[MDEV-10405] mysql.sock gets created with different SELinux context Created: 2016-07-20  Updated: 2023-10-13  Resolved: 2016-08-17

Status: Closed
Project: MariaDB Server
Component/s: Platform RedHat
Affects Version/s: 10.1.16
Fix Version/s: 10.1.17

Type: Bug Priority: Critical
Reporter: Florian Bezdeka Assignee: Sergey Vojtovich
Resolution: Fixed Votes: 1
Labels: None
Environment:

CentOS 7 updating from 10.1.14 to 10.1.16


Issue Links:
Duplicate
is duplicated by MDEV-10404 Improved systemd service hardening ca... Closed
Problem/Incident
is caused by MDEV-10298 Improve systemd service hardening Closed
Relates
relates to MDEV-24941 SElinux incorrect label for server so... Open

Description

Hi there,

I tried updating some mariadb installations from version 10.1.14 to version 10.1.16.
After restarting the daemon php-fpm and some other daemons (like apache mod_php) were no longer able to connect via unix socket.

Due to this problem I am not able to update to the latest version.
I did not try 10.1.15. Maybe this version is also affected.

The working permissions/contexts (as of 10.1.14)

> ls -alZ /var/lib/mysql
...
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock
...

The new but not working permissions/contexts (as of 10.1.16)

> ls -alZ /var/lib/mysql
...
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.sock
...

The error inside /var/log/audit/audit.log

type=AVC msg=audit(1469001191.978:508572): avc:  denied  { connectto } for  pid=65240 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
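An added example (not from the report or the MariaDB project) that checks the socket's SELinux type against the label the working 10.1.14 socket carried and extracts the matching AVC denials from audit.log; the audit records embedded in it are constructed from the one above, and the function names are assumptions of this example:

```shell
#!/bin/sh
# Added example, not MariaDB code: verify the socket's SELinux type and pull the
# matching AVC denials from audit.log. Sample records are constructed from the
# one quoted in the report; the second record is padding that must be ignored.
SOCK_PATH=/var/lib/mysql/mysql.sock
EXPECTED_SOCK_TYPE=mysqld_var_run_t   # type carried by the working 10.1.14 socket

AUDIT_SAMPLE='type=AVC msg=audit(1469001191.978:508572): avc:  denied  { connectto } for  pid=65240 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1469001200.000:508573): avc:  denied  { write } for  pid=1 comm="other" path="/run/other.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'

# Return 0 when the type field of a context (user:role:type:level) equals $2.
socket_type_ok() {
  [ "$(printf '%s\n' "$1" | cut -d: -f3)" = "$2" ]
}

# Read audit records on stdin and print "<comm> <permission> <source type> <target type>"
# for every AVC denial whose path= equals $1. For tclass=unix_stream_socket the target
# context is the domain of the listening process, not the label of the socket file.
avc_denials_for_socket() {
  awk -v want="$1" '
    /^type=AVC / && /avc: +denied/ && index($0, "path=\"" want "\"") {
      comm = perm = src = tgt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="|"$/, "", comm) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
      }
      # the denied permission is printed between braces, e.g. { connectto }
      if (match($0, /[{] [a-z_]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      print comm, perm, src, tgt
    }'
}

# Live check on a host with SELinux enabled (needs read access to audit.log).
check_host() {
  ctx=$(ls -Z "$SOCK_PATH" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')
  if socket_type_ok "$ctx" "$EXPECTED_SOCK_TYPE"; then
    echo "socket label ok: $ctx"
  else
    echo "socket mislabelled: $ctx (expected type $EXPECTED_SOCK_TYPE)"
  fi
  avc_denials_for_socket "$SOCK_PATH" < /var/log/audit/audit.log
}

# Offline run against the constructed sample.
offline_demo() {
  printf '%s\n' "$AUDIT_SAMPLE" | avc_denials_for_socket "$SOCK_PATH"
}
```

Run `check_host` on the affected host; the offline function reproduces the denial from the report as `php-fpm connectto httpd_t init_t`.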



Comments
Comment by Sergei Golubchik [ 2016-07-20 ]

Is it the same as MDEV-10404?

Comment by Florian Bezdeka [ 2016-07-21 ]

Yes. Thanks for the hint.

What I did to test this:

  • Modified /lib/systemd/system/mariadb.service and commented out NoNewPrivileges=true
  • Shell as root: systemctl daemon-reload
  • Restarted mariadb service

Result: The socket is now created with "correct" permissions as mentioned in the description above.

This issue (together with MDEV-10404) breaks all CentOS installations with SELinux enabled.

Comment by Sergey Vojtovich [ 2016-08-17 ]

I disabled NoNewPrivileges. Better fix to be developed within the scope of MDEV-10404 (If we manage to find SELinux guru).

Comment by Simon Hanmer [ 2016-11-08 ]

Not sure if I can make a suggestion - I'm using this simple selinux policy:

module MariaDB 1.0;

require {
	type mysqld_db_t;
	type mysqld_var_run_t;
	class filesystem associate;
}

#============= mysqld_var_run_t ==============
# Permit objects labelled mysqld_var_run_t to be associated with a filesystem
# labelled mysqld_db_t.
allow mysqld_var_run_t mysqld_db_t:filesystem associate;

the module name might need changing.
