maria-discuss team mailing list archive

Re: Why does MariaDB needs SELinux capability for setuid/setgid?

 

On Mon, Mar 15, 2021 at 10:31 PM Lukas Javorsky <ljavorsk@xxxxxxxxxx> wrote:

> So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS
> because we use systemd services right?
>

correct

Seems using mariadb memlock requires a LimitMEMLOCK too which needs
extended documentation in https://mariadb.com/kb/en/systemd/.

Packaging / selinux related:

1. /etc/my.cnf.d/mariadb-server.cnf
contains log-error=/var/log/mariadb/mariadb.log

Without log-error set, the service will output to stdout/error and be
captured by journald. Would this be better packaging for you?

This would help your outstanding rhbz on logrotation that I also haven't
fixed upstream.

2. exec names now mariadb

in 10.4 we put mariadb names on executables as symlinks to mysql named
binaries.

in 10.5 this was reversed.

This is a slow move to phase out these mysql names that I hope you can help
with.

e.g. (10.4)
ls -al /usr/libexec/mariadbd
lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld

What would help significantly is if the mariadb names got into the selinux
fc file.

In
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.fc,
I'm

With this the executables in the service could change.

3. mariadb.service

/usr/libexec/mysql-check-socket

is excessive - recent systemd won't allow a second process in the same
cgroup when it has SendSIGKILL=no
(https://github.com/systemd/systemd/issues/8630)

On other Start{Pre,Post} in the service would you consider changing the
name to mariadb?
Documentation="man:mariadbd(8)"

There's a fair few comments in
https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in
and its history that are probably relevant.

selinux and the mariadb PAM probably need a test/investigation too.

Happy to help if I can.

> Thanks for clarifying
> Lukas
>
> On Sun, Mar 14, 2021 at 12:42 AM Daniel Black <daniel@xxxxxxxxxxx> wrote:
>
>>
>> This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968
>> where the setuid is only tried if mariadbd --user is specified.
>>
>> This isn't the case with systemd service files (which set the user)
>> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50
>> where
>> the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
>>
>> So maybe it is safe to drop the mysqld_t setgid setuid from the policy
>> for the common case of a user running systemd service which also works if
>> they are using memlock.
>>
>> While we are looking at the list, assuming sys_resource maps to
>> CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
>> done in the systemd service.
>> in the server code this is capped anyway -
>> https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
>>
>> sys_nice - seems to be related to an innodb setpriority(PRIO_PROCESS, tid,
>> -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are
>> used.
>> Maybe we should have
>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE=
>> instead. Advice welcome.
>>
>> allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no
>> longer used for large pages - anon mmap is used.
>>
>> rw_fifo_file_perms - one test case created a fifo -
>> mysql-test/main/log_errchk.test, the server has some code to handle if log
>> files externally created are fifos, but it doesn't create them itself.
>> galera code mentions fifos a lot, however it's an internal structure.
>> Script
>> https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh#L454
>> mentions fifos, however this appears to just be using pv to rate limit.
>>
>> https://github.com/MariaDB/server/pull/1553 is probably needed too.
>>
>> I see
>> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L106
>> probably covers https://github.com/MariaDB/server/pull/1131.
>>
>>
>>
>>
>> On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <serg@xxxxxxxxxxx>
>> wrote:
>>
>>> Hi, Lukas!
>>>
>>> > I found that setuid/setgid is used inside mysqld_safe_helper
>>> > (mariadbd-safe-helper).
>>> > Are there any other cases when MariaDB uses these functions?
>>>
>>> Yes, in the server. If the server is started with --memlock it does
>>>
>>>   mlockall(MCL_CURRENT)
>>>
>>> to prevent itself from being swapped. This needs root, and the server
>>> uses setuid/setgid to drop root privileges after mlockall.
>>>
>>> Regards,
>>> Sergei
>>> VP of MariaDB Server Engineering
>>> and security@xxxxxxxxxxx
>>>
>>
>
> --
> S pozdravom/ Best regards
>
> Lukáš Javorský
>
> Associate Software Engineer, Core service - Databases
>
> Red Hat <https://www.redhat.com>
>
> Purkyňova 115 (TPB-C)
>
> 612 00 Brno - Královo Pole
>
> ljavorsk@xxxxxxxxxx
> <https://www.redhat.com>
>
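
An added example, not part of the thread and not MariaDB or Fedora code: before dropping setuid/setgid, sys_nice or sys_resource from the policy, it helps to see what the running server actually holds. This sketch decodes CapEff from /proc/<pid>/status for the capabilities named in the thread and reads the locked-memory limit from /proc/<pid>/limits; the sample text, the uid 27 and the function name audit are constructed for illustration.

```python
import re
import sys

# Capability bit numbers from linux/capability.h for the SELinux
# capability permissions discussed in the thread.
CAPS = {"setgid": 6, "setuid": 7, "ipc_lock": 14,
        "sys_nice": 23, "sys_resource": 24}

# Constructed sample input (not captured from a real host): excerpts of
# /proc/<pid>/status and /proc/<pid>/limits for a server started by systemd
# as a non-root user holding only CAP_IPC_LOCK.
SAMPLE_STATUS = """Name:\tmariadbd
Uid:\t27\t27\t27\t27
Gid:\t27\t27\t27\t27
CapPrm:\t0000000000004000
CapEff:\t0000000000004000
CapBnd:\t0000000000004000
"""
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max locked memory         unlimited            unlimited            bytes
Max open files            32768                32768                files
"""


def audit(status_text, limits_text):
    """Report effective uid, thread-relevant capabilities and memlock limit."""
    fields = dict(line.split(":", 1)
                  for line in status_text.splitlines() if ":" in line)
    eff = int(fields["CapEff"].strip(), 16)
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    held = sorted(name for name, bit in CAPS.items() if (eff >> bit) & 1)
    m = re.search(r"^Max locked memory\s+(\S+)\s+(\S+)", limits_text, re.M)
    return {"euid": euid,
            "held": held,
            "not_held": sorted(set(CAPS) - set(held)),
            "memlock_soft": m.group(1) if m else None}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a live process: python3 audit.py <pid>
        with open(f"/proc/{sys.argv[1]}/status") as s, \
             open(f"/proc/{sys.argv[1]}/limits") as l:
            print(audit(s.read(), l.read()))
    else:
        print(audit(SAMPLE_STATUS, SAMPLE_LIMITS))
```
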