Bug 1692960

Summary: mysql: use runuser/su to work without DAC_OVERRIDE capability
Product: Red Hat Enterprise Linux 8
Reporter: Patrik Hagara <phagara>
Component: resource-agents
Assignee: Oyvind Albrigtsen <oalbrigt>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: urgent
Priority: unspecified
Version: 8.0
CC: agk, cfeist, cluster-maint, dciabrin, fdinitto, mjuricek
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: resource-agents-4.1.1-32.el8
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-11-05 20:34:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: proposed patch (flags: none)

Description Patrik Hagara 2019-03-26 18:08:31 UTC
Created attachment 1548185 [details]
proposed patch

Description of problem:
SELinux policy in RHEL-8 removed the DAC_OVERRIDE capability from processes running as root.

The mysql resource agent starts the mysqld process as root, but passes `--user mysql` to it (so as to make it drop privileges by switching to mysql user after initialization). This stopped working in RHEL-8 due to the above-mentioned DAC_OVERRIDE capability removal.

Version-Release number of selected component (if applicable):
resource-agents-4.1.1-17.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. SELinux enforcing mode enabled (default)
2. pcs resource create db ocf:heartbeat:mysql
3.

Actual results:
resource fails to start with the following AVC denials:

> type=PROCTITLE msg=audit(03/12/2019 14:02:22.391:3121) : proctitle=/bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysql/mysqld.pid --socket=/var/lib/mysql/mysql.sock 
> type=PATH msg=audit(03/12/2019 14:02:22.391:3121) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2019 14:02:22.391:3121) : cwd=/var/lib/pacemaker/cores 
> type=SYSCALL msg=audit(03/12/2019 14:02:22.391:3121) : arch=x86_64 syscall=faccessat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e227b2d910 a2=W_OK a3=0x1 items=1 ppid=9864 pid=9986 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld_safe exe=/usr/bin/bash subj=system_u:system_r:mysqld_safe_t:s0 key=(null) 
> type=AVC msg=audit(03/12/2019 14:02:22.391:3121) : avc:  denied  { dac_override } for  pid=9986 comm=mysqld_safe capability=dac_override  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability permissive=0 
> ----
> type=PROCTITLE msg=audit(03/12/2019 14:02:22.584:3122) : proctitle=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mariadb/plugin - 
> type=PATH msg=audit(03/12/2019 14:02:22.584:3122) : item=0 name=/var/lib/mysql/ inode=5259923 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:mysqld_db_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2019 14:02:22.584:3122) : cwd=/var/lib/pacemaker/cores 
> type=SYSCALL msg=audit(03/12/2019 14:02:22.584:3122) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd94309600 a2=O_RDWR|O_CREAT|O_CLOEXEC a3=0x1b6 items=1 ppid=9986 pid=10098 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null) 
> type=AVC msg=audit(03/12/2019 14:02:22.584:3122) : avc:  denied  { dac_override } for  pid=10098 comm=mysqld capability=dac_override  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0 

Expected results:
no AVC denials, mysql resource starts

Additional info:
see also bz#1687867, which tracks the fix for AVC denials encountered later in the process of starting mysqld

Comment 1 Patrik Hagara 2019-03-26 18:20:44 UTC
small clarification:

before the fix for bz#1687867 lands in RHEL-8, the mysql resource will still fail to start due to an AVC denial -- specifically the following one:

> type=PROCTITLE msg=audit(03/12/2019 13:38:33.330:3042) : proctitle=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mariadb/plugin -                                           
> type=PATH msg=audit(03/12/2019 13:38:33.330:3042) : item=1 name=/var/run/mysql/mysqld.pid inode=295606 dev=00:16 mode=file,660 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:cluster_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(03/12/2019 13:38:33.330:3042) : item=0 name=/var/run/mysql/ inode=266787 dev=00:16 mode=dir,751 ouid=mysql ogid=mysql rdev=00:00 obj=system_u:object_r:cluster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(03/12/2019 13:38:33.330:3042) : cwd=/var/lib/mysql
> type=SYSCALL msg=audit(03/12/2019 13:38:33.330:3042) : arch=x86_64 syscall=openat success=yes exit=25 a0=0xffffff9c a1=0x55aac3b02180 a2=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a3=0x1b4 items=2 ppid=2999 pid=3111 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=unset comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld path=/run/mysql/mysqld.pid dev="tmpfs" ino=295606 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { create } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { add_name } for  pid=3111 comm=mysqld name=mysqld.pid scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld name=mysql dev="tmpfs" ino=266787 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=dir permissive=1

this bug can be considered fixed when there are no AVC denials mentioning "dac_override" (see comment#0 for the specific denials).

alternatively, you can manually apply the bz# fix like this:

> # yum -y install selinux-policy-devel
> # cat > local_cluster_mysqld.te <<EOF
> policy_module(local_cluster_mysqld, 1.0)
> 
> gen_require(`
>     type cluster_t;
>     type mysqld_var_run_t;
> ')
> 
> files_pid_filetrans(cluster_t, mysqld_var_run_t, {dir}, "mysqld")
> files_pid_filetrans(cluster_t, mysqld_var_run_t, {dir}, "mysql")
> EOF
> # make -f /usr/share/selinux/devel/Makefile local_cluster_mysqld.pp
> # semodule -i local_cluster_mysqld.pp

afterwards, the mysql resource should start successfully.
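The verification criterion given in comment 1 (no AVC denials mentioning dac_override from the mysqld domains, as opposed to the file-write denials that belong to bz#1687867) turned into a repeatable check over audit records. This is an added example, not part of the bug report or of the resource-agents package; the sample records are a constructed excerpt built from the output quoted in comments 0 and 1, and the function names are my own.

```shell
#!/bin/sh
# Added example: scan an audit trail for the dac_override denials this bug
# produces when mysqld_safe/mysqld are started as root. Constructed sample built
# from the records quoted in this report: two dac_override denials (the bug) and
# one unrelated file-write denial (bz#1687867) that must not be counted here.
SAMPLE_AUDIT='type=AVC msg=audit(03/12/2019 14:02:22.391:3121) : avc:  denied  { dac_override } for  pid=9986 comm=mysqld_safe capability=dac_override  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability permissive=0
type=AVC msg=audit(03/12/2019 14:02:22.584:3122) : avc:  denied  { dac_override } for  pid=10098 comm=mysqld capability=dac_override  scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=capability permissive=0
type=AVC msg=audit(03/12/2019 13:38:33.330:3042) : avc:  denied  { write } for  pid=3111 comm=mysqld path=/run/mysql/mysqld.pid dev="tmpfs" ino=295606 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_var_run_t:s0 tclass=file permissive=1'

# Shared awk filter: AVC records where a process in mysqld_t or mysqld_safe_t was
# denied the dac_override capability. Other denials (file writes etc.) are ignored.
MYSQL_DAC_FILTER='/^type=AVC/ && /denied/ && /capability=dac_override/ && /scontext=system_u:system_r:mysqld(_safe)?_t:/'

# Read audit records on stdin; print the number of matching denials.
count_mysql_dac_override() {
    awk "$MYSQL_DAC_FILTER"' { n++ } END { print n + 0 }'
}

# Read audit records on stdin; print one line per matching denial with the
# offending command and whether SELinux was enforcing (permissive=0) at the time.
report_mysql_dac_override() {
    awk "$MYSQL_DAC_FILTER"' {
        comm = "?"; perm = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)       comm = substr($i, 6)
            if ($i ~ /^permissive=/) perm = substr($i, 12)
        }
        printf "%s: dac_override denied (permissive=%s)\n", comm, perm
    }'
}

# Exit 0 when the records on stdin contain no such denial, which is the
# condition comment 1 gives for this bug being fixed; exit 1 otherwise.
mysql_dac_override_fixed() {
    [ "$(count_mysql_dac_override)" -eq 0 ]
}

# Stand-alone demo on the constructed sample. On a real host feed the live
# audit log instead:  ausearch -m AVC -ts recent | report_mysql_dac_override
printf '%s\n' "$SAMPLE_AUDIT" | report_mysql_dac_override
```

Because the filter keys on the scontext domain rather than on comm=, it also catches a denial from a differently named helper running in mysqld_safe_t, while the permissive= field tells you whether the denial actually blocked the start or was only logged.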

Comment 7 errata-xmlrpc 2019-11-05 20:34:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3307