions on the password list files from cracklib itself and so e.g. breaks PAM ... I'll update the KB page accordingly ...

Geoff Montee (Inactive) made changes - 2019-01-25 01:39

Link

This issue relates to ~~MDEV-18374~~ [ ~~MDEV-18374~~ ]

Geoff Montee (Inactive) added a comment - 2019-01-25 01:42

This can probably be fixed by adding an SELinux policy to the cracklib_password_check packages. See ~~MDEV-18374~~ about that.

Geoff Montee (Inactive) added a comment - 2019-01-25 01:42 This can probably be fixed by adding an SELinux policy to the cracklib_password_check packages. See MDEV-18374 about that.

Geoff Montee (Inactive) made changes - 2019-01-25 09:47

Link

This issue relates to CDOC-2 [ CDOC-2 ]

Sergei Golubchik made changes - 2021-12-06 21:43

Workflow

MariaDB v3 [ 75852 ]

MariaDB v4 [ 150474 ]

People

Assignee:: Ian Gilfillan

Reporter:: Hartmut Holzgraefe

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2016-05-31 17:06

Updated:: 2019-01-25 09:47

Resolved:: 2016-08-08 09:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration