mysqld_safe selinux root_dir_t

Bug #1203278 reported by David Busby
Affects: Percona Server (moved to https://jira.percona.com/projects/PS) | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Getting the following on Fedora 19 (before it's suggested that Fedora is not supported: it's more than likely that the SELinux configuration in Fedora will end up in Red Hat, and as such Fedora should be considered the "edge" distribution).

---

type=AVC msg=audit(1374317650.000:680): avc: denied { write } for pid=9163 comm="mysqld_safe" name="/" dev="dm-1" ino=2 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

---

Why would mysqld_safe be trying to write to / ?

setenforce 0 (permissive) && lsof:

---
 mysqld_safe
9607 mysqld
[root@phantasos etc]# lsof -p 9427
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld_sa 9427 root cwd DIR 253,1 4096 5505025 /usr
mysqld_sa 9427 root rtd DIR 253,1 4096 2 /
mysqld_sa 9427 root txt REG 253,1 982296 5512636 /usr/bin/bash
mysqld_sa 9427 root mem REG 253,1 162472 5505141 /usr/lib64/ld-2.17.so
mysqld_sa 9427 root mem REG 253,1 2104376 5505142 /usr/lib64/libc-2.17.so
mysqld_sa 9427 root mem REG 253,1 22440 5505424 /usr/lib64/libdl-2.17.so
mysqld_sa 9427 root mem REG 253,1 171464 5512005 /usr/lib64/libtinfo.so.5.9
mysqld_sa 9427 root mem REG 253,1 62368 5514609 /usr/lib64/libnss_files-2.17.so
mysqld_sa 9427 root 0r CHR 1,3 0t0 1028 /dev/null
mysqld_sa 9427 root 1w CHR 1,3 0t0 1028 /dev/null
mysqld_sa 9427 root 2w CHR 1,3 0t0 1028 /dev/null
mysqld_sa 9427 root 255r REG 253,1 26520 5505607 /usr/bin/mysqld_safe

---

Audit2allow

---

#============= mysqld_safe_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
allow mysqld_safe_t root_t:dir write;

---

This doesn't seem right to me at all; I can't think of a valid reason why mysqld_safe would need to write to /.

Especially given there is no reference to root_dir_t in: http://bazaar.launchpad.net/~percona-core/percona-server/5.6/view/head:/policy/selinux/percona-server.te

Affects: https://bugs.launchpad.net/percona-xtradb-cluster/+bug/1131102

Thoughts?

Cheers

David

David Busby (d-busby)
affects: percona-xtradb-cluster → percona-server
David Busby (d-busby) wrote :

dbusby@icleus-oneiroi-co-uk ~/Downloads$ sealert -l 9debc518-425f-46a8-bdae-0a7cc2c01e62
SELinux is preventing /usr/bin/bash from write access on the directory /.

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If you want to allow all daemons to write corefiles to /
Then you must tell SELinux about this by enabling the 'daemons_dump_core' boolean.
You can read 'None' man page for more details.
Do
setsebool -P daemons_dump_core 1

***** Plugin catchall (11.6 confidence) suggests ***************************

If you believe that bash should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysqld_safe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0
Target Context system_u:object_r:root_t:s0
Target Objects / [ dir ]
Source mysqld_safe
Source Path /usr/bin/bash
Port <Unknown>
Host icleus-oneiroi-co-uk
Source RPM Packages bash-4.2.45-1.fc18.x86_64
Target RPM Packages filesystem-3.1-2.fc18.x86_64
Policy RPM selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name icleus-oneiroi-co-uk
Platform Linux icleus-oneiroi-co-uk 3.9.9-201.fc18.x86_64 #1 SMP Fri Jul 5 16:42:02 UTC 2013 x86_64 x86_64
Alert Count 70
First Seen 2013-05-13 12:25:17 BST
Last Seen 2013-07-22 10:02:10 BST
Local ID 9debc518-425f-46a8-bdae-0a7cc2c01e62

Raw Audit Messages
type=AVC msg=audit(1374483730.171:461): avc: denied { write } for pid=30153 comm="mysqld_safe" name="/" dev="dm-2" ino=2 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

type=SYSCALL msg=audit(1374483730.171:461): arch=x86_64 syscall=faccessat success=no exit=EACCES a0=ffffffffffffff9c a1=1330280 a2=2 a3=1335ce0 items=0 ppid=30144 pid=30153 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm=mysqld_safe exe=/usr/bin/bash subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)

Hash: mysqld_safe,mysqld_safe_t,root_t,dir,write

audit2allow

#============= mysqld_safe_t ==============
#!!!! This avc can be allowed using the boolean 'daemons_dump_core'

allow mysqld_safe_t root_t:dir write;

audit2allow -R
require {
 type mysqld_safe_t;
}

#============= mysqld_safe_t ==============

David Busby (d-busby) wrote :

my.cnf

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mysqld according to the
# instructions in http://fedoraproject.org/wiki/Systemd
innodb-file-per-table

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

#
# include all files from the config directory
#
#!includedir /etc/my.cnf.d

Raghavendra D Prabhu (raghavendra-prabhu) wrote :

a) As discussed on IRC, can you also provide an xtrace output (set -x in mysqld_safe or in the shebang) with enforcing mode? It may be a case of an unset variable causing writes to /.

b) I also noticed

                    if test -w / -o "$USER" = "root"

in mysqld_safe; that is what may be triggering this, and hence a false positive. However, if it is failing to start in enforcing mode then it may in turn be causing something else to fail.

David Busby (d-busby) wrote :

This is in enforcing mode: `setsebool daemons_dump_core=1` is allowing it to start

Aug 27 12:36:59 localhost setroubleshoot: SELinux is preventing /usr/bin/bash from write access on the directory /. For complete SELinux messages. run sealert -l 89442e61-d867-4d53-98ed-eb5f2a09f179

---
[root@icleus-oneiroi-co-uk ~]# sealert -l 89442e61-d867-4d53-98ed-eb5f2a09f179
SELinux is preventing /usr/bin/bash from write access on the directory /.

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If you want to allow all daemons to write corefiles to /
Then you must tell SELinux about this by enabling the 'daemons_dump_core' boolean.
You can read 'None' man page for more details.
Do
setsebool -P daemons_dump_core 1

***** Plugin catchall (11.6 confidence) suggests ***************************

If you believe that bash should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysqld_safe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:system_r:mysqld_safe_t:s0
Target Context system_u:object_r:root_t:s0
Target Objects / [ dir ]
Source mysqld_safe
Source Path /usr/bin/bash
Port <Unknown>
Host icleus-oneiroi-co-uk
Source RPM Packages bash-4.2.45-1.fc19.x86_64
Target RPM Packages filesystem-3.2-13.fc19.x86_64
Policy RPM selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name icleus-oneiroi-co-uk
Platform Linux icleus-oneiroi-co-uk 3.10.9-200.fc19.x86_64 #1 SMP Wed Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count 1
First Seen 2013-08-27 12:36:57 BST
Last Seen 2013-08-27 12:36:57 BST
Local ID 89442e61-d867-4d53-98ed-eb5f2a09f179

Raw Audit Messages
type=AVC msg=audit(1377603417.126:1180): avc: denied { write } for pid=22304 comm="mysqld_safe" name="/" dev="dm-2" ino=2 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

type=SYSCALL msg=audit(1377603417.126:1180): arch=x86_64 syscall=faccessat success=no exit=EACCES a0=ffffffffffffff9c a1=10152d0 a2=2 a3=8 items=0 ppid=22295 pid=22304 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=mysqld_safe exe=/usr/bin/bash subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)

Hash: mysqld_safe,mysqld_safe_t,root_t,dir,write

---

Manually switching up to root and running it directly with the -x option does not yield a startup failure at all, so I'm guessing it's something in the sysvinit script.

Valerii Kravchuk (valerii-kravchuk) wrote :

So, maybe we should just change this code in mysqld_safe to NOT check / at all:

if test -w / -o "$USER" = "root"
then
  if test "$user" != "root" -o $SET_USER = 1
  then
    USER_OPTION="--user=$user"
  fi
  # Change the err log to the right user, if it is in use
  if [ $want_syslog -eq 0 ]; then
    touch "$err_log"
    chown $user "$err_log"
  fi
  if test -n "$open_files"
  then
    ulimit -n $open_files
  fi
fi

or report upstream bug (as upstream mysqld_safe has the same code), or something else?
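The `test -w /` explanation in the two comments above, worked through as an added example (this is not code from the bug report or from Percona's mysqld_safe). The SYSCALL record in the report shows `syscall=faccessat ... a2=2`, i.e. faccessat(AT_FDCWD, "/", W_OK, 0): bash's `test -w` is a permission query, not a write, and because `-o` evaluates its left operand first the probe happens even when running as root. The first function below triages an audit SYSCALL record on that basis; the audit records it runs over are constructed, modelled on the ones in the report. The second function is the same privilege check with the operands reordered so a root invocation never touches /; swapping the script's `$USER` test for `id -u` is my choice here, not the project's.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Percona's mysqld_safe.

# Constructed record modelled on the report: faccessat(AT_FDCWD, "/", W_OK, 0)
# denied. a0 = AT_FDCWD (-100), a1 = path pointer, a2 = mode, a3 = flags.
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1377603417.126:1180): arch=x86_64 syscall=faccessat success=no exit=EACCES a0=ffffffffffffff9c a1=10152d0 a2=2 a3=8 items=0 ppid=22295 pid=22304 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=mysqld_safe exe=/usr/bin/bash subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)'

# Constructed contrast: what a real write attempt looks like, here
# open(path, O_WRONLY|O_CREAT = 0x41, 0644) denied on the same directory.
SAMPLE_OPEN='type=SYSCALL msg=audit(1377603417.200:1181): arch=x86_64 syscall=open success=no exit=EACCES a0=1015400 a1=41 a2=1a4 a3=0 items=0 ppid=22295 pid=22304 auid=1000 uid=0 gid=0 euid=0 comm=mysqld_safe exe=/usr/bin/bash subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)'

# field REC NAME -> value of the "NAME=value" token in an audit record
field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# has_bits HEX MASK -> true if any bit of MASK is set in the hex field HEX
# (auditd prints syscall arguments in hex without a 0x prefix)
has_bits() {
  [ -n "$1" ] && [ $(( 0x$1 & $2 )) -ne 0 ]
}

# classify_syscall REC -> "probe" for an access(2)/faccessat(2) asking for
# W_OK (what bash `test -w` issues; nothing is written), "write" for a
# syscall that would actually modify the target, "other" otherwise.
classify_syscall() {
  rec=$1
  case "$(field "$rec" syscall)" in
    # access(path, mode): mode is a1; faccessat(dirfd, path, mode, flags): a2
    access)               has_bits "$(field "$rec" a1)" 0x2  && echo probe || echo other ;;
    faccessat|faccessat2) has_bits "$(field "$rec" a2)" 0x2  && echo probe || echo other ;;
    # open(path, flags, ...): flags a1; openat(dirfd, path, flags, ...): a2.
    # A write if O_WRONLY (0x1), O_RDWR (0x2) or O_CREAT (0x40) is set.
    open)                 has_bits "$(field "$rec" a1)" 0x43 && echo write || echo other ;;
    openat)               has_bits "$(field "$rec" a2)" 0x43 && echo write || echo other ;;
    creat|mkdir|mkdirat|unlink|unlinkat|rename|renameat|link|symlink) echo write ;;
    *)                    echo other ;;
  esac
}

# can_set_user [EUID] -> 0 if the script may pass --user, chown the error
# log and raise ulimit. mysqld_safe writes this as
#   test -w / -o "$USER" = "root"
# which evaluates `-w /` first and so issues faccessat("/", W_OK) even as
# root. Testing the effective uid first skips the probe entirely; the
# `-w /` fallback is kept for the non-root case the original also covers.
can_set_user() {
  euid=${1:-$(id -u)}
  [ "$euid" -eq 0 ] && return 0
  [ -w / ]
}

# Usage: triage the two constructed records, then run the reordered check.
printf 'faccessat record: %s\n' "$(classify_syscall "$SAMPLE_SYSCALL")"   # probe
printf 'open record:      %s\n' "$(classify_syscall "$SAMPLE_OPEN")"      # write
can_set_user 0 && echo "euid 0: --user/chown/ulimit allowed without probing /"
```

The distinction matters for the policy response. The `allow mysqld_safe_t root_t:dir write;` that audit2allow prints (and the `daemons_dump_core` boolean sealert suggests) grants mysqld_safe a permission it never uses; a `dontaudit mysqld_safe_t root_t:dir write;` rule silences the `test -w` probe without granting it, at the cost of also hiding a genuine write attempt from the same domain. Reordering the check in the script, as above, avoids the AVC without touching policy at all.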

Changed in percona-server:
status: New → Incomplete
Changed in percona-server:
assignee: Raghavendra D Prabhu (raghavendra-prabhu) → nobody
tags: added: pkg
Launchpad Janitor (janitor) wrote :

[Expired for Percona Server because there has been no activity for 60 days.]

Changed in percona-server:
status: Incomplete → Expired
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-2993
