[MDEV-10767] /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.1.17
Fix Version/s: 10.1.27, 10.2.10
Component/s: Galera, wsrep
Labels:
- galera
- wsrep

Sprint:
10.1.22

Description

A user reported the following error in /var/log/audit/audit.log when trying to start a cluster node:

type=AVC msg=audit(1473264262.081:132): avc: denied { open } for pid=11191 comm="mysqld" path="/tmp/wsrep_recovery.mx7VGR" dev="dm-1" ino=101950206 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

This user fixed it with the following addition to their SELinux policy:

allow mysqld_t initrc_tmp_t:file open;

Should this file actually be created in the mysqld_tmp_t context, or should we modify our SELinux policy to allow access to files in the initrc_tmp_t context?

Attachments

Issue Links

causes

MDEV-13950 mysqld_safe could not start Galera node after upgrade to 10.1.28 or 10.2.9

Closed

MDEV-14063 mariadb102-server 10.2.9 cannot startup with galera

Closed

relates to

MDEV-10753 selinux policies prevent 10.1.17-1.el7.centos to access: initrc_tmp_t + var_log_t

Closed

Activity

People

Assignee:: Sachin Setiya (Inactive)

Reporter:: Geoff Montee (Inactive)

Votes:: 2 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2016-09-07 19:06

Updated:: 2024-07-08 01:11

Resolved:: 2017-09-21 07:18

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.