Bug 1692960 - mysql agent needs to work without DAC_OVERRIDE capability
Summary: mysql agent needs to work without DAC_OVERRIDE capability
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: resource-agents
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Oyvind Albrigtsen
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-26 18:08 UTC by Patrik Hagara
Modified: 2019-03-26 18:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments:
proposed patch (deleted), 2019-03-26 18:08 UTC, Patrik Hagara

Description Patrik Hagara 2019-03-26 18:08:31 UTC
Created attachment 1548185 [details]
proposed patch

Description of problem:
SELinux policy in RHEL-8 removed the DAC_OVERRIDE capability from processes running as root.

The mysql resource agent starts the mysqld process as root, but passes `--user mysql` to it (so as to make it drop privileges by switching to mysql user after initialization). This stopped working in RHEL-8 due to the above-mentioned DAC_OVERRIDE capability removal.

Version-Release number of selected component (if applicable):
resource-agents-4.1.1-17.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. SELinux enforcing mode enabled (default)
2. pcs resource create db ocf:heartbeat:mysql
3.

Actual results:
resource fails to start with the following AVC denials:

> type=PROCTITLE msg=audit(03/12/2019 14:02:22.391:3121) : proctitle=/bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysql/mysqld.pid --socket=/var/lib/mysql/mysql.sock 
> type=PATH msg=audit(03/12/2019 14:02:22.391:3121) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2019 14:02:22.391:3121) : cwd=/var/lib/pacemaker/cores 
> type=SYSCALL msg=audit(03/12/2019 14:02:22.391:3121) : arch=x86_64 syscall=faccessat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e227b2d910 a2=W_OK a3=0x1 items=1 ppid=9864 pid=9986 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld_safe exe=/usr/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null) 
> type=AVC msg=audit(03/12/2019 14:02:22.391:3121) : avc:  denied  { dac_override } for  pid=9986 comm=mysqld_safe capability=dac_override  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability permissive=0 
> ----
> type=PROCTITLE msg=audit(03/12/2019 14:02:22.584:3122) : proctitle=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mariadb/plugin - 
> type=PATH msg=audit(03/12/2019 14:02:22.584:3122) : item=0 name=/var/lib/mysql/ inode=5259923 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:mysqld_db_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2019 14:02:22.584:3122) : cwd=/var/lib/pacemaker/cores 
> type=SYSCALL msg=audit(03/12/2019 14:02:22.584:3122) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd94309600 a2=O_RDWR|O_CREAT|O_CLOEXEC a3=0x1b6 items=1 ppid=9986 pid=10098 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null) 
> type=AVC msg=audit(03/12/2019 14:02:22.584:3122) : avc:  denied  { dac_override } for  pid=10098 comm=mysqld capability=dac_override  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0 

Expected results:
no AVC denials, mysql resource starts

Additional info:
see also bz#1687867, which tracks the fix for AVC denials encountered later in the process of starting mysqld

Comment 1 Patrik Hagara 2019-03-26 18:20:44 UTC
small clarification:

before the fix for bz#1687867 lands in RHEL-8, the mysql resource will still fail to start due to an AVC denial -- specifically the following one:

> type=PROCTITLE msg=audit(03/12/2019 13:38:33.330:3042) : proctitle=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mariadb/plugin -                                           
> type=PATH msg=audit(03/12/2019 13:38:33.330:3042) : item=1 name=/var/run/mysql/mysqld.pid inode=295606 dev=00:16 mode=file,660 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:cluster_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(03/12/2019 13:38:33.330:3042) : item=0 name=/var/run/mysql/ inode=266787 dev=00:16 mode=dir,751 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:cluster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(03/12/2019 13:38:33.330:3042) : cwd=/var/lib/mysql
> type=SYSCALL msg=audit(03/12/2019 13:38:33.330:3042) : arch=x86_64 syscall=openat success=yes exit=25 a0=0xffffff9c a1=0x55aac3b02180 a2=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a3=0x1b4 items=2 ppid=2999 pid=3111 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=unset comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld path=/run/mysql/mysqld.pid dev="tmpfs" ino=295606 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0tclass=file permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { create } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { add_name } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld name=mysql dev="tmpfs" ino=266787 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1

this bug can be considered fixed when there are no AVC denials mentioning "dac_override" (see comment#0 for the specific denials).

alternatively, you can manually apply the bz# fix like this:

> # yum -y install selinux-policy-devel
> # cat > local_cluster_mysqld.te <<EOF
> policy_module(local_cluster_mysqld, 1.0)
> 
> gen_require(`
>     type cluster_t;
>     type mysqld_var_run_t;
> ')
> 
> files_pid_filetrans(cluster_t, mysqld_var_run_t, {dir}, "mysqld")
> files_pid_filetrans(cluster_t, mysqld_var_run_t, {dir}, "mysql")
> EOF
> # make -f /usr/share/selinux/devel/Makefile local_cluster_mysqld.pp
> # semodule -i local_cluster_mysqld.pp

afterwards, the mysql resource should start successfully.

