[MDEV-10160] enabled cracklib plugin blocks all password changes with SELINUX=enforcing Created: 2016-05-31 Updated: 2019-01-25 Resolved: 2016-08-08 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Admin statements, Authentication and Privilege System, Documentation |
| Affects Version/s: | 10.1.14, 10.1 |
| Fix Version/s: | N/A |
| Type: | Bug | Priority: | Major |
| Reporter: | Hartmut Holzgraefe | Assignee: | Ian Gilfillan |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Environment: |
linux with SELINUX=enforcing |
||
| Description |
|
When using default settings, cracklib tries to read the password database from /usr/share/cracklib/. When using the standard SELINUX profile, mysqld doesn't have access to that directory, though. Workarounds:
|
| Comments |
| Comment by Elena Stepanova [ 2016-05-31 ] |
|
I'm not sure how it should be fixed. By not reading the passwords? |
| Comment by Ian Gilfillan [ 2016-08-08 ] |
|
Documentation updated |
| Comment by Hartmut Holzgraefe [ 2016-08-08 ] |
|
Unfortunately, the semanage/restorecon approach doesn't work as intended; it takes away permissions on the password list files from cracklib itself and so e.g. breaks PAM ... I'll update the KB page accordingly ... |
| Comment by Geoff Montee (Inactive) [ 2019-01-25 ] |
|
This can probably be fixed by adding an SELinux policy to the cracklib_password_check packages. See |
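
Added example, not part of the original issue or of MariaDB's code: a small parser that confirms from audit records that the failing password changes come from SELinux denying mysqld access to the cracklib dictionary, and lists the permissions a policy module like the one suggested in the last comment would have to cover. The log lines are constructed, and the labels `mysqld_t` and `crack_db_t` are assumptions based on the common targeted policy; check the real labels on the affected host.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration; not taken from the issue.
# mysqld_t / crack_db_t are assumed labels; confirm with `ls -Z /usr/share/cracklib`.
SAMPLE_LOG = '''\
type=AVC msg=audit(1464700000.101:501): avc:  denied  { search } for  pid=2001 comm="mysqld" name="cracklib" dev="dm-0" ino=1001 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir
type=AVC msg=audit(1464700000.102:502): avc:  denied  { read open } for  pid=2001 comm="mysqld" name="pw_dict.pwd" dev="dm-0" ino=1002 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=AVC msg=audit(1464700000.103:503): avc:  denied  { getattr } for  pid=2001 comm="mysqld" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-0" ino=1003 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=AVC msg=audit(1464700000.104:504): avc:  denied  { read } for  pid=3001 comm="httpd" name="notes.txt" dev="dm-0" ino=1004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text, comm="mysqld"):
    """Group denied permissions by (source type, target type, class) for one process name."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # not a denial, or a denial for some other process
        key = (selinux_type(m.group("scontext")),
               selinux_type(m.group("tcontext")),
               m.group("tclass"))
        needed[key].update(m.group("perms").split())
    return {key: sorted(perms) for key, perms in needed.items()}

def cracklib_denials(log_text, target_type="crack_db_t"):
    """Keep only mysqld denials whose target carries the cracklib dictionary label."""
    return {k: v for k, v in summarize_denials(log_text).items() if k[1] == target_type}

def as_allow_rules(denials):
    """Render the grouped denials as policy allow rules for review before any module is built."""
    return sorted(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
                  for (src, tgt, cls), perms in denials.items())

if __name__ == "__main__":
    for rule in as_allow_rules(cracklib_denials(SAMPLE_LOG)):
        print(rule)
```
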