[MDEV-10404] Improved systemd service hardening causes SELinux problems - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1.16
Fix Version/s: 10.1.17
Component/s: Scripts & Clients
Labels:
None
Environment:
CentOS 7.2

Sprint:
10.1.17-1

Description

In ~~MDEV-10298~~, NoNewPrivileges=true was added to the systemd service file. But when SELinux is enabled, this prevents mysqld from transitioning from init_t to mysqld_t, and that in turn prevents connecting from httpd_t. So after upgrading to 10.1.16, I see in ps auxZ:

system_u:system_r:init_t:s0     mysql     4080 11.8  7.2 779200 124164 ?       Ssl  08:54   0:00 /usr/sbin/mysqld

When I comment out the NoNewPrivileges=true, and restart, I see:

system_u:system_r:mysqld_t:s0   mysql     4185 27.0  7.3 779200 126220 ?       Ssl  08:55   0:00 /usr/sbin/mysqld

Attachments

Issue Links

duplicates

MDEV-10405 mysql.sock gets created with different SELinux context

Closed

is caused by

MDEV-10298 Improve systemd service hardening

Closed

is duplicated by

MDEV-16718 Job for mariadb.service failed because the control process exited with error code.

Closed

relates to

MDEV-10519 MariaDB fails to start after upgrade from 10.1.14 - 10.1.16 (InnoDB Encryption)

Closed

links to

systemd bug - NoNewPrivileges && SELinuxContext incompatible

systemd bug - NoNewPrivileges effects on Selinux context switching undocumented

(1 links to)

Activity

People

Assignee:: Sergey Vojtovich

Reporter:: Harald van Dijk

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2016-07-20 08:56

Updated:: 2023-07-18 01:42

Resolved:: 2016-08-23 13:19

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.