So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS because we use systemd services right? Thanks for clarifying Lukas On Sun, Mar 14, 2021 at 12:42 AM Daniel Black <daniel@mariadb.org> wrote:

This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968 where the setuid is only tried if mariadbd --user is specified.

This isn't the case with systemd service files (which set the user) https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in... where the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.

So maybe it is safe to drop the mysqld_t setgid setuid from the policy for the common case of a user running systemd service which also works if they are using memlock.

While we are looking at the list, assuming sys_resource maps to CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is done in the systemd service. in the server code this is capped anyway - https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42

sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid, -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are used. Maybe we should have https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE... instead. Advice welcome.

allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no longer used for large pages - anon mmap is used.

rw_fifo_file_perms - one test case created a fifo - mysql-test/main/log_errchk.test, the server has some code to handle if log files externally created are fifos, but it doesn't create them itself. galera code mentions fifo's a lot, however its an internal structure. Script https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh... mentios fifos, however this appears to just be using pv to rate limit.

https://github.com/MariaDB/server/pull/1553 is probably needed too.

I see https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules... probably covers https://github.com/MariaDB/server/pull/1131.

On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <serg@mariadb.org> wrote:

...

Hi, Lukas!

...

I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?

Yes, in the server. If the server is started with --memlock it does

mlockall(MCL_CURRENT)

to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall.

Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org

_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp

-- S pozdravom/ Best regards Lukáš Javorský Associate Software Engineer, Core service - Databases Red Hat <https://www.redhat.com> Purkyňova 115 (TPB-C) 612 00 Brno - Královo Pole ljavorsk@redhat.com <https://www.redhat.com>

1. /etc/my.cnf.d/mariadb-server.cnf contains log-error=/var/log/mariadb/mariadb.log

Without log-error set, the service will output to stdout/error and be captured by journald. Would this be better packaging for you?

This would help your outstanding rhbz on logrotation that I also haven't fixed upstream.

We have a lot of tests built on top of this behavior, also there are some known issues with logrotate, so we are not changing at this time, maybe it will be some future feature.

2. exec names now mariadb

in 10.4 we put mariadb names on executables a symlinks to mysql named binaries.

in 10.5 this was reverse.

This is a slow move to phase out these mysql names that I hope you can help with.

e.g. (10.4) ls -al /usr/libexec/mariadbd lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld

What would help significantly is if the mariadb names got into the selinux fc file.

In https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules..., I'm

With this the executables in the service could change.

I have created PR today and selinux is already handling it: https://github.com/fedora-selinux/selinux-policy/pull/641

2. mariadb.service

/usr/libexec/mysql-check-socket

is excessive - recent systemd won't allow a second process in the same cgroup when it has SendSIGKILL=no (https://github.com/systemd/systemd/issues/8630)

On other Start{Pre,Post} in the service would you consider changing the name to mariadb? Documentation="man:mariadbd(8)"

There's a fair few comments in https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in and its history that are probably relevant.

What are you suggesting? Thanks for help Lukas On Tue, Mar 16, 2021 at 1:13 PM Daniel Black <daniel@mariadb.org> wrote:

On Mon, Mar 15, 2021 at 10:31 PM Lukas Javorsky <ljavorsk@redhat.com> wrote:

...

So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS because we use systemd services right?

correct

Seems using mariadb memlock requires a LimitMEMLOCK too which needs extended documentation in https://mariadb.com/kb/en/systemd/.

Packaging / selinux related:

1. /etc/my.cnf.d/mariadb-server.cnf contains log-error=/var/log/mariadb/mariadb.log

Without log-error set, the service will output to stdout/error and be captured by journald. Would this be better packaging for you?

This would help your outstanding rhbz on logrotation that I also haven't fixed upstream.

2. exec names now mariadb

in 10.4 we put mariadb names on executables a symlinks to mysql named binaries.

in 10.5 this was reverse.

This is a slow move to phase out these mysql names that I hope you can help with.

e.g. (10.4) ls -al /usr/libexec/mariadbd lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld

What would help significantly is if the mariadb names got into the selinux fc file.

In https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules..., I'm

With this the executables in the service could change.

2. mariadb.service

/usr/libexec/mysql-check-socket

is excessive - recent systemd won't allow a second process in the same cgroup when it has SendSIGKILL=no (https://github.com/systemd/systemd/issues/8630)

On other Start{Pre,Post} in the service would you consider changing the name to mariadb? Documentation="man:mariadbd(8)"

There's a fair few comments in https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in and its history that are probably relevant.

selinux and the mariadb PAM probably need a test/investigation too.

Happy to help if I can.

Thanks for clarifying

...

Lukas

On Sun, Mar 14, 2021 at 12:42 AM Daniel Black <daniel@mariadb.org> wrote:

...

This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968 where the setuid is only tried if mariadbd --user is specified.

This isn't the case with systemd service files (which set the user) https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in... where the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.

So maybe it is safe to drop the mysqld_t setgid setuid from the policy for the common case of a user running systemd service which also works if they are using memlock.

While we are looking at the list, assuming sys_resource maps to CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is done in the systemd service. in the server code this is capped anyway - https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42

sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid, -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are used. Maybe we should have https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE... instead. Advice welcome.

allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no longer used for large pages - anon mmap is used.

rw_fifo_file_perms - one test case created a fifo - mysql-test/main/log_errchk.test, the server has some code to handle if log files externally created are fifos, but it doesn't create them itself. galera code mentions fifo's a lot, however its an internal structure. Script https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh... mentios fifos, however this appears to just be using pv to rate limit.

https://github.com/MariaDB/server/pull/1553 is probably needed too.

I see https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules... probably covers https://github.com/MariaDB/server/pull/1131.

On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <serg@mariadb.org> wrote:

...

Hi, Lukas!

...

I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?

Yes, in the server. If the server is started with --memlock it does

mlockall(MCL_CURRENT)

to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall.

Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org

_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp

-- S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavorsk@redhat.com <https://www.redhat.com>

-- S pozdravom/ Best regards Lukáš Javorský Associate Software Engineer, Core service - Databases Red Hat <https://www.redhat.com> Purkyňova 115 (TPB-C) 612 00 Brno - Královo Pole ljavorsk@redhat.com <https://www.redhat.com>