Details
Critical Description
A user reported the following error in /var/log/audit/audit.log when trying to start a cluster node:
type=AVC msg=audit(1473264262.081:132): avc: denied { open } for pid=11191 comm="mysqld" path="/tmp/wsrep_recovery.mx7VGR" dev="dm-1" ino=101950206 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
|
This user fixed it with the following addition to their SELinux policy:
allow mysqld_t initrc_tmp_t:file open;
|
Should this file actually be created in the mysqld_tmp_t context, or should we modify our SELinux policy to allow access to files in the initrc_tmp_t context?
Attachments
Issue Links
- causes
-
MDEV-13950 mysqld_safe could not start Galera node after upgrade to 10.1.28 or 10.2.9
-
- Closed
-
-
-
- Closed
-
- relates to
-
-
- Closed
-
Activity
I'm puzzled here – from description it seems like writing to /tmp/wsrep_recovery.XXXXXX is not what we need, because of the SELinux. Yet it is the current implementation. I'm asking because I indeed see SELinux AVC on RHEL 6 with version 10.1.29.
It's also not clear to me what was wrong about original location $DATADIR/wsrep_recovery.XXXXXX. Can somebody explain to me, please?
hhorak In my understanding SELinux complains if mysqld is writing to /tmp ; after the patch it is mysqld_safe and galera_recovery scripts which use /tmp directly and SELinux should be OK with that. (because those scripts usually started by privileged user, while 'mysqld' process is started with context of 'mysql' user)
hhorak using $DATADIR/wsrep_recovery.XXXXXX works too. We just didn't want different scripts to use different solutions for the same problem. (And I hope we'll be able to remove the duplicate code and have only one copy of it)
Looks similar to
MDEV-10753.svoj, FYI.