maria-developers team mailing list archive

Thread
Date

Re: 6a72d15: MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context

To: maria-developers@xxxxxxxxxxxxxxxxxxx
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Thu, 31 Aug 2017 14:10:47 +0200
Cc: sachin@xxxxxxxxxxx
In-reply-to: <20170831070116.D5809D211A7@sachin-desk.localdomain>
User-agent: Mutt/1.7.2 (2016-11-26)

Hi, Sachin!

On Aug 31, sachin wrote:
> revision-id: 6a72d154d6ec231eeff861496e4d07101ac41553 (mariadb-10.1.26-16-g6a72d15)
> parent(s): dda40b930498b70bb5546f857b27744039a5649d
> author: sachin
> committer: sachin
> timestamp: 2017-08-31 12:17:10 +0530
> message:
> 
> MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
> 
> Solution:- Allowed mysqld_t to open file with context initrc_tmp_t.

Why does the server need it?
I've only found scripts/galera_recovery.sh, that does:

log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
/usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --log-error="$log_file"

For that use case, I wouldn't bother with a new selinux policy, it'd be
safer to do

log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
/usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --disable-log-error 2>"$log_file"

Note, that the similar piece of code is used in mysqld_safe.sh, only
there it uses DATADIR/wsrep_recovery.XXXXXX, apparently somebody's
attempt to work around selinux. Better to make it identical to
galera_recovery.sh, I'd say.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

Follow ups

Re: 6a72d15: MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
From: Sachin Setiya, 2017-09-13