  1. MariaDB Server
  2. MDEV-15169

Provided SELinux FC/TE rules do not allow executing /usr/bin/wsrep_sst_* scripts

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Won't Fix
    • 10.1.30
    • N/A
    • Galera, Galera SST, wsrep
    • CentOS 7 with SELinux in enforcing mode
      (MariaDB installed with packages from MariaDB YUM repo)

    Description

      When using the 'mariadb-server' policy (files in /usr/share/mysql/policy/selinux from the MariaDB-server package):

      • mariadb-server.fc file gives type mysqld_safe_exec_t to /usr/bin/wsrep_* scripts
      • mariadb-server.te file makes no use of it, but allows needed calls for bin_t

      $ grep mysqld_safe_exec_t mariadb-server.{fc,te}
      mariadb-server.fc:/usr/bin/wsrep.*  -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
      

      Right after the packages are installed, /usr/bin/wsrep_* have type bin_t, so Galera SST can be performed successfully.

      But after relabeling/restorecon, the SST scripts get their mysqld_safe_exec_t type and Galera SST no longer works, showing denials like this:

      type=AVC msg=audit(1517492933.954:1485): avc:  denied  { getattr } for  pid=5624 comm="sh" path="/usr/bin/wsrep_sst_rsync" dev="sda3" ino=295423 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file
      

      Could the attached patch represent the initial goal of labeling SST scripts as mysqld_safe_exec_t?
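
An added example, not part of the original report or of the MariaDB policy: a Python check that finds types a `.fc` file assigns but the `.te` file never names, and ties an AVC denial back to such a label. The function names, the second `.fc` line and the `.te` fragment are constructed assumptions; the wsrep `.fc` line and the AVC record are the ones quoted above.

```python
import re

# Samples: the wsrep .fc line and the AVC record are quoted from the report;
# the second .fc line and the .te text are constructed for illustration.
FC_SAMPLE = """\
/usr/bin/wsrep.*  -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/sbin/mysqld  -- gen_context(system_u:object_r:mysqld_exec_t,s0)
"""
TE_SAMPLE = """\
require { type mysqld_t; type mysqld_exec_t; type bin_t; }
allow mysqld_t bin_t:file { getattr open read execute execute_no_trans };
"""
AVC_SAMPLE = ('type=AVC msg=audit(1517492933.954:1485): avc:  denied  { getattr } '
              'for  pid=5624 comm="sh" path="/usr/bin/wsrep_sst_rsync" dev="sda3" '
              'ino=295423 scontext=system_u:system_r:mysqld_t:s0 '
              'tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file')

FC_RE = re.compile(r"^(\S+)\s+(?:-\S\s+)?gen_context\(\w+:\w+:(\w+),", re.M)
AVC_RE = re.compile(r'denied\s+\{ ([^}]+) \}.*?path="([^"]+)".*?'
                    r'scontext=\w+:\w+:(\w+):.*?tcontext=\w+:\w+:(\w+):.*?tclass=(\w+)')

def unused_fc_types(fc_text, te_text):
    """Map each type assigned in the .fc but never named in the .te to its path regexes."""
    te_code = re.sub(r"#.*", "", te_text)  # ignore comments in the policy source
    unused = {}
    for path_re, setype in FC_RE.findall(fc_text):
        if not re.search(rf"\b{re.escape(setype)}\b", te_code):
            unused.setdefault(setype, []).append(path_re)
    return unused

def parse_avc(line):
    """Extract permissions, path, source/target types and class from an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, path, source, target, tclass = m.groups()
    return {"perms": perms.split(), "path": path, "source": source,
            "target": target, "tclass": tclass}

def denial_from_unused_label(avc_line, fc_text, te_text):
    """True when the denied target type is one the .fc assigns but the .te never names."""
    avc = parse_avc(avc_line)
    if avc is None:
        return False
    patterns = unused_fc_types(fc_text, te_text).get(avc["target"], [])
    # file_contexts regexes are anchored at both ends, hence fullmatch
    return any(re.fullmatch(p, avc["path"]) for p in patterns)

if __name__ == "__main__":
    print(denial_from_unused_label(AVC_SAMPLE, FC_SAMPLE, TE_SAMPLE))
```
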


          People

            sysprg Julius Goryavsky
            Mvedrines Mathias Védrines