[MDEV-24277] policy support files missing from "our" Ubuntu packages Created: 2020-11-25  Updated: 2021-04-05

Status: Stalled
Project: MariaDB Server
Component/s: Packaging, Platform Debian
Affects Version/s: 10.4.17, 10.5.8
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Major
Reporter: Hartmut Holzgraefe Assignee: Otto Kekäläinen
Resolution: Unresolved Votes: 0
Labels: None


Description

Original MariaDB mariadb-server Ubuntu packages install SELinux and AppArmor policy templates from the GitHub support-files/policy source folder to /usr/share/mysql/policy.

Our own mariadb-server packages do not include these files, so when switching from distro packages to our own, this information is lost.



Comments
Comment by Sergei Golubchik [ 2021-01-26 ]

What version is it?

Comment by Hartmut Holzgraefe [ 2021-01-26 ]

Original customer support was for 10.4; it is the same for latest 10.5 still.

Comment by Otto Kekäläinen [ 2021-04-04 ]

We have the following files in 10.5 sources:

support-files/policy
support-files/policy/selinux
support-files/policy/selinux/mariadb.te
support-files/policy/selinux/mariadb-server.te
support-files/policy/selinux/mariadb-server.fc
support-files/policy/selinux/README
support-files/policy/apparmor
support-files/policy/apparmor/usr.sbin.mysqld.local
support-files/policy/apparmor/usr.sbin.mysqld
support-files/policy/apparmor/README

These are practically unmaintained; there is nobody testing or updating the SELinux or AppArmor profiles, thus they are very likely to stop the server from doing completely valid things as the system access whitelists are outdated.

± git log --format="%Cgreen%ci%Creset <%aE> %s" --since=2015-01-01 support-files/policy/
2020-08-24 19:09:37 +1000 <daniel@mariadb.org> MDEV-18841: /var/run -> /run for apparmor/systemd service
2020-06-16 12:59:30 +0300 <otto@kekalainen.net> MDEV-22569: Run bin/mariadbd instead of bin/mysqld
2019-01-22 13:28:03 +0100 <sysprg@gmail.com> MDEV-17835: Remove wsrep-sst-method=xtrabackup
2018-06-21 23:47:39 +0200 <serg@mariadb.org> Merge branch '10.1' into 10.2
2018-06-12 19:39:37 +0300 <vicentiu@mariadb.org> Merge branch '10.0-galera' into 10.1
2017-09-18 22:04:42 +0400 <agx@sigxcpu.org> apparmor: allow to read /etc/mysql/mariadb.conf.d/*
2017-01-17 20:16:01 +0100 <serg@mariadb.org> selinux fixes for 10.0->10.1 merge
2017-01-17 04:16:38 +0200 <vicentiu@mariadb.org> Post merge review fixes
2015-09-04 10:32:02 +0200 <serg@mariadb.org> package new SELinux/AppArmor policies instead of old ones

In my opinion we should not ship these. If some distro is shipping them, I guess they have their own versions that they are maintaining. The priority would be to encourage them to submit their updated SELinux or AppArmor policies upstream first.

We should ship these only once the policy files are indeed up-to-date and preferably also used somewhere to run MTR or other testing to validate that they work at least in the most basic use case.

Comment by Sergei Golubchik [ 2021-04-05 ]

mariadb.te is supported, maintained, and installed.
mariadb-server.te and mariadb-server.fc aren't and should be deleted.
apparmor files — in debian/not-installed, so, I suppose, not installed.
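An added check, not part of this ticket or of the MariaDB packaging, for anyone verifying whether a package switch dropped the policy files: a POSIX sh script that reports which of the files from the 10.5 support-files/policy listing above are absent from an installed prefix. The prefix /usr/share/mysql/policy comes from the description; treating all seven files as expected is an assumption (the last comment notes that some are not installed or are slated for deletion), and the dpkg lookup is only a convenience for tracing a missing directory to a package.

```shell
#!/bin/sh
# Added check (not MariaDB project code): report which SELinux/AppArmor
# policy files are missing under an install prefix. File list mirrors
# support-files/policy in the 10.5 sources; expecting all of them is an
# assumption, as is the default prefix /usr/share/mysql/policy.

# Relative paths under the policy directory (from support-files/policy).
POLICY_FILES="selinux/mariadb.te
selinux/mariadb-server.te
selinux/mariadb-server.fc
selinux/README
apparmor/usr.sbin.mysqld.local
apparmor/usr.sbin.mysqld
apparmor/README"

# check_policy_files DIR
# Prints one line per missing file and returns the number of missing files
# (0 means everything listed is present).
check_policy_files() {
    dir=$1
    missing=0
    for rel in $POLICY_FILES; do
        if [ ! -f "$dir/$rel" ]; then
            echo "missing: $dir/$rel"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# owning_package PATH
# On Debian/Ubuntu, prints the package(s) that ship PATH, so a missing
# policy directory can be traced to the package switch described above.
owning_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1 | sort -u
    fi
}

# Stand-alone use: check the real prefix, or a directory given as $1.
check_policy_files "${1:-/usr/share/mysql/policy}" || echo "$? file(s) missing"
```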
