Hi, Sachin!

On Aug 31, sachin wrote:
revision-id: 6a72d154d6ec231eeff861496e4d07101ac41553 (mariadb-10.1.26-16-g6a72d15)
parent(s): dda40b930498b70bb5546f857b27744039a5649d
author: sachin
committer: sachin
timestamp: 2017-08-31 12:17:10 +0530
message:

MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
Solution:- Allowed mysqld_t to open file with context initrc_tmp_t.

Why does the server need it? I've only found scripts/galera_recovery.sh, that does:

    log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
    /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --log-error="$log_file"

For that use case, I wouldn't bother with a new selinux policy, it'd be safer to do

    log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
    /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --disable-log-error 2>"$log_file"

Note, that the similar piece of code is used in mysqld_safe.sh, only there it uses DATADIR/wsrep_recovery.XXXXXX, apparently somebody's attempt to work around selinux. Better to make it identical to galera_recovery.sh, I'd say.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org