[MDEV-15169] Provided SELinux FC/TE rules do not allow executing /usr/bin/wsrep_sst_* scripts - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Won't Fix
Affects Version/s: 10.1.30
Fix Version/s: N/A
Component/s: Galera, Galera SST, wsrep
Labels:
- galera
- patch
- selinux
- sst
Environment:
CentOS 7 with SELinux in enforcing mode
(MariaDB installed with packages from MariaDB YUM repo)

Description

When using the 'mariadb-server' policy (files in /usr/share/mysql/policy/selinux from the MariaDB-server package):

mariadb-server.fc file gives type mysqld_safe_exec_t to /usr/bin/wsrep_* scripts
mariadb-server.te file makes no use of it, but allows needed calls for bin_t

$ grep mysqld_safe_exec_t mariadb-server.{fc,te}

mariadb-server.fc:/usr/bin/wsrep.*  -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)

Right after packages install, /usr/bin/wsrep_* have type bin_t so Galera SST can be performed successfully.

But after relabeling/restorecon, SST scripts get their mysqld_safe_exec_t type and Galera SST no longer works, showing denials like this:

type=AVC msg=audit(1517492933.954:1485): avc:  denied  { getattr } for  pid=5624 comm="sh" path="/usr/bin/wsrep_sst_rsync" dev="sda3" ino=295423 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file

Could the attached patch represent the initial goal with labeling SST scripts as mysqld_safe_exec_t?

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

mariadb-server.te.diff
0.7 kB
2018-02-01 16:48

Activity

People

Assignee:: Julius Goryavsky

Reporter:: Mathias Védrines

Votes:: 1 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2018-02-01 16:53

Updated:: 2023-06-06 09:31

Resolved:: 2023-06-06 09:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.