[MDEV-15169] Provided SELinux FC/TE rules do not allow executing /usr/bin/wsrep_sst_* scripts Created: 2018-02-01  Updated: 2023-06-06  Resolved: 2023-06-06

Status: Closed
Project: MariaDB Server
Component/s: Galera, Galera SST, wsrep
Affects Version/s: 10.1.30
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Mathias Védrines Assignee: Julius Goryavsky
Resolution: Won't Fix Votes: 1
Labels: galera, patch, selinux, sst
Environment:

CentOS 7 with SELinux in enforcing mode
(MariaDB installed with packages from MariaDB YUM repo)

Attachments: File mariadb-server.te.diff    

 Description   

When using the 'mariadb-server' policy (files in /usr/share/mysql/policy/selinux from the MariaDB-server package):

  • mariadb-server.fc file gives type mysqld_safe_exec_t to /usr/bin/wsrep_* scripts
  • mariadb-server.te file makes no use of it, but allows needed calls for bin_t

$ grep mysqld_safe_exec_t mariadb-server.{fc,te}
 
mariadb-server.fc:/usr/bin/wsrep.*  -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)

Right after packages install, /usr/bin/wsrep_* have type bin_t so Galera SST can be performed successfully.

But after relabeling/restorecon, SST scripts get their mysqld_safe_exec_t type and Galera SST no longer works, showing denials like this:

type=AVC msg=audit(1517492933.954:1485): avc:  denied  { getattr } for  pid=5624 comm="sh" path="/usr/bin/wsrep_sst_rsync" dev="sda3" ino=295423 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:mysqld_safe_exec_t:s0 tclass=file

Could the attached patch represent the initial goal with labeling SST scripts as mysqld_safe_exec_t?

 Comments   
Comment by Daniel Black [ 2018-02-01 ]

Good start. Do ssts work with these changes?

Notes to do with selinux but not this bug:
mariadb-server.fc - missing label for mariabackup

Comment by Mathias Védrines [ 2018-02-02 ]

Hi Daniel, yes my SSTs do work with these changes.
I successfully tested rsync SST with patched policy yesterday, as well as mariabackup SST today.

Comment by Timofey Turenko [ 2021-10-29 ]

I can confirm for 10.3 CS:

type=AVC msg=audit(1635500516.442:1106): avc:  denied  { write } for  pid=13810 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
 
type=AVC msg=audit(1635501502.418:1164): avc:  denied  { write } for  pid=15100 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
 
type=AVC msg=audit(1635501564.218:1483): avc:  denied  { write } for  pid=16996 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0

and it is not reproducible with 10.5 ES

Comment by Timofey Turenko [ 2021-10-29 ]

10.4 ES, Galera4:

Failed to start node1
 
---------- BEGIN LOGS ----------
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: or misconfigured. This error can also be caused by malfunctioning hardware.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: We will try our best to scrape up some info that will hopefully help
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: diagnose the problem, but since we have already crashed,
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: something is definitely wrong and this may fail.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Server version: 10.4.21-13-MariaDB-enterprise-log
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: key_buffer_size=134217728
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: read_buffer_size=131072
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: max_used_connections=0
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: max_threads=153
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: thread_count=4
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: It is possible that mysqld could use up to
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467776 K  bytes of memory
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Hope that's ok; if not, decrease some variables in the equation.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Thread pointer: 0x7f2bc0000a88
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: Attempting backtrace. You can use the following information to find out
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: where mysqld died. If you see no messages after this, something went
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: terribly wrong...
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Warning] WSREP: Failed to prepare for incremental state transfer: Failed to open IST listener at tcp://10.166.0.2:4568', asio error 'Failed to listen: bind: Permission denied: 13 (Permission denied)
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: at /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/galerautils/src/gu_asio_stream_react.cpp:listen():746': 13 (Permission denied)
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: at /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/galera/src/ist.cpp:prepare():325. IST will be unavailable.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: stack_bottom = 0x7f2bd8f55ab0 thread_stack 0x49000
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: Member 1.0 (galera001) requested state transfer from '*any*'. Selected 0.0 (galera000)(SYNCED) as donor.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: Shifting PRIMARY -> JOINER (TO: 2)
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: Requesting state transfer: success, donor: 0
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: Resetting GCache seqno map due to different histories.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 2 [Note] WSREP: GCache history reset: 00000000-0000-0000-0000-000000000000:0 -> 6de3b865-38a3-11ec-989f-ffe73aa5c715:2
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Warning] WSREP: 0.0 (galera000): State transfer to 1.0 (galera001) failed: -42 (No message of desired type)
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [ERROR] WSREP: /home/jenkins/workspace/es-galera-4-RPM/label/rhel-7/gcs/src/gcs_group.cpp:gcs_group_handle_join_msg():1205: Will never receive state. Need to abort.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: terminating thread
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: joining thread
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: 2021-10-29 12:32:30 0 [Note] WSREP: gcomm: closing backend
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(my_print_stacktrace+0x2e)[0x55a84ac8059e]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(handle_fatal_signal+0x30f)[0x55a84a6f97cf]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: sigaction.c:0(__restore_rt)[0x7f2bf5a45630]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: :0(__GI_raise)[0x7f2bf4e90387]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: :0(__GI_abort)[0x7f2bf4e91a78]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(_ZN9__gnu_cxx27__verbose_terminate_handlerEv+0x165)[0x7f2bf558aa95]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ea06)[0x7f2bf5588a06]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ea33)[0x7f2bf5588a33]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libstdc++.so.6(+0x5ec53)[0x7f2bf5588c53]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(_ZN5wsrep12server_state12sst_receivedERNS_14client_serviceEi+0xe11)[0x55a84ad13241]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(+0x84af18)[0x55a84a662f18]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /usr/sbin/mysqld(+0x84d3fe)[0x55a84a6653fe]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: pthread_create.c:0(start_thread)[0x7f2bf5a3dea5]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 mysqld[16763]: /lib64/libc.so.6(clone+0x6d)[0x7f2bf4f58b0d]
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: mariadb.service: main process exited, code=killed, status=6/ABRT
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: Failed to start MariaDB 10.4.21-13 database server.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: Unit mariadb.service entered failed state.
 
Oct 29 12:32:30 mdbci-vg1crdp2-1635503059-galera-001 systemd[1]: mariadb.service failed.----------- END LOGS -----------
 
Job for mariadb.service failed because a fatal signal was delivered to the control process. See "systemctl status mariadb.service" and "journalctl -xe" for details.
 
Redirecting to /bin/systemctl start mysql.service
 
Failed to start mysql.service: Unit not found.

other nodes did not crash. Audit log does not have any "denied" on the first node_, but other nodes have:

sudo cat /var/log/audit/audit.log | grep den
 
type=AVC msg=audit(1635503554.398:2086): avc:  denied  { setpgid } for  pid=16942 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0
 
type=AVC msg=audit(1635503554.402:2087): avc:  denied  { name_bind } for  pid=16944 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0
 
type=AVC msg=audit(1635503589.703:2088): avc:  denied  { name_bind } for  pid=16765 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
 
type=AVC msg=audit(1635503598.434:2113): avc:  denied  { setpgid } for  pid=17952 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0
 
type=AVC msg=audit(1635503598.438:2114): avc:  denied  { name_bind } for  pid=17954 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0
 
type=AVC msg=audit(1635503633.726:2115): avc:  denied  { name_bind } for  pid=17776 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
 
type=AVC msg=audit(1635503642.643:2120): avc:  denied  { setpgid } for  pid=18937 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0
 
type=AVC msg=audit(1635503642.647:2121): avc:  denied  { name_bind } for  pid=18939 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0
 
type=AVC msg=audit(1635503677.923:2122): avc:  denied  { name_bind } for  pid=18762 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
 
type=AVC msg=audit(1635503686.437:2127): avc:  denied  { setpgid } for  pid=19923 comm="timeout" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=process permissive=0
 
type=AVC msg=audit(1635503686.440:2128): avc:  denied  { name_bind } for  pid=19925 comm="socat" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=0
 
type=AVC msg=audit(1635503721.737:2152): avc:  denied  { name_bind } for  pid=19748 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Comment by Timofey Turenko [ 2021-10-29 ]

10.2 CS, Selinux is switched to Permissive mode:

type=AVC msg=audit(1635510380.471:1565): avc:  denied  { write } for  pid=18307 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
 
type=AVC msg=audit(1635510380.471:1565): avc:  denied  { add_name } for  pid=18307 comm="mktemp" name="wsrep_recovery.RPBfoe" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
 
type=AVC msg=audit(1635510380.471:1565): avc:  denied  { create } for  pid=18307 comm="mktemp" name="wsrep_recovery.RPBfoe" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510380.471:1565): avc:  denied  { write } for  pid=18307 comm="mktemp" path="/tmp/wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510380.473:1566): avc:  denied  { setattr } for  pid=18308 comm="chmod" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510380.480:1567): avc:  denied  { write } for  pid=18313 comm="mysqld" path="/tmp/wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510382.256:1568): avc:  denied  { remove_name } for  pid=18353 comm="rm" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
 
type=AVC msg=audit(1635510382.256:1568): avc:  denied  { unlink } for  pid=18353 comm="rm" name="wsrep_recovery.RPBfoe" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510532.450:1931): avc:  denied  { write } for  pid=20385 comm="mktemp" name="tmp" dev="sda2" ino=16777317 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
 
type=AVC msg=audit(1635510532.450:1931): avc:  denied  { add_name } for  pid=20385 comm="mktemp" name="wsrep_recovery.jPcblI" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
 
type=AVC msg=audit(1635510532.450:1931): avc:  denied  { create } for  pid=20385 comm="mktemp" name="wsrep_recovery.jPcblI" scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510532.450:1931): avc:  denied  { write } for  pid=20385 comm="mktemp" path="/tmp/wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510532.452:1932): avc:  denied  { setattr } for  pid=20386 comm="chmod" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510532.460:1933): avc:  denied  { write } for  pid=20391 comm="mysqld" path="/tmp/wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
 
type=AVC msg=audit(1635510534.299:1934): avc:  denied  { remove_name } for  pid=20432 comm="rm" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
 
type=AVC msg=audit(1635510534.299:1934): avc:  denied  { unlink } for  pid=20432 comm="rm" name="wsrep_recovery.jPcblI" dev="sda2" ino=16777762 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

Comment by Jan Lindström [ 2023-06-06 ]

10.1 is EOL.

Generated at Thu Feb 08 08:19:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.