maria-discuss team mailing list archive

Re: Why does MariaDB needs SELinux capability for setuid/setgid?

 

>1. /etc/my.cnf.d/mariadb-server.cnf
>contains log-error=/var/log/mariadb/mariadb.log
>
>Without log-error set, the service will output to stdout/error and be
>captured by journald. Would this be better packaging for you?
>
>This would help your outstanding rhbz on logrotation that I also haven't
>fixed upstream.

We have a lot of tests built on top of this behavior, also there are some
known issues with logrotate, so we are not changing at this time, maybe it
will be some future feature.

>2. exec names now mariadb
>
>in 10.4 we put mariadb names on executables as symlinks to mysql named
>binaries.
>
>in 10.5 this was reversed.
>
>This is a slow move to phase out these mysql names that I hope you can
>help with.
>
>e.g. (10.4)
>ls -al /usr/libexec/mariadbd
>lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld
>
>What would help significantly is if the mariadb names got into the selinux
>fc file.
>
>In
>https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.fc,
>I'm
>
>With this the executables in the service could change.

I have created a PR today and selinux is already handling it:
https://github.com/fedora-selinux/selinux-policy/pull/641

>2. mariadb.service
>
>/usr/libexec/mysql-check-socket
>
>is excessive - recent systemd won't allow a second process in the same
>cgroup when it has SendSIGKILL=no
>(https://github.com/systemd/systemd/issues/8630)
>
>On other Start{Pre,Post} in the service would you consider changing the
>name to mariadb?
>Documentation="man:mariadbd(8)"
>
>There's a fair few comments in
>https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in
>and its history that are probably relevant.

What are you suggesting?

Thanks for help
Lukas

On Tue, Mar 16, 2021 at 1:13 PM Daniel Black <daniel@xxxxxxxxxxx> wrote:

>
>
> On Mon, Mar 15, 2021 at 10:31 PM Lukas Javorsky <ljavorsk@xxxxxxxxxx>
> wrote:
>
>> So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS
>> because we use systemd services right?
>>
>
> correct
>
> Seems using mariadb memlock requires a LimitMEMLOCK too which needs
> extended documentation in https://mariadb.com/kb/en/systemd/.
>
> Packaging / selinux related:
>
> 1. /etc/my.cnf.d/mariadb-server.cnf
> contains log-error=/var/log/mariadb/mariadb.log
>
> Without log-error set, the service will output to stdout/error and be
> captured by journald. Would this be better packaging for you?
>
> This would help your outstanding rhbz on logrotation that I also haven't
> fixed upstream.
>
> 2. exec names now mariadb
>
> in 10.4 we put mariadb names on executables as symlinks to mysql named
> binaries.
>
> in 10.5 this was reversed.
>
> This is a slow move to phase out these mysql names that I hope you can
> help with.
>
> e.g. (10.4)
> ls -al /usr/libexec/mariadbd
> lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld
>
> What would help significantly is if the mariadb names got into the selinux
> fc file.
>
> In
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.fc,
> I'm
>
> With this the executables in the service could change.
>
> 2. mariadb.service
>
> /usr/libexec/mysql-check-socket
>
> is excessive - recent systemd won't allow a second process in the same
> cgroup when it has SendSIGKILL=no
> (https://github.com/systemd/systemd/issues/8630)
>
> On other Start{Pre,Post} in the service would you consider changing the
> name to mariadb?
> Documentation="man:mariadbd(8)"
>
> There's a fair few comments in
> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in
> and its history that are probably relevant.
>
> selinux and the mariadb PAM probably need a test/investigation too.
>
> Happy to help if I can.
>
>> Thanks for clarifying
>> Lukas
>>
>> On Sun, Mar 14, 2021 at 12:42 AM Daniel Black <daniel@xxxxxxxxxxx> wrote:
>>
>>>
>>> This was relaxed in
>>> https://github.com/MariaDB/server/commit/27e6fd9a5968 where the setuid
>>> is only tried if mariadbd --user is specified.
>>>
>>> This isn't the case with systemd service files (which set the user)
>>> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50
>>> where the CAP_IPC_LOCK capability gives the user the memlock rather than
>>> setuid.
>>>
>>> So maybe it is safe to drop the mysqld_t setgid setuid from the policy
>>> for the common case of a user running systemd service which also works if
>>> they are using memlock.
>>>
>>> While we are looking at the list, assuming sys_resource maps to
>>> CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
>>> done in the systemd service.
>>> In the server code this is capped anyway -
>>> https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
>>>
>>> sys_nice - seems to be related to an innodb setpriority(PRIO_PROCESS,
>>> tid, -20), which isn't fatal if it doesn't succeed. No other CAP_SYS_NICE
>>> are used.
>>> Maybe we should have
>>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE=
>>> instead. Advice welcome.
>>>
>>> allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm
>>> no longer used for large pages - anon mmap is used.
>>>
>>> rw_fifo_file_perms - one test case created a fifo -
>>> mysql-test/main/log_errchk.test, the server has some code to handle if log
>>> files externally created are fifos, but it doesn't create them itself.
>>> galera code mentions fifos a lot, however it's an internal structure.
>>> Script
>>> https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh#L454
>>> mentions fifos, however this appears to just be using pv to rate limit.
>>>
>>> https://github.com/MariaDB/server/pull/1553 is probably needed too.
>>>
>>> I see
>>> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L106
>>> probably covers https://github.com/MariaDB/server/pull/1131.
>>>
>>>
>>>
>>>
>>> On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <serg@xxxxxxxxxxx>
>>> wrote:
>>>
>>>> Hi, Lukas!
>>>>
>>>> > I found that setuid/setgid is used inside mysqld_safe_helper
>>>> > (mariadbd-safe-helper).
>>>> > Are there any other cases when MariaDB uses these functions?
>>>>
>>>> Yes, in the server. If the server is started with --memlock it does
>>>>
>>>>   mlockall(MCL_CURRENT)
>>>>
>>>> to prevent itself from being swapped. This needs root, and the server
>>>> uses setuid/setgid to drop root privileges after mlockall.
>>>>
>>>> Regards,
>>>> Sergei
>>>> VP of MariaDB Server Engineering
>>>> and security@xxxxxxxxxxx
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~maria-discuss
>>>> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~maria-discuss
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>
>>
>> --
>> S pozdravom/ Best regards
>>
>> Lukáš Javorský
>>
>> Associate Software Engineer, Core service - Databases
>>
>> Red Hat <https://www.redhat.com>
>>
>> Purkyňova 115 (TPB-C)
>>
>> 612 00 Brno - Královo Pole
>>
>> ljavorsk@xxxxxxxxxx
>> <https://www.redhat.com>
>>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavorsk@xxxxxxxxxx
<https://www.redhat.com>
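
An added example, not part of the thread and not MariaDB or selinux-policy code: a small C check of a process's effective capability mask against what the thread describes for a systemd-started server (CAP_IPC_LOCK for memlock, no setuid/setgid). The function names, flag names and the sample status text are assumptions made for illustration; the capability bit numbers are those in `<linux/capability.h>`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h>. */
enum { BIT_SETGID = 6, BIT_SETUID = 7, BIT_IPC_LOCK = 14 };

#define F_SETID_PRESENT   1 /* setuid/setgid still effective: candidate to drop */
#define F_IPC_LOCK_ABSENT 2 /* memlock wanted but CAP_IPC_LOCK not effective    */

/* Constructed sample of /proc/<pid>/status: only CAP_IPC_LOCK is effective. */
static const char SAMPLE_STATUS[] =
    "Name:\tmariadbd\nUid:\t27\t27\t27\t27\n"
    "CapPrm:\t0000000000004000\nCapEff:\t0000000000004000\n";

/* Find `field` at the start of a line and parse the hex mask that follows.
 * Returns 0 on success, -1 if the field is missing or has no hex digits. */
int parse_cap_mask(const char *status, const char *field, uint64_t *out)
{
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0) {
            char *end;
            *out = strtoull(p + flen, &end, 16);
            return end == p + flen ? -1 : 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Compare the effective mask with what the thread says the service needs. */
int audit_caps(uint64_t eff, int memlock_wanted)
{
    int findings = 0;
    if (eff & ((1ULL << BIT_SETUID) | (1ULL << BIT_SETGID)))
        findings |= F_SETID_PRESENT;
    if (memlock_wanted && !(eff & (1ULL << BIT_IPC_LOCK)))
        findings |= F_IPC_LOCK_ABSENT;
    return findings;
}

int main(void)
{
    uint64_t eff;
    if (parse_cap_mask(SAMPLE_STATUS, "CapEff:", &eff) != 0) return 1;
    int f = audit_caps(eff, 1);
    printf("CapEff=%016llx setid=%s ipc_lock=%s\n", (unsigned long long)eff,
           (f & F_SETID_PRESENT) ? "present" : "absent",
           (f & F_IPC_LOCK_ABSENT) ? "missing" : "ok");
    return 0;
}
```

Feed it the contents of `/proc/<pid>/status` for the running server instead of the sample. It does not inspect the memlock rlimit, which the thread notes also has to be raised with LimitMEMLOCK.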
