[Maria-discuss] Why does MariaDB needs SELinux capability for setuid/setgid?
Hi guys, I'm looking into SELinux in Fedora's MariaDB package and I can see that we have two types in MariaDB that have setuid/setgid capability. 1st: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules... 2nd: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules... My question is, does mysqld_t need to have this capability? I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions? Thank you for letting me know Lukas -- S pozdravom/ Best regards Lukáš Javorský Associate Software Engineer, Core service - Databases Red Hat https://www.redhat.com Purkyňova 115 (TPB-C) 612 00 Brno - Královo Pole ljavorsk@redhat.com https://www.redhat.com
Hi, Lukas!
I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?
Yes, in the server. If the server is started with --memlock it does mlockall(MCL_CURRENT) to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall. Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968
where the setuid is only tried if mariadbd --user is specified.
This isn't the case with systemd service files (which set the user)
https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in...
where
the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
So maybe it is safe to drop the mysqld_t setgid setuid from the policy for
the common case of a user running systemd service which also works if they
are using memlock.
While we are looking at the list, assuming sys_resource maps to
CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
done in the systemd service.
in the server code this is capped anyway -
https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid,
-20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are
used.
Maybe we should have
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE...
instead. Advice welcome.
allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no
longer used for large pages - anon mmap is used.
rw_fifo_file_perms - one test case created a fifo -
mysql-test/main/log_errchk.test, the server has some code to handle if log
files externally created are fifos, but it doesn't create them itself.
galera code mentions fifo's a lot, however its an internal structure.
Script
https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh...
mentios fifos, however this
appears to just be using pv to rate limit.
https://github.com/MariaDB/server/pull/1553 is probably needed too.
I see
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules...
probably covers https://github.com/MariaDB/server/pull/1131.
On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik
Hi, Lukas!
I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?
Yes, in the server. If the server is started with --memlock it does
mlockall(MCL_CURRENT)
to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall.
Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS
because we use systemd services right?
Thanks for clarifying
Lukas
On Sun, Mar 14, 2021 at 12:42 AM Daniel Black
This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968 where the setuid is only tried if mariadbd --user is specified.
This isn't the case with systemd service files (which set the user) https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in... where the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
So maybe it is safe to drop the mysqld_t setgid setuid from the policy for the common case of a user running systemd service which also works if they are using memlock.
While we are looking at the list, assuming sys_resource maps to CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is done in the systemd service. in the server code this is capped anyway - https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid, -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are used. Maybe we should have https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE... instead. Advice welcome.
allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no longer used for large pages - anon mmap is used.
rw_fifo_file_perms - one test case created a fifo - mysql-test/main/log_errchk.test, the server has some code to handle if log files externally created are fifos, but it doesn't create them itself. galera code mentions fifo's a lot, however its an internal structure. Script https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh... mentios fifos, however this appears to just be using pv to rate limit.
https://github.com/MariaDB/server/pull/1553 is probably needed too.
I see https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules... probably covers https://github.com/MariaDB/server/pull/1131.
On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik
wrote: Hi, Lukas!
I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?
Yes, in the server. If the server is started with --memlock it does
mlockall(MCL_CURRENT)
to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall.
Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
-- S pozdravom/ Best regards Lukáš Javorský Associate Software Engineer, Core service - Databases Red Hat https://www.redhat.com Purkyňova 115 (TPB-C) 612 00 Brno - Královo Pole ljavorsk@redhat.com https://www.redhat.com
On Mon, Mar 15, 2021 at 10:31 PM Lukas Javorsky
So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS because we use systemd services right?
correct Seems using mariadb memlock requires a LimitMEMLOCK too which needs extended documentation in https://mariadb.com/kb/en/systemd/. Packaging / selinux related: 1. /etc/my.cnf.d/mariadb-server.cnf contains log-error=/var/log/mariadb/mariadb.log Without log-error set, the service will output to stdout/error and be captured by journald. Would this be better packaging for you? This would help your outstanding rhbz on logrotation that I also haven't fixed upstream. 2. exec names now mariadb in 10.4 we put mariadb names on executables a symlinks to mysql named binaries. in 10.5 this was reverse. This is a slow move to phase out these mysql names that I hope you can help with. e.g. (10.4) ls -al /usr/libexec/mariadbd lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld What would help significantly is if the mariadb names got into the selinux fc file. In https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules..., I'm With this the executables in the service could change. 2. mariadb.service /usr/libexec/mysql-check-socket is excessive - recent systemd won't allow a second process in the same cgroup when it has SendSIGKILL=no (https://github.com/systemd/systemd/issues/8630) On other Start{Pre,Post} in the service would you consider changing the name to mariadb? Documentation="man:mariadbd(8)" There's a fair few comments in https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in and its history that are probably relevant. selinux and the mariadb PAM probably need a test/investigation too. Happy to help if I can. Thanks for clarifying
Lukas
On Sun, Mar 14, 2021 at 12:42 AM Daniel Black
wrote: This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968 where the setuid is only tried if mariadbd --user is specified.
This isn't the case with systemd service files (which set the user) https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in... where the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
So maybe it is safe to drop the mysqld_t setgid setuid from the policy for the common case of a user running systemd service which also works if they are using memlock.
While we are looking at the list, assuming sys_resource maps to CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is done in the systemd service. in the server code this is capped anyway - https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid, -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are used. Maybe we should have https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE... instead. Advice welcome.
allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no longer used for large pages - anon mmap is used.
rw_fifo_file_perms - one test case created a fifo - mysql-test/main/log_errchk.test, the server has some code to handle if log files externally created are fifos, but it doesn't create them itself. galera code mentions fifo's a lot, however its an internal structure. Script https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh... mentios fifos, however this appears to just be using pv to rate limit.
https://github.com/MariaDB/server/pull/1553 is probably needed too.
I see https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules... probably covers https://github.com/MariaDB/server/pull/1131.
On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik
wrote: Hi, Lukas!
I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?
Yes, in the server. If the server is started with --memlock it does
mlockall(MCL_CURRENT)
to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall.
Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
-- S pozdravom/ Best regards
Lukáš Javorský
Associate Software Engineer, Core service - Databases
Red Hat https://www.redhat.com
Purkyňova 115 (TPB-C)
612 00 Brno - Královo Pole
ljavorsk@redhat.com https://www.redhat.com
1. /etc/my.cnf.d/mariadb-server.cnf contains log-error=/var/log/mariadb/mariadb.log
Without log-error set, the service will output to stdout/error and be captured by journald. Would this be better packaging for you?
This would help your outstanding rhbz on logrotation that I also haven't fixed upstream.
We have a lot of tests built on top of this behavior, also there are some known issues with logrotate, so we are not changing at this time, maybe it will be some future feature.
2. exec names now mariadb
in 10.4 we put mariadb names on executables a symlinks to mysql named binaries.
in 10.5 this was reverse.
This is a slow move to phase out these mysql names that I hope you can help with.
e.g. (10.4) ls -al /usr/libexec/mariadbd lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld
What would help significantly is if the mariadb names got into the selinux fc file.
In https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules..., I'm
With this the executables in the service could change.
I have created PR today and selinux is already handling it: https://github.com/fedora-selinux/selinux-policy/pull/641
2. mariadb.service
/usr/libexec/mysql-check-socket
is excessive - recent systemd won't allow a second process in the same cgroup when it has SendSIGKILL=no (https://github.com/systemd/systemd/issues/8630)
On other Start{Pre,Post} in the service would you consider changing the name to mariadb? Documentation="man:mariadbd(8)"
There's a fair few comments in https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in and its history that are probably relevant.
What are you suggesting?
Thanks for help
Lukas
On Tue, Mar 16, 2021 at 1:13 PM Daniel Black
On Mon, Mar 15, 2021 at 10:31 PM Lukas Javorsky
wrote: So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS because we use systemd services right?
correct
Seems using mariadb memlock requires a LimitMEMLOCK too which needs extended documentation in https://mariadb.com/kb/en/systemd/.
Packaging / selinux related:
1. /etc/my.cnf.d/mariadb-server.cnf contains log-error=/var/log/mariadb/mariadb.log
Without log-error set, the service will output to stdout/error and be captured by journald. Would this be better packaging for you?
This would help your outstanding rhbz on logrotation that I also haven't fixed upstream.
2. exec names now mariadb
in 10.4 we put mariadb names on executables a symlinks to mysql named binaries.
in 10.5 this was reverse.
This is a slow move to phase out these mysql names that I hope you can help with.
e.g. (10.4) ls -al /usr/libexec/mariadbd lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld
What would help significantly is if the mariadb names got into the selinux fc file.
In https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules..., I'm
With this the executables in the service could change.
2. mariadb.service
/usr/libexec/mysql-check-socket
is excessive - recent systemd won't allow a second process in the same cgroup when it has SendSIGKILL=no (https://github.com/systemd/systemd/issues/8630)
On other Start{Pre,Post} in the service would you consider changing the name to mariadb? Documentation="man:mariadbd(8)"
There's a fair few comments in https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in and its history that are probably relevant.
selinux and the mariadb PAM probably need a test/investigation too.
Happy to help if I can.
Thanks for clarifying
Lukas
On Sun, Mar 14, 2021 at 12:42 AM Daniel Black
wrote: This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968 where the setuid is only tried if mariadbd --user is specified.
This isn't the case with systemd service files (which set the user) https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in... where the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
So maybe it is safe to drop the mysqld_t setgid setuid from the policy for the common case of a user running systemd service which also works if they are using memlock.
While we are looking at the list, assuming sys_resource maps to CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is done in the systemd service. in the server code this is capped anyway - https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid, -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are used. Maybe we should have https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE... instead. Advice welcome.
allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no longer used for large pages - anon mmap is used.
rw_fifo_file_perms - one test case created a fifo - mysql-test/main/log_errchk.test, the server has some code to handle if log files externally created are fifos, but it doesn't create them itself. galera code mentions fifo's a lot, however its an internal structure. Script https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh... mentios fifos, however this appears to just be using pv to rate limit.
https://github.com/MariaDB/server/pull/1553 is probably needed too.
I see https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules... probably covers https://github.com/MariaDB/server/pull/1131.
On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik
wrote: Hi, Lukas!
I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?
Yes, in the server. If the server is started with --memlock it does
mlockall(MCL_CURRENT)
to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall.
Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
-- S pozdravom/ Best regards
Lukáš Javorský
Associate Software Engineer, Core service - Databases
Red Hat https://www.redhat.com
Purkyňova 115 (TPB-C)
612 00 Brno - Královo Pole
ljavorsk@redhat.com https://www.redhat.com
-- S pozdravom/ Best regards Lukáš Javorský Associate Software Engineer, Core service - Databases Red Hat https://www.redhat.com Purkyňova 115 (TPB-C) 612 00 Brno - Královo Pole ljavorsk@redhat.com https://www.redhat.com
participants (3)
-
Daniel Black
-
Lukas Javorsky
-
Sergei Golubchik