[#MDEV-10767] /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context

[MDEV-10767] /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context Created: 2016-09-07 Updated: 2020-08-25 Resolved: 2017-09-21
Status:	Closed
Project:	MariaDB Server
Component/s:	Galera, wsrep
Affects Version/s:	10.1.17
Fix Version/s:	10.1.27, 10.2.10

Type:

Bug

Priority:

Critical

Reporter:

Geoff Montee (Inactive)

Assignee:

Sachin Setiya (Inactive)

Resolution:

Fixed

Votes:

Labels:

galera, wsrep

Issue Links:

Problem/Incident
causes	~~MDEV-13950~~	mysqld_safe could not start Galera no...	Closed
causes	~~MDEV-14063~~	mariadb102-server 10.2.9 cannot start...	Closed
Relates
relates to	~~MDEV-10753~~	selinux policies prevent 10.1.17-1.el...	Closed

Sprint:

10.1.22

Description

A user reported the following error in /var/log/audit/audit.log when trying to start a cluster node:

type=AVC msg=audit(1473264262.081:132): avc: denied { open } for pid=11191 comm="mysqld" path="/tmp/wsrep_recovery.mx7VGR" dev="dm-1" ino=101950206 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

This user fixed it with the following addition to their SELinux policy:

allow mysqld_t initrc_tmp_t:file open;

Should this file actually be created in the mysqld_tmp_t context, or should we modify our SELinux policy to allow access to files in the initrc_tmp_t context?

Comments

Comment by Elena Stepanova [ 2016-09-07 ]

Looks similar to ~~MDEV-10753~~.
svoj, FYI.

Comment by Daniel Black [ 2017-04-10 ]

perhaps setting TMPDIR to /var/run/mysql

Comment by Sachin Setiya (Inactive) [ 2017-09-18 ]

http://lists.askmonty.org/pipermail/commits/2017-September/011456.html

Comment by Sergei Golubchik [ 2017-09-18 ]

ok to push

Comment by Honza Horak [ 2017-11-17 ]

I'm puzzled here – from description it seems like writing to /tmp/wsrep_recovery.XXXXXX is not what we need, because of the SELinux. Yet it is the current implementation. I'm asking because I indeed see SELinux AVC on RHEL 6 with version 10.1.29.
It's also not clear to me what was wrong about original location $DATADIR/wsrep_recovery.XXXXXX. Can somebody explain to me, please?

Comment by Andrii Nikitin (Inactive) [ 2017-11-17 ]

hhorak In my understanding SELinux complains if mysqld is writing to /tmp ; after the patch it is mysqld_safe and galera_recovery scripts which use /tmp directly and SELinux should be OK with that. (because those scripts usually started by privileged user, while 'mysqld' process is started with context of 'mysql' user)

Comment by Sergei Golubchik [ 2017-11-18 ]

hhorak using $DATADIR/wsrep_recovery.XXXXXX works too. We just didn't want different scripts to use different solutions for the same problem. (And I hope we'll be able to remove the duplicate code and have only one copy of it)

Generated at Thu Feb 08 07:44:45 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-10767] /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context Created: 2016-09-07 Updated: 2020-08-25 Resolved: 2017-09-21