[MDEV-10405] mysql.sock gets created with different SELinux context - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.1.16
Fix Version/s: 10.1.17
Component/s: Platform RedHat
Labels:
None
Environment:
CentOS 7 updating from 10.1.14 to 10.1.16

Description

Hi there,

I tried updating some mariadb installations from version 10.1.14 to version 10.1.16.
After restarting the daemon php-fpm and some other daemons (like apache mod_php) were no longer able to connect via unix socket.

Due to this problem I am not able to update to the latest version.
I did not try 10.1.15. Maybe this version is also affected.

The working permissions/contexts (as of 10.1.14)

> ls -alZ /var/lib/mysql

...

srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock

...

The new but not working permissions/contexts (as of 10.1.16)

> ls -alZ /var/lib/mysql

...

srwxrwxrwx. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.sock

...

The error inside /var/log/audit/audit.log

type=AVC msg=audit(1469001191.978:508572): avc:  denied  { connectto } for  pid=65240 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

Attachments

Issue Links

is caused by

MDEV-10298 Improve systemd service hardening

Closed

is duplicated by

MDEV-10404 Improved systemd service hardening causes SELinux problems

Closed

relates to

MDEV-24941 SElinux incorrect label for server socket

Open

Activity

People

Assignee:: Sergey Vojtovich

Reporter:: Florian Bezdeka

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2016-07-20 12:37

Updated:: 2023-10-13 10:14

Resolved:: 2016-08-17 10:01

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.