MariaDB Server
MDEV-14061

SELinux preventing MariaDB + Galera from creating a temporary file on /usr

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 10.1.28
    • Fix Version/s: N/A
    • Component/s: Galera, Server, wsrep
    • Labels:
      None
    • Environment:
      CentOS Linux release 7.4.1708 (Core) x86_64

      Description

      After a software update, the MariaDB server no longer starts.

      MariaDB-common-10.1.28-1.el7.centos.x86_64
      MariaDB-client-10.1.28-1.el7.centos.x86_64
      MariaDB-server-10.1.28-1.el7.centos.x86_64
      MariaDB-shared-10.1.28-1.el7.centos.x86_64
      galera-25.3.20-1.rhel7.el7.centos.x86_64
      percona-xtrabackup-2.3.6-1.el7.x86_64
      

      SELinux is preventing mktemp from creating temporary files like wsrep_recovery.* under /usr.
      Temporary files are not supposed to be created there.
      After setting permissive mode for mysqld_safe_t, the SELinux logs show:

      SELinux is preventing /usr/bin/mktemp from create access on the file wsrep_recovery.K1AY7s.

      *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
       
      If you want to allow mktemp to have create access on the wsrep_recovery.K1AY7s file
      Then necesita modificar la etiqueta en wsrep_recovery.K1AY7s
      Do
      # semanage fcontext -a -t FILE_TYPE 'wsrep_recovery.K1AY7s'
      donde FILE_TYPE es uno de los siguientes: mysqld_db_t, mysqld_log_t, mysqld_var_run_t. 
      Luego ejecute: 
      restorecon -v 'wsrep_recovery.K1AY7s'
       
       
      *****  Plugin catchall (17.1 confidence) suggests   **************************
       
      If cree que de manera predeterminada, mktemp debería permitir acceso create sobre wsrep_recovery.K1AY7s file.     
      Then debería reportar esto como un error.
      Puede generar un módulo de política local para permitir este acceso.
      Do
      allow this access for now by executing:
      # ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
      # semodule -i my-mktemp.pp
       
       
      Additional Information:
      Source Context                system_u:system_r:mysqld_safe_t:s0
      **Target Context                system_u:object_r:usr_t:s0**
      Target Objects                wsrep_recovery.K1AY7s [ file ]
      Source                        mktemp
      Source Path                   /usr/bin/mktemp
      Port                          <Unknown>
      Host                          spi2.**********
      Source RPM Packages           coreutils-8.22-18.el7.x86_64
      Target RPM Packages           
      Policy RPM                    selinux-policy-3.13.1-166.el7_4.4.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     spi2.**********
      Platform                      Linux spi2.********
                                    3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12
                                    22:26:13 UTC 2017 x86_64 x86_64
      Alert Count                   14
      First Seen                    2017-09-28 12:54:57 -03
      Last Seen                     2017-10-12 12:09:59 -03
      Local ID                      2f128290-dc5e-4280-bcb4-2fcc3abb56e3
       
      Raw Audit Messages
      type=AVC msg=audit(1507820999.760:2512): avc:  denied  { create } for  pid=16103 comm="mktemp" name="wsrep_recovery.K1AY7s" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
       
       
      type=AVC msg=audit(1507820999.760:2512): avc:  denied  { write } for  pid=16103 comm="mktemp" path="/usr/wsrep_recovery.K1AY7s" dev="sda3" ino=198736 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
       
       
      type=SYSCALL msg=audit(1507820999.760:2512): arch=x86_64 syscall=open success=yes exit=ESRCH a0=190d050 a1=c2 a2=180 a3=652a6ab1f081fc9a items=0 ppid=15909 pid=16103 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mktemp exe=/usr/bin/mktemp subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
       
      Hash: mktemp,mysqld_safe_t,usr_t,file,create
      

      my.cnf:

      [mysqld]
      datadir=/var/lib/mysql
      socket=/var/lib/mysql/mysql.sock
      # Disabling symbolic-links is recommended to prevent assorted security risks
      symbolic-links=0
      # Settings user and group are ignored when systemd is used.
      # If you need to run mysqld under a different user or group,
      # customize your systemd unit file for mariadb according to the
      # instructions in http://fedoraproject.org/wiki/Systemd
      log-error=/var/log/mariadb/mariadb.log
      pid-file=/var/run/mariadb/mariadb.pid
       
       
      [mysqld_safe]
      log-error=/var/log/mariadb/mariadb.log
      pid-file=/var/run/mariadb/mariadb.pid
       
      [client]
      default_character_set = UTF8
       
      #
      # include all files from the config directory
      #
      !includedir /etc/my.cnf.d
       
      Included files: server.cnf
       
      #
      # These groups are read by MariaDB server.
      # Use it for options that only the server (but not clients) should see
      #
      # See the examples of server my.cnf files in /usr/share/mysql/
      #
       
      # this is read by the standalone daemon and embedded servers
      [server]
       
      # this is only for the mysqld standalone daemon
      [mysqld]
      key_buffer = 64M
      max_allowed_packet = 4M
      table_cache = 512
      sort_buffer_size = 8M
      net_buffer_length = 32K
      read_buffer_size = 4M
      read_rnd_buffer_size = 8M
      myisam_sort_buffer_size = 32M
      character_set_filesystem = UTF8
      character_set_server = UTF8
      default-storage-engine=INNODB
      innodb_file_per_table
      innodb_flush_method=O_DIRECT
      innodb_log_file_size=64M
      innodb_buffer_pool_size = 256M
      join_buffer_size = 1048576
       
       
      #
      # * Galera-related settings
      #
      [galera]
      # Mandatory settings
      wsrep_on=ON
      wsrep_provider=/usr/lib64/galera/libgalera_smm.so
      wsrep_provider_options="gmcast.listen_addr=tcp://10.39.2.150:4778"
      wsrep_cluster_address=gcomm://10.39.1.150:4778,10.39.1.101:4778,10.39.2.150:4778
      binlog_format=row
      default_storage_engine=InnoDB
      innodb_autoinc_lock_mode=2
      #
      # Allow server to accept connections on all interfaces.
      #
      bind-address=10.39.2.150
      #
      # Optional setting
      #wsrep_slave_threads=1
      #innodb_flush_log_at_trx_commit=0
      #
      wsrep_cluster_name="MariaDB_SPI-Cluster"
      wsrep_node_address="10.39.2.150"
      wsrep_sst_method=xtrabackup
      wsrep_sst_auth=root:*********
      wsrep_sst_receive_address=10.39.2.150:4777
       
      wsrep_data_home_dir=/var/lib/mysql
      wsrep_debug=ON
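As an added example (not part of this report or of MariaDB), the AVC records quoted above run through a small audit-log parser: it rebuilds the comm,source type,target type,class,permission key that sealert prints as "Hash:", lists the mysqld_safe_t file accesses that landed on usr_t (the misplaced temp file), and matches them to the SYSCALL record's success=yes, which is what a denial from a permissive domain looks like. The sample log is reconstructed from the lines in the report.

```python
import re
from collections import Counter

# Constructed sample: the AVC and SYSCALL records quoted in the report (raw audit format).
AUDIT_LOG = """\
type=AVC msg=audit(1507820999.760:2512): avc:  denied  { create } for  pid=16103 comm="mktemp" name="wsrep_recovery.K1AY7s" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1507820999.760:2512): avc:  denied  { write } for  pid=16103 comm="mktemp" path="/usr/wsrep_recovery.K1AY7s" dev="sda3" ino=198736 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1507820999.760:2512): arch=x86_64 syscall=open success=yes exit=ESRCH a0=190d050 a1=c2 a2=180 a3=652a6ab1f081fc9a items=0 ppid=15909 pid=16103 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mktemp exe=/usr/bin/mktemp subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")  # audit(timestamp:serial) -> serial
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record type."""
    if not (m := AVC_RE.search(line)):
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()        # "{ create }" -> ["create"]
    rec["stype"] = rec["scon"].split(":")[2]   # user:role:type:level -> type
    rec["ttype"] = rec["tcon"].split(":")[2]
    rec["serial"] = EVENT_RE.search(line).group(1)
    pm = re.search(r' (?:path|name)="([^"]+)"', line)  # name= on create, path= on write
    rec["target"] = pm.group(1) if pm else None
    return rec

def sealert_key(rec, perm):
    """Rebuild the key sealert prints as 'Hash:': comm,source type,target type,class,permission."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm])

def summarize(log):
    """Count denials per sealert key, list mysqld_safe_t targets labelled usr_t, note which the kernel still allowed."""
    counts, misplaced, permissive, syscall_ok = Counter(), [], set(), set()
    for line in log.splitlines():
        if line.startswith("type=SYSCALL") and " success=yes " in line:
            syscall_ok.add(EVENT_RE.search(line).group(1))
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[sealert_key(rec, perm)] += 1
        if rec["stype"] == "mysqld_safe_t" and rec["ttype"] == "usr_t" and rec["tclass"] == "file":
            misplaced.append(rec["target"])
            if rec["serial"] in syscall_ok:
                permissive.add(rec["serial"])
    return counts, misplaced, permissive
```

A denial whose SYSCALL record reports success=yes was logged but not blocked, so once mysqld_safe_t is back in enforcing mode the same pattern will stop the server again; the fix is relocating the temp file (or its label), not the audit2allow module the catchall plugin offers.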
      

              People

              • Assignee:
                anikitin Andrii Nikitin (Inactive)
                Reporter:
                gcremella Gustavo Cremella