← Back to team overview

maria-developers team mailing list archive

Re: 6a72d15: MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context

 

Hi Sergei!

Thanks for review!.

On Thu, Aug 31, 2017 at 5:40 PM, Sergei Golubchik <serg@xxxxxxxxxxx> wrote:
> Hi, Sachin!
>
> On Aug 31, sachin wrote:
>> revision-id: 6a72d154d6ec231eeff861496e4d07101ac41553 (mariadb-10.1.26-16-g6a72d15)
>> parent(s): dda40b930498b70bb5546f857b27744039a5649d
>> author: sachin
>> committer: sachin
>> timestamp: 2017-08-31 12:17:10 +0530
>> message:
>>
>> MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed SELinux context
>>
>> Solution:- Allowed mysqld_t to open file with context initrc_tmp_t.
>
> Why does the server need it?
> I've only found scripts/galera_recovery.sh, that does:
>
> log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
> /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --log-error="$log_file"
>
> For that use case, I wouldn't bother with a new selinux policy, it'd be
> safer to do
>
> log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
> /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover --disable-log-error 2>"$log_file"
I have done this , but did not quite understand the meaning
>
> Note, that the similar piece of code is used in mysqld_safe.sh, only
> there it uses DATADIR/wsrep_recovery.XXXXXX, apparently somebody's
> attempt to work around selinux. Better to make it identical to
> galera_recovery.sh, I'd say.
>
> Regards,
> Sergei
> Chief Architect MariaDB
> and security@xxxxxxxxxxx
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-developers
> Post to     : maria-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-developers
> More help   : https://help.launchpad.net/ListHelp


All changes applied.

Please review the latest patch.

Revision-id: bd6986ea350048ee2825ef6b24d357dacfc12dbe
(mariadb-10.1.26-30-gbd6986e)
parent(s): 112d721a74c1f9dcf3321006418fd4abc2884751
author: sachin
committer: sachin
timestamp: 2017-09-11 17:46:56 +0530
message:

MDEV-10767 /tmp/wsrep_recovery.${RANDOM} file created in unallowed
SELinux context

Problem:- To create file in /tmp dir mysqld require permission initrc_tmp_t.
And mysqld does not have his permission.

Solution:- Instead of giving mysqld permission of initrc_tmp_t , we redirected
log to file in /tmp dir through shell. I also removed a earlier workarround
in mysqld_safe.sh , which create tmp log file in datadir.

---
 scripts/galera_recovery.sh | 2 +-
 scripts/mysqld_safe.sh     | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh
index d734ceb..de2e653 100644
--- a/scripts/galera_recovery.sh
+++ b/scripts/galera_recovery.sh
@@ -69,7 +69,7 @@ parse_arguments() {
 wsrep_recover_position() {
   # Redirect server's error log to the log file.
   eval /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover \
-    --log-error="$log_file"
+    --disable-log-error 2> "$log_file"
   ret=$?
   if [ $ret -ne 0 ]; then
     # Something went wrong, let us also print the error log so that it
diff --git a/scripts/mysqld_safe.sh b/scripts/mysqld_safe.sh
index e5708b5..5564f92 100644
--- a/scripts/mysqld_safe.sh
+++ b/scripts/mysqld_safe.sh
@@ -246,7 +246,7 @@ wsrep_recover_position() {
   local euid=$(id -u)
   local ret=0

-  local wr_logfile=$(mktemp $DATADIR/wsrep_recovery.XXXXXX)
+  local wr_logfile=$(mktemp wsrep_recovery.XXXXXX)

   # safety checks
   if [ -z $wr_logfile ]; then
@@ -264,11 +264,11 @@ wsrep_recover_position() {

   local wr_pidfile="$DATADIR/"`@HOSTNAME@`"-recover.pid"

-  local wr_options="--log_error='$wr_logfile' --pid-file='$wr_pidfile'"
+  local wr_options="--disable-log-error  --pid-file='$wr_pidfile'"

   log_notice "WSREP: Running position recovery with $wr_options"

-  eval_log_error "$mysqld_cmd --wsrep_recover $wr_options"
+  eval_log_error "$mysqld_cmd --wsrep_recover $wr_options 2> $wr_logfile"

   local rp="$(grep 'WSREP: Recovered position:' $wr_logfile)"
   if [ -z "$rp" ]; then

-- 
Regards
Sachin Setiya
Software Engineer at  MariaDB


References