maria-discuss team mailing list archive

Re: Why does MariaDB needs SELinux capability for setuid/setgid?

 

So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS
because we use systemd services, right?

Thanks for clarifying
Lukas

On Sun, Mar 14, 2021 at 12:42 AM Daniel Black <daniel@xxxxxxxxxxx> wrote:

>
> This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968
> where the setuid is only tried if mariadbd --user is specified.
>
> This isn't the case with systemd service files (which set the user)
> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50
> where
> the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
>
> So maybe it is safe to drop the mysqld_t setgid setuid from the policy for
> the common case of a user running systemd service which also works if they
> are using memlock.
>
> While we are looking at the list, assuming sys_resource maps to
> CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
> done in the systemd service.
> In the server code this is capped anyway -
> https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
>
> sys_nice - seems to be related to an InnoDB setpriority(PRIO_PROCESS, tid,
> -20), which isn't fatal if it doesn't succeed. No other CAP_SYS_NICE are
> used.
> Maybe we should have
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE=
> instead. Advice welcome.
>
> allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no
> longer used for large pages - anon mmap is used.
>
> rw_fifo_file_perms - one test case created a fifo -
> mysql-test/main/log_errchk.test, the server has some code to handle if log
> files externally created are fifos, but it doesn't create them itself.
> Galera code mentions fifos a lot, however it's an internal structure.
> Script
> https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh#L454
> mentions fifos, however this
> appears to just be using pv to rate limit.
>
> https://github.com/MariaDB/server/pull/1553 is probably needed too.
>
> I see
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L106
> probably covers https://github.com/MariaDB/server/pull/1131.
>
>
>
>
> On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <serg@xxxxxxxxxxx>
> wrote:
>
>> Hi, Lukas!
>>
>> > I found that setuid/setgid is used inside mysqld_safe_helper
>> > (mariadbd-safe-helper).
>> > Are there any other cases when MariaDB uses these functions?
>>
>> Yes, in the server. If the server is started with --memlock it does
>>
>>   mlockall(MCL_CURRENT)
>>
>> to prevent itself from being swapped. This needs root, and the server
>> uses setuid/setgid to drop root privileges after mlockall.
>>
>> Regards,
>> Sergei
>> VP of MariaDB Server Engineering
>> and security@xxxxxxxxxxx
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~maria-discuss
>> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~maria-discuss
>> More help   : https://help.launchpad.net/ListHelp
>>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavorsk@xxxxxxxxxx
<https://www.redhat.com>
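
An added example, not part of the thread and not MariaDB or Fedora code: a check of which of the capabilities named in the discussion above a running server process actually holds, read from `/proc/<pid>/status`. The status samples are constructed, and flagging setuid/setgid for review is an assumption that follows the thread's reasoning for services whose user is set by systemd.

```python
import re
import sys

# Bit numbers from linux/capability.h for the capabilities named in the thread.
CAP_BITS = {"setgid": 6, "setuid": 7, "ipc_lock": 14,
            "sys_nice": 23, "sys_resource": 24}
# Assumption taken from the thread: when systemd sets the service user,
# the server never calls setuid/setgid, so these two are candidates to drop.
REVIEW = ("setgid", "setuid")

# Constructed samples of /proc/<pid>/status lines (not captured from a host).
SAMPLE_SYSTEMD = "Uid:\t27\t27\t27\t27\nCapEff:\t0000000000004000\nCapBnd:\t0000000000004000\n"
SAMPLE_ROOT = "Uid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
SAMPLE_BOUNDED = "Uid:\t27\t27\t27\t27\nCapEff:\t0000000000000000\nCapBnd:\t00000000000040c0\n"


def names(mask):
    """Names of the tracked capabilities whose bit is set in mask."""
    return sorted(n for n, bit in CAP_BITS.items() if (mask >> bit) & 1)


def audit(status_text):
    """Summarise effective/bounding capabilities from /proc/<pid>/status text."""
    caps = {m.group(1): int(m.group(2), 16) for m in re.finditer(
        r"^(CapEff|CapBnd):[ \t]*([0-9a-fA-F]+)[ \t]*$", status_text, re.M)}
    uid = re.search(r"^Uid:\s*(\d+)\s+(\d+)", status_text, re.M)
    if uid is None or len(caps) != 2:
        raise ValueError("missing Uid, CapEff or CapBnd line")
    eff, bnd = names(caps["CapEff"]), names(caps["CapBnd"])
    review = []
    for cap in REVIEW:
        if cap in eff:
            review.append(cap + ": effective")
        elif cap in bnd:
            review.append(cap + ": in bounding set only")
    # Second Uid field is the effective uid; ipc_lock is what memlock relies on.
    return {"euid": int(uid.group(2)), "effective": eff, "bounding": bnd,
            "memlock_capable": "ipc_lock" in eff, "review": review}


if __name__ == "__main__":
    # Usage: python3 capaudit.py <pid of the server process>
    with open("/proc/%s/status" % sys.argv[1]) as fh:
        print(audit(fh.read()))
```

An empty `review` list with `memlock_capable` true matches the systemd case described in the thread; the SELinux policy still has to be checked separately, since it can deny a capability the process holds.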
