Hi, Clint!

On Jan 05, Clint Dilks wrote:
> Hi,
>
> Today I have updated a CentOS 6.8 system that has MariaDB-server installed from http://yum.mariadb.org/5.5/centos6-amd64 and found that I had an SELinux issue when I tried to restart the service.
>
> Using the information at https://wiki.centos.org/HowTos/SELinux I have created a local policy that seems to fix things
>
> module marialocal 1.0;
>
> require {
>         type mysqld_safe_t;
>         class capability { setuid setgid };
> }
>
> #============= mysqld_safe_t ==============
> allow mysqld_safe_t self:capability setgid;
> allow mysqld_safe_t self:capability setuid;
>
> This seems to fix things for me, but I thought I had better see if others are experiencing the same problem?

Yes, it's not only you. See, for example, https://jira.mariadb.org/browse/MDEV-11676 (although it is not about fixing the issue, only about a correct error message).

5.5.54 comes with a new helper binary that does setuid/setgid internally, that's why selinux is unhappy. This helper is used by mysqld_safe to drop root privileges before creating files, for example.

> It may be useful to know that the particular rpms are MariaDB-server-5.5.54-1.el6.x86_64 and selinux-policy-3.7.19-292.el6_8.2.noarch.
>
> If it is a bigger issue than just myself, should I report this somewhere else to see if we can get a fix added to the next MariaDB-server rpm?

What could a fix be?

* Include a new selinux policy into the rpm?
  - Is that possible?
* Don't do setuid/setgid and create files as root?
  - This would be dangerous from a security point of view
* Don't use a helper and use "su -c ..."?
  - It'll fill the syslog with noise.
* Any other option?

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
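
The two rules in the quoted local policy correspond to the setuid/setgid capability denials that the new helper triggers. As an added example (not part of the original thread and not MariaDB's code), the shell function below derives allow rules from AVC denial records for a single source domain, so a local module can be compared against what was actually denied; the log lines, PIDs and `comm` values are constructed, and on a real system `audit2allow` does this job.

```shell
#!/bin/sh
# Constructed audit.log sample: timestamps, PIDs and comm values are made up.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1483600000.101:501): avc:  denied  { setgid } for  pid=2101 comm="helper" capability=6  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1483600000.102:502): avc:  denied  { setuid } for  pid=2101 comm="helper" capability=7  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1483600000.103:503): avc:  denied  { setgid } for  pid=2102 comm="helper" capability=6  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1483600000.104:504): avc:  denied  { read } for  pid=2200 comm="other" name="x" dev=dm-0 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Print one allow rule per distinct denial whose source domain is $1.
# Reads audit records on stdin; a target equal to the source becomes "self".
avc_to_allow() {
    awk -v dom="$1" '
    /type=AVC/ && /denied/ {
        n = 0; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions sit between "{" and "}"
                for (j = i + 1; j <= NF && $j != "}"; j++) perms[++n] = $j
            }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != dom) next
        if (tgt == src) tgt = "self"
        for (k = 1; k <= n; k++) {
            rule = "allow " src " " tgt ":" cls " " perms[k] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# Stand-alone run: rules needed by the mysqld_safe_t domain in the sample.
sample_avc | avc_to_allow mysqld_safe_t
```

Any rule in a local module that this output does not account for grants more than the denials required and deserves a second look before the module is loaded.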