← Back to team overview

maria-developers team mailing list archive

Re: 6a72d15: MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context


Hi, Sachin!

On Aug 31, sachin wrote:
> revision-id: 6a72d154d6ec231eeff861496e4d07101ac41553 (mariadb-10.1.26-16-g6a72d15)
> parent(s): dda40b930498b70bb5546f857b27744039a5649d
> author: sachin
> committer: sachin
> timestamp: 2017-08-31 12:17:10 +0530
> message:
> MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
> Solution:- Allowed mysqld_t to open file with context initrc_tmp_t.

Why does the server need it?
I've only found scripts/galera_recovery.sh, that does:

log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
/usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --log-error="$log_file"

For that use case, I wouldn't bother with a new selinux policy, it'd be
safer to do

log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
/usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --disable-log-error 2>"$log_file"

Note, that the similar piece of code is used in mysqld_safe.sh, only
there it uses DATADIR/wsrep_recovery.XXXXXX, apparently somebody's
attempt to work around selinux. Better to make it identical to
galera_recovery.sh, I'd say.

Chief Architect MariaDB
and security@xxxxxxxxxxx

Follow ups