[MDEV-10404] Improved systemd service hardening causes SELinux problems - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1.16
Fix Version/s: 10.1.17
Component/s: Scripts & Clients
Labels:
None
Environment:
CentOS 7.2

Sprint:
10.1.17-1

Description

In ~~MDEV-10298~~, NoNewPrivileges=true was added to the systemd service file. But when SELinux is enabled, this prevents mysqld from transitioning from init_t to mysqld_t, and that in turn prevents connecting from httpd_t. So after upgrading to 10.1.16, I see in ps auxZ:

system_u:system_r:init_t:s0     mysql     4080 11.8  7.2 779200 124164 ?       Ssl  08:54   0:00 /usr/sbin/mysqld

When I comment out the NoNewPrivileges=true, and restart, I see:

system_u:system_r:mysqld_t:s0   mysql     4185 27.0  7.3 779200 126220 ?       Ssl  08:55   0:00 /usr/sbin/mysqld

Attachments

Issue Links

duplicates

MDEV-10405 mysql.sock gets created with different SELinux context

Closed

is caused by

MDEV-10298 Improve systemd service hardening

Closed

is duplicated by

MDEV-16718 Job for mariadb.service failed because the control process exited with error code.

Closed

relates to

MDEV-10519 MariaDB fails to start after upgrade from 10.1.14 - 10.1.16 (InnoDB Encryption)

Closed

links to

systemd bug - NoNewPrivileges && SELinuxContext incompatible

systemd bug - NoNewPrivileges effects on Selinux context switching undocumented

(1 links to)

Activity

Ascending order - Click to sort in descending order

Daniel Black added a comment - 2016-07-31 23:00 - edited

https://bugzilla.redhat.com/show_bug.cgi?id=1293493 seems to be a related systemd bug. I can't find a systemd discussion about it in their mailing list or in the freedesktop bugzilla.

Daniel Black added a comment - 2016-07-31 23:00 - edited https://bugzilla.redhat.com/show_bug.cgi?id=1293493 seems to be a related systemd bug. I can't find a systemd discussion about it in their mailing list or in the freedesktop bugzilla.

Daniel Black added a comment - 2016-08-01 22:24 - edited

https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SELinuxContext=

Suggest testing:

SELinuxContext=system_u:system_r:mysqld_t:s0

note: may have troubles - https://bugzilla.redhat.com/show_bug.cgi?id=1293493#c11

Daniel Black added a comment - 2016-08-01 22:24 - edited https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SELinuxContext= Suggest testing: SELinuxContext=system_u:system_r:mysqld_t:s0 note: may have troubles - https://bugzilla.redhat.com/show_bug.cgi?id=1293493#c11

Daniel Black added a comment - 2016-08-01 22:25

As per the systemd bug report (link above) this apparently isn't their bug to fix.

Daniel Black added a comment - 2016-08-01 22:25 As per the systemd bug report (link above) this apparently isn't their bug to fix.

Sergey Vojtovich added a comment - 2016-08-17 10:03

serg, I disabled NoNewPrivileges. If you have an idea how to fix SELinux please do fix it, or just close this bug for now.

Sergey Vojtovich added a comment - 2016-08-17 10:03 serg , I disabled NoNewPrivileges. If you have an idea how to fix SELinux please do fix it, or just close this bug for now.

Daniel Black added a comment - 2016-08-18 00:12

I agree with svoj keep the NoNewPrivileges disabled until selinux contains the required transition rule or something radically simple happens in the combined selinux/systemd space.

Daniel Black added a comment - 2016-08-18 00:12 I agree with svoj keep the NoNewPrivileges disabled until selinux contains the required transition rule or something radically simple happens in the combined selinux/systemd space.

Daniel Black added a comment - 2018-04-01 09:12

From systemd bug report:

4.14 kernel fixs to add NNP to have selinux transition rule as per detailed commit:

https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef
Wonder if the RHEL/Centos7 has backported this?

Fedora fc26,27 are 4.15+ (https://apps.fedoraproject.org/packages/kernel)

RHEL/Centos6 isn't systemd.

I don't think the other distos mariadb builds packages for enable selinux.

If all distro kernel capable we could give mariadb the transition to its domain via a macro like on line 599 and enable NNP again:
and https://src.fedoraproject.org/rpms/selinux-policy/c/107eb82b3e182d72c7f2c7f8f03bda6dd790f441?branch=master#L599

Daniel Black added a comment - 2018-04-01 09:12 From systemd bug report: 4.14 kernel fixs to add NNP to have selinux transition rule as per detailed commit: https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef Wonder if the RHEL/Centos7 has backported this? Fedora fc26,27 are 4.15+ ( https://apps.fedoraproject.org/packages/kernel ) RHEL/Centos6 isn't systemd. I don't think the other distos mariadb builds packages for enable selinux. If all distro kernel capable we could give mariadb the transition to its domain via a macro like on line 599 and enable NNP again: and https://src.fedoraproject.org/rpms/selinux-policy/c/107eb82b3e182d72c7f2c7f8f03bda6dd790f441?branch=master#L599

People

Assignee:: Sergey Vojtovich

Reporter:: Harald van Dijk

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2016-07-20 08:56

Updated:: 2023-07-18 01:42

Resolved:: 2016-08-23 13:19

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server