[MDEV-10404] Improved systemd service hardening causes SELinux problems Created: 2016-07-20  Updated: 2023-07-18  Resolved: 2016-08-23

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.1.16
Fix Version/s: 10.1.17

Type: Bug Priority: Major
Reporter: Harald van Dijk Assignee: Sergey Vojtovich
Resolution: Fixed Votes: 1
Labels: None
Environment:

CentOS 7.2


Issue Links:
Duplicate
duplicates MDEV-10405 mysql.sock gets created with differen... Closed
is duplicated by MDEV-16718 Job for mariadb.service failed becaus... Closed
Problem/Incident
is caused by MDEV-10298 Improve systemd service hardening Closed
Relates
relates to MDEV-10519 MariaDB fails to start after upgrade ... Closed
Sprint: 10.1.17-1

Description

In MDEV-10298, NoNewPrivileges=true was added to the systemd service file. But when SELinux is enabled, this prevents mysqld from transitioning from init_t to mysqld_t, and that in turn prevents connecting from httpd_t. So after upgrading to 10.1.16, I see in ps auxZ:

system_u:system_r:init_t:s0     mysql     4080 11.8  7.2 779200 124164 ?       Ssl  08:54   0:00 /usr/sbin/mysqld

When I comment out the NoNewPrivileges=true, and restart, I see:

system_u:system_r:mysqld_t:s0   mysql     4185 27.0  7.3 779200 126220 ?       Ssl  08:55   0:00 /usr/sbin/mysqld



Comments
Comment by Daniel Black [ 2016-07-31 ]

https://bugzilla.redhat.com/show_bug.cgi?id=1293493 seems to be a related systemd bug. I can't find a systemd discussion about it in their mailing list or in the freedesktop bugzilla.

Comment by Daniel Black [ 2016-08-01 ]

https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SELinuxContext=

Suggest testing:

SELinuxContext=system_u:system_r:mysqld_t:s0

note: may have troubles - https://bugzilla.redhat.com/show_bug.cgi?id=1293493#c11

Comment by Daniel Black [ 2016-08-01 ]

As per the systemd bug report (link above) this apparently isn't their bug to fix.

Comment by Sergey Vojtovich [ 2016-08-17 ]

serg, I disabled NoNewPrivileges. If you have an idea how to fix SELinux please do fix it, or just close this bug for now.

Comment by Daniel Black [ 2016-08-18 ]

I agree with svoj: keep NoNewPrivileges disabled until SELinux contains the required transition rule or something radically simple happens in the combined SELinux/systemd space.

Comment by Daniel Black [ 2018-04-01 ]

From systemd bug report:

4.14 kernel fixes to add NNP to have an SELinux transition rule, as per the detailed commit:

https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef
Wonder if RHEL/CentOS 7 has backported this?

Fedora fc26, fc27 are 4.15+ (https://apps.fedoraproject.org/packages/kernel)

RHEL/CentOS 6 isn't systemd.

I don't think the other distros that MariaDB builds packages for enable SELinux.

If all distro kernels are capable, we could give MariaDB the transition to its domain via a macro like the one on line 599 and enable NNP again:
https://src.fedoraproject.org/rpms/selinux-policy/c/107eb82b3e182d72c7f2c7f8f03bda6dd790f441?branch=master#L599
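To make the observations in this ticket checkable on a host, here is an added example (not code from MariaDB, systemd or any of the participants above): a POSIX shell script that extracts the domain from a process context as seen in the ps auxZ output in the description, computes the effective NoNewPrivileges= from unit text the way systemd reads it (so the commented-out line from the description counts as unset, and a line outside [Service] is ignored), reports whether the running kernel advertises the nnp_nosuid_transition policy capability introduced by the 4.14 commit linked in the last comment, and prints the drop-in override that keeps the shipped unit untouched. The function names, the drop-in path /etc/systemd/system/mariadb.service.d/, the simplified boolean parsing and the pidof-based process lookup are assumptions of this example, not anything the ticket or the packages define.

```shell
#!/bin/sh
# Added example for MDEV-10404, not part of the MariaDB or systemd packaging.
# Pure functions below take their input as arguments/stdin so they can be run
# on constructed data; live() reads the real host when invoked with --live.

# The type field (third colon-separated field) of a SELinux context is the
# process domain, e.g. system_u:system_r:init_t:s0 -> init_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Effective NoNewPrivileges= from systemd unit text on stdin:
#  - only assignments inside [Service] count
#  - '#' and ';' lines are comments (a commented-out line is "unset")
#  - later assignments win, an empty assignment resets to the default ("no")
#  - boolean spellings accepted by systemd are folded to yes/no (assumption:
#    the common ones only; case-insensitive)
unit_nnp() {
    val=no
    section=
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            '#'*|';'*|'') continue ;;
            '['*']') section=${line#\[}; section=${section%\]}; continue ;;
            NoNewPrivileges=*)
                [ "$section" = Service ] || continue
                v=$(printf '%s' "${line#NoNewPrivileges=}" | tr '[:upper:]' '[:lower:]')
                case "$v" in
                    1|y|yes|t|true|on) val=yes ;;
                    *) val=no ;;
                esac ;;
        esac
    done
    printf '%s\n' "$val"
}

# Verdict from three observations:
#   $1 process domain (e.g. init_t), $2 effective NNP (yes/no),
#   $3 kernel policy capability nnp_nosuid_transition (1 = present, 0 = absent)
diagnose() {
    domain=$1 nnp=$2 cap=$3
    if [ "$domain" = mysqld_t ]; then
        echo "ok: mysqld confined in mysqld_t"
    elif [ "$domain" = init_t ] && [ "$nnp" = yes ] && [ "$cap" = 0 ]; then
        echo "blocked: NoNewPrivileges=yes and kernel lacks nnp_nosuid_transition, so init_t -> mysqld_t cannot happen"
    elif [ "$domain" = init_t ] && [ "$nnp" = yes ]; then
        echo "blocked: kernel has nnp_nosuid_transition; policy most likely lacks an nnp_transition rule init_t -> mysqld_t"
    else
        echo "unexpected: mysqld in $domain with NoNewPrivileges=$nnp; check file labels and policy"
    fi
}

# Drop-in that overrides the shipped unit without editing it (assumed path).
dropin() {
    cat <<'EOF'
# /etc/systemd/system/mariadb.service.d/selinux.conf
[Service]
NoNewPrivileges=false
EOF
}

# Read the live host: process context from /proc, the unit's effective setting
# from systemctl (without --value, which CentOS 7's systemd 219 lacks), and the
# policy capability flag from selinuxfs.
live() {
    pid=$(pidof mysqld 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || { echo "mysqld is not running"; return 1; }
    ctx=$(tr -d '\0' < /proc/"$pid"/attr/current)
    nnp=$(systemctl show -p NoNewPrivileges mariadb.service | cut -d= -f2)
    cap=0
    [ -r /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition ] &&
        cap=$(cat /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition)
    diagnose "$(selinux_type "$ctx")" "$nnp" "$cap"
}

if [ "${1:-}" = --live ]; then
    live
fi
```

Run it as `sh check-nnp.sh --live` on the affected host; without the flag it only defines the functions, so the parsing and verdict logic can be exercised on constructed unit text and contexts. If the verdict is "blocked" and the kernel lacks the capability, `dropin` prints the override to install with `systemctl daemon-reload && systemctl restart mariadb.service`, after which ps auxZ should show mysqld_t again.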

Generated at Thu Feb 08 07:41:59 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.