Details
-
Bug
-
Status: In Review (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.11
-
None
Description
PrivateDevices=false was added to the systemd service files of MariaDB dd93028dae with a comment that private devices implies no new privileges. The case where this was evident was in the PAM tests of MariaDB.
Per MDEV-13207 and by inference Debian bug 911152 there was a the time s kernel fault that resulted in this behaviours.
As PrivateDevices=true is the default of a systemd service we can remove the security disabling directive. Note it is possible to configure InnoDB to use raw devices, its barely documented and I haven't seen cases where its used, however its worth a release notes saying if this is the case, a user will need to configure an override to set PrivateDevices=false.
RHEL8 tests where manually tested to have have a correctly functioning PAM with this removed. bb-10.11-systemd-remove-privatedevices-pkgtest tests the rest of this.
Also tested locally on RHEL8 only was the 1e160e5cb387 which disabled NoNewPrivileges=true. NoNewPrivileges still disables the PAM helper, and even with a selinux rule of below wasn't sufficient for the pam helper to function correctly so this directive will remain.
|
draft selinux rule enabling nnp for mysqld_t to the chkpwd_t used by unix_pam |
module mariadb_pam 1.0;
|
|
|
require {
|
type chkpwd_t;
|
type mysqld_t;
|
class process2 nnp_transition;
|
}
|
|
|
#============= mysqld_t ==============
|
allow mysqld_t chkpwd_t:process2 nnp_transition;
|
Attachments
Issue Links
- relates to
-
-
- Closed
-