[MDEV-10160] enabled cracklib plugin blocks all password changes with SELINUX=enforcing - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1.14, 10.1(EOL)
Fix Version/s: N/A
Component/s: Admin statements, Authentication and Privilege System, Documentation
Labels:
None
Environment:
linux with SELINUX=enforcing

Description

When using default settings cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile mysqdl doesn't have access to that directory though.

Workarounds:

add additional access rules:

    semanage fcontext -a -t mysqld_etc_t  "/usr/share/cracklib(/.*)?"

    restorecon -Rv /usr/share/cracklib

or copy cracklib dictionary to mysqld datadir and set cracklib_password_check_dictionary accordingly

Attachments

Issue Links

relates to

MDEV-18374 SELinux breaks cracklib_password_check plugin

Closed

Activity

Ascending order - Click to sort in descending order

Hartmut Holzgraefe created issue - 2016-05-31 17:06

Sergei Golubchik made changes - 2016-05-31 17:15

Field	Original Value	New Value
Component/s		Documentation [ 10903 ]

Sergei Golubchik made changes - 2016-05-31 17:15

Fix Version/s

N/A [ 14700 ]

Sergei Golubchik made changes - 2016-05-31 17:15

Assignee

Ian Gilfillan [ greenman ]

Elena Stepanova made changes - 2016-05-31 17:16

Component/s	Documentation [ 10903 ]
Fix Version/s		10.1 [ 16100 ]
Fix Version/s	N/A [ 14700 ]
Affects Version/s		10.1 [ 16100 ]
Assignee	Ian Gilfillan [ greenman ]	Sergei Golubchik [ serg ]

Sergei Golubchik made changes - 2016-05-31 17:16

Description

When using default settings cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile mysqdl doesn't have access to that directory though.

Workarounds:

* add additional access rules:

semanage fcontext -a -t mysqld_etc_t "/usr/share/cracklib(/.*)?"
restorecon -Rv /usr/share/cracklib

* or copy cracklib dictionary to mysqld datadir and set cracklib_password_check_dictionary accordingly

When using default settings cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile mysqdl doesn't have access to that directory though.

Workarounds:

* add additional access rules:
{code:bash}
semanage fcontext -a -t mysqld_etc_t "/usr/share/cracklib(/.*)?"
restorecon -Rv /usr/share/cracklib
{code}
* or copy cracklib dictionary to mysqld datadir and set cracklib_password_check_dictionary accordingly

Sergei Golubchik made changes - 2016-05-31 17:16

Assignee

Sergei Golubchik [ serg ]

Ian Gilfillan [ greenman ]

Sergei Golubchik made changes - 2016-05-31 17:16

Component/s

Documentation [ 10903 ]

Sergei Golubchik made changes - 2016-05-31 17:16

Fix Version/s		N/A [ 14700 ]
Fix Version/s	10.1 [ 16100 ]

Ian Gilfillan made changes - 2016-08-08 09:27

Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Closed [ 6 ]

Geoff Montee (Inactive) made changes - 2019-01-25 01:39

Link

This issue relates to ~~MDEV-18374~~ [ ~~MDEV-18374~~ ]

Geoff Montee (Inactive) made changes - 2019-01-25 09:47

Link

This issue relates to CDOC-2 [ CDOC-2 ]

Sergei Golubchik made changes - 2021-12-06 21:43

Workflow

MariaDB v3 [ 75852 ]

MariaDB v4 [ 150474 ]

People

Assignee:: Ian Gilfillan

Reporter:: Hartmut Holzgraefe

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2016-05-31 17:06

Updated:: 2019-01-25 09:47

Resolved:: 2016-08-08 09:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration