  1. MariaDB Server
  2. MDEV-34523

mysqladmin logrotate with SELinux enforced fails


Details

    Description

      Running mysqladmin from logrotate, which is in the logrotate_t domain: no matter whether the file is in mysqld_var_run_t or mysqld_db_t, it won't work by default.

      logrotate script:

      /data/bases/log/mariadb.log
      /data/bases/log/slow-queries.log
      {
          daily
          rotate 180
          missingok
          compress
          delaycompress
          sharedscripts
          shred
          postrotate
              if test -x /usr/bin/mysqladmin && /usr/bin/mysqladmin ping &> /dev/null; then
                  /usr/bin/mysqladmin flush-logs &> /dev/null || true
              fi
          endscript
      }

      In the context of logrotate, the access to the MariaDB socket is denied:

      type=AVC msg=audit(1719876242.096:38931154): avc: denied { write } for pid=2007545 comm="mysqladmin" name="mysql.sock" dev="dm-6" ino=139 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=sock_file permissive=0

      ls -lZ /var/lib/mysql/mysql.sock
      srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 0 Jul 2 18:19 /data/bases/mysql.sock
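
      Added example, not part of the original report or of MariaDB's code: a small Python parser for the AVC record quoted above. It extracts the source domain, target type, object class and permissions, and renders the denied access in type-enforcement rule syntax so the denial can be reviewed. The function names are hypothetical; the sample line is the report's own record, joined onto one line.

```python
import re

# The denial quoted in the report above, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1719876242.096:38931154): avc: denied { write } '
    'for pid=2007545 comm="mysqladmin" name="mysql.sock" dev="dm-6" ino=139 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mysqld_db_t:s0 tclass=sock_file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        # An SELinux context is user:role:type:level; the type is the third field.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'enforced': fields.get('permissive') == '0',
    }


def describe(rec):
    """Render the denied access in type-enforcement rule syntax, for review."""
    perms = ' '.join(rec['perms'])
    return 'allow %s %s:%s { %s };' % (
        rec['source_type'], rec['target_type'], rec['tclass'], perms)


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec)
    print(describe(rec))
```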

          People

            Unassigned
            martin.reinhardt@mariadb.com Martin Reinhardt