  1. MariaDB Server
  2. MDEV-15169

Provided SELinux FC/TE rules do not allow executing /usr/bin/wsrep_sst_* scripts

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 10.1.30
    • Fix Version/s: 10.1
    • Component/s: Galera, Galera SST, wsrep
    • Environment:
      CentOS 7 with SELinux in enforcing mode
      (MariaDB installed with packages from MariaDB YUM repo)

      Description

      When using the 'mariadb-server' policy (files in /usr/share/mysql/policy/selinux from the MariaDB-server package):

      • mariadb-server.fc file gives type mysqld_safe_exec_t to /usr/bin/wsrep_* scripts
      • mariadb-server.te file makes no use of it, but allows needed calls for bin_t

      $ grep mysqld_safe_exec_t mariadb-server.{fc,te}
      mariadb-server.fc:/usr/bin/wsrep.*  -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
      

      Right after package installation, the /usr/bin/wsrep_* scripts have type bin_t, so Galera SST can be performed successfully.

      But after relabeling/restorecon, SST scripts get their mysqld_safe_exec_t type and Galera SST no longer works, showing denials like this:

      type=AVC msg=audit(1517492933.954:1485): avc:  denied  { getattr } for  pid=5624 comm="sh" path="/usr/bin/wsrep_sst_rsync" dev="sda3" ino=295423 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file
      

      Could the attached patch represent the initial goal of labeling SST scripts as mysqld_safe_exec_t?

            People

            • Assignee: jplindst Jan Lindström
            • Reporter: Mvedrines Mathias Védrines