
maria-discuss team mailing list archive

Re: Issue with MariaDB-server-5.5.54-1.el6.x86_64

 

Hi, Clint!

On Jan 05, Clint Dilks wrote:
> Hi,
> 
> Today I have updated a CentOS 6.8 system that has MariaDB-server
> installed from http://yum.mariadb.org/5.5/centos6-amd64 and found that
> I had an SELinux issue when I tried to restart the service.
> 
> Using the information at https://wiki.centos.org/HowTos/SELinux I have
> created a local policy that seems to fix things
> 
> module marialocal 1.0;
> 
> require {
>         type mysqld_safe_t;
>         class capability { setuid setgid };
> }
> 
> #============= mysqld_safe_t ==============
> 
> allow mysqld_safe_t self:capability setgid;
> allow mysqld_safe_t self:capability setuid;
> 
> This seems to fix things for me, but I thought I had better see if
> others are experiencing the same problem?

Yes, it's not only you. See, for example,
https://jira.mariadb.org/browse/MDEV-11676
(although it is not about fixing the issue,
only about a correct error message).

5.5.54 comes with a new helper binary that does setuid/setgid
internally, that's why SELinux is unhappy.

This helper is used by mysqld_safe to drop root privileges before
creating files, for example.

> It may be useful to know that the particular rpms are
> MariaDB-server-5.5.54-1.el6.x86_64 and
> selinux-policy-3.7.19-292.el6_8.2.noarch.
> 
> If it is a bigger issue than just myself, should I report this somewhere
> else to see if we can get a fix added to the next MariaDB-server rpm?

What could a fix be?

* Include a new SELinux policy in the rpm? - Is that possible?
* Don't do setuid/setgid and create files as root? - This would be
  dangerous from a security point of view
* Don't use a helper and use "su -c ..."? - It'll fill the syslog with
  noise.
* Any other option?

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

