maria-discuss team mailing list archive

Re: Why does MariaDB needs SELinux capability for setuid/setgid?

 

This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968
where the setuid is only tried if mariadbd --user is specified.

This isn't the case with systemd service files (which set the user)
https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50
where the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.

So maybe it is safe to drop the mysqld_t setgid setuid from the policy for
the common case of a user running systemd service which also works if they
are using memlock.

While we are looking at the list, assuming sys_resource maps to
CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
done in the systemd service.
In the server code this is capped anyway -
https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42

sys_nice - seems to be related to an InnoDB setpriority(PRIO_PROCESS, tid,
-20), which isn't fatal if it doesn't succeed. No other CAP_SYS_NICE are
used.
Maybe we should have
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE=
instead. Advice welcome.

allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no
longer used for large pages - anon mmap is used.

rw_fifo_file_perms - one test case created a fifo -
mysql-test/main/log_errchk.test, the server has some code to handle if log
files externally created are fifos, but it doesn't create them itself.
Galera code mentions fifos a lot, however it's an internal structure.
Script
https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh#L454
mentions fifos, however this appears to just be using pv to rate limit.

https://github.com/MariaDB/server/pull/1553 is probably needed too.

I see
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L106
probably covers https://github.com/MariaDB/server/pull/1131.




On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <serg@xxxxxxxxxxx> wrote:

> Hi, Lukas!
>
> > I found that setuid/setgid is used inside mysqld_safe_helper
> > (mariadbd-safe-helper).
> > Are there any other cases when MariaDB uses these functions?
>
> Yes, in the server. If the server is started with --memlock it does
>
>   mlockall(MCL_CURRENT)
>
> to prevent itself from being swapped. This needs root, and the server
> uses setuid/setgid to drop root privileges after mlockall.
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and security@xxxxxxxxxxx
>
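Added example, not part of the original message or of MariaDB's code: a small audit that decodes the capability masks in `/proc/<pid>/status` and reports which of the capabilities named in this thread (setgid, setuid, ipc_lock, sys_nice, sys_resource) a running server actually holds. The sample status texts and the function names are constructed for illustration; the bit numbers are those of `<linux/capability.h>`.

```python
"""Report which capabilities named in this thread a process holds."""
import re
import sys

# Bit numbers from <linux/capability.h>
THREAD_CAPS = {
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_IPC_LOCK": 14,
    "CAP_SYS_NICE": 23,
    "CAP_SYS_RESOURCE": 24,
}

# Constructed samples of the Cap* lines in /proc/<pid>/status.
# Assumption: a service started as an unprivileged user with only CAP_IPC_LOCK.
SAMPLE_SERVICE = "Name:\tmariadbd\nCapPrm:\t0000000000004000\nCapEff:\t0000000000004000\n"
# Assumption: a server started by root that has not dropped privileges yet.
SAMPLE_ROOT = "Name:\tmariadbd\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"

def parse_cap_masks(status_text):
    """Map each Cap* field (CapInh, CapPrm, CapEff, CapBnd, CapAmb) to an int."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def held_caps(status_text, field="CapEff"):
    """Names of the thread's capabilities that are set in the given mask."""
    masks = parse_cap_masks(status_text)
    if field not in masks:
        raise ValueError(f"{field} not found in status text")
    return sorted(n for n, bit in THREAD_CAPS.items() if masks[field] >> bit & 1)

def can_switch_user(status_text):
    """True if setuid/setgid is usable now (CapEff) or could be raised (CapPrm)."""
    caps = set(held_caps(status_text, "CapEff")) | set(held_caps(status_text, "CapPrm"))
    return bool(caps & {"CAP_SETUID", "CAP_SETGID"})

if __name__ == "__main__":
    # Usage: script.py <pid>; without a pid the constructed samples are used.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            texts = {sys.argv[1]: fh.read()}
    else:
        texts = {"service sample": SAMPLE_SERVICE, "root sample": SAMPLE_ROOT}
    for label, text in texts.items():
        print(label, held_caps(text), "can switch user:", can_switch_user(text))
```

A process that holds neither CAP_SETUID nor CAP_SETGID cannot exercise them, so the corresponding SELinux `setuid`/`setgid` permissions are never checked for it.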
