maria-discuss team mailing list archive

Thread
Date

Why does MariaDB needs SELinux capability for setuid/setgid?

To: maria-discuss@xxxxxxxxxxxxxxxxxxx
From: Lukas Javorsky <ljavorsk@xxxxxxxxxx>
Date: Fri, 12 Mar 2021 10:56:28 +0100
Authentication-results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ljavorsk@xxxxxxxxxx

Hi guys,

I'm looking into SELinux in Fedora's MariaDB package and I can see that we
have two types in MariaDB that have setuid/setgid capability.

1st:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L70

2nd:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L199

My question is, does mysqld_t need to have this capability?

I found that setuid/setgid is used inside mysqld_safe_helper
(mariadbd-safe-helper).
Are there any other cases when MariaDB uses these functions?

Thank you for letting me know
Lukas

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavorsk@xxxxxxxxxx
<https://www.redhat.com>

Follow ups

Re: Why does MariaDB needs SELinux capability for setuid/setgid?
From: Sergei Golubchik, 2021-03-12