Re: [Maria-developers] 6a72d15: MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
Hi, Sachin! On Aug 31, sachin wrote:
revision-id: 6a72d154d6ec231eeff861496e4d07101ac41553 (mariadb-10.1.26-16-g6a72d15) parent(s): dda40b930498b70bb5546f857b27744039a5649d author: sachin committer: sachin timestamp: 2017-08-31 12:17:10 +0530 message:
MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
Solution:- Allowed mysqld_t to open file with context initrc_tmp_t.
Why does the server need it? I've only found scripts/galera_recovery.sh, that does: log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX) /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --log-error="$log_file" For that use case, I wouldn't bother with a new selinux policy, it'd be safer to do log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX) /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --disable-log-error 2>"$log_file" Note, that the similar piece of code is used in mysqld_safe.sh, only there it uses DATADIR/wsrep_recovery.XXXXXX, apparently somebody's attempt to work around selinux. Better to make it identical to galera_recovery.sh, I'd say. Regards, Sergei Chief Architect MariaDB and security@mariadb.org
Hi Sergei!
Thanks for review!.
On Thu, Aug 31, 2017 at 5:40 PM, Sergei Golubchik
Hi, Sachin!
On Aug 31, sachin wrote:
revision-id: 6a72d154d6ec231eeff861496e4d07101ac41553 (mariadb-10.1.26-16-g6a72d15) parent(s): dda40b930498b70bb5546f857b27744039a5649d author: sachin committer: sachin timestamp: 2017-08-31 12:17:10 +0530 message:
MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
Solution:- Allowed mysqld_t to open file with context initrc_tmp_t.
Why does the server need it? I've only found scripts/galera_recovery.sh, that does:
log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX) /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --log-error="$log_file"
For that use case, I wouldn't bother with a new selinux policy, it'd be safer to do
log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX) /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --disable-log-error 2>"$log_file" I have done this , but did not quite understand the meaning
Note, that the similar piece of code is used in mysqld_safe.sh, only there it uses DATADIR/wsrep_recovery.XXXXXX, apparently somebody's attempt to work around selinux. Better to make it identical to galera_recovery.sh, I'd say.
Regards, Sergei Chief Architect MariaDB and security@mariadb.org
_______________________________________________ Mailing list: https://launchpad.net/~maria-developers Post to : maria-developers@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-developers More help : https://help.launchpad.net/ListHelp
All changes applied. Please review the latest patch. Revision-id: bd6986ea350048ee2825ef6b24d357dacfc12dbe (mariadb-10.1.26-30-gbd6986e) parent(s): 112d721a74c1f9dcf3321006418fd4abc2884751 author: sachin committer: sachin timestamp: 2017-09-11 17:46:56 +0530 message: MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context Problem:- To create file in /tmp dir mysqld require permission initrc_tmp_t. And mysqld does not have his permission. Solution:- Instead of giving mysqld permission of initrc_tmp_t , we redirected log to file in /tmp dir through shell. I also removed a earlier workarround in mysqld_safe.sh , which create tmp log file in datadir. --- scripts/galera_recovery.sh | 2 +- scripts/mysqld_safe.sh | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh index d734ceb..de2e653 100644 --- a/scripts/galera_recovery.sh +++ b/scripts/galera_recovery.sh @@ -69,7 +69,7 @@ parse_arguments() { wsrep_recover_position() { # Redirect server's error log to the log file. eval /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover \ - --log-error="$log_file" + --disable-log-error 2> "$log_file" ret=$? if [ $ret -ne 0 ]; then # Something went wrong, let us also print the error log so that it diff --git a/scripts/mysqld_safe.sh b/scripts/mysqld_safe.sh index e5708b5..5564f92 100644 --- a/scripts/mysqld_safe.sh +++ b/scripts/mysqld_safe.sh @@ -246,7 +246,7 @@ wsrep_recover_position() { local euid=$(id -u) local ret=0 - local wr_logfile=$(mktemp $DATADIR/wsrep_recovery.XXXXXX) + local wr_logfile=$(mktemp wsrep_recovery.XXXXXX) # safety checks if [ -z $wr_logfile ]; then @@ -264,11 +264,11 @@ wsrep_recover_position() { local wr_pidfile="$DATADIR/"`@HOSTNAME@`"-recover.pid" - local wr_options="--log_error='$wr_logfile' --pid-file='$wr_pidfile'" + local wr_options="--disable-log-error --pid-file='$wr_pidfile'" log_notice "WSREP: Running position recovery with $wr_options" - eval_log_error "$mysqld_cmd --wsrep_recover $wr_options" + eval_log_error "$mysqld_cmd --wsrep_recover $wr_options 2> $wr_logfile" local rp="$(grep 'WSREP: Recovered position:' $wr_logfile)" if [ -z "$rp" ]; then -- Regards Sachin Setiya Software Engineer at MariaDB
participants (2)
-
Sachin Setiya -
Sergei Golubchik