Bug 2186519
| Summary: | Allow fcontext to recognize mysqlx.sock and label appropriately | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | gmcnealy <gmcnealy> |
| Component: | mysql-selinux | Assignee: | Adam Dobes <adobes> |
| Status: | VERIFIED --- | QA Contact: | Jakub Heger <jheger> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.7 | CC: | adobes, databases-maint, hhorak, jheger, ljavorsk, peter.vreman |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | mysql-selinux-1.0.6-1.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Fix by adobes: https://github.com/devexp-db/mysql-selinux/pull/3
CentOS Stream 8 MR created: https://gitlab.com/redhat/centos-stream/rpms/mysql-selinux/-/merge_requests/4
Description of problem:
The fcontexts only have support for mysql.sock and not the mysqlx.sock:
~~~
[cb/LI] hoiroot@li-lc-2796:~$ sudo semanage fcontext -l | grep /var/lib/mysql
/var/lib/mysql(-files|-keyring)?(/.*)? all files system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock socket system_u:object_r:mysqld_var_run_t:s0
[cb/LI] hoiroot@li-lc-2796:~$
~~~

Proposed solution is to change the regex to match also 'mysqlx', e.g. to use '/var/lib/mysql/mysql(x)?\.sock'

Version-Release number of selected component (if applicable):
mysql-server x86_64 8.0.30-1.module+el8.6.0+16523+5cb0e868

How reproducible:
Always

Steps to Reproduce:
Reproducer:
~~~
[cb/LI] hoiroot@li-lc-2796:~$ sudo yum install mysql-server
Updating Subscription Management repositories.
HOIOS-8.7.99-ci 17 kB/s | 2.0 kB 00:00
HOIPRODUCTS-3.0.99-ci 19 kB/s | 2.0 kB 00:00
HOICI-3.0.99-ci 17 kB/s | 2.0 kB 00:00
Red Hat CodeReady Linux Builder for RHEL 8 x86_64 (RPMs) 27 kB/s | 2.9 kB 00:00
HOIRHEL-8.7-d20230326 19 kB/s | 2.0 kB 00:00
Dependencies resolved.
============================================================================================================================================
 Package Architecture Version Repository Size
============================================================================================================================================
Installing:
 mysql-server x86_64 8.0.30-1.module+el8.6.0+16523+5cb0e868 rhel-8-for-x86_64-appstream-rpms 25 M
Installing dependencies:
 mecab x86_64 0.996-2.module+el8.6.0+16523+5cb0e868 rhel-8-for-x86_64-appstream-rpms 393 k
 mysql x86_64 8.0.30-1.module+el8.6.0+16523+5cb0e868 rhel-8-for-x86_64-appstream-rpms 13 M
 mysql-common x86_64 8.0.30-1.module+el8.6.0+16523+5cb0e868 rhel-8-for-x86_64-appstream-rpms 137 k
 mysql-errmsg x86_64 8.0.30-1.module+el8.6.0+16523+5cb0e868 rhel-8-for-x86_64-appstream-rpms 620 k
 protobuf-lite x86_64 3.5.0-15.el8 rhel-8-for-x86_64-appstream-rpms 149 k
Enabling module streams:
 mysql 8.0

Transaction Summary
============================================================================================================================================
Install 6 Packages

Total download size: 39 M
Installed size: 198 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm 740 kB/s | 137 kB 00:00
(2/6): mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64.rpm 1.6 MB/s | 393 kB 00:00
(3/6): mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm 6.5 MB/s | 620 kB 00:00
(4/6): protobuf-lite-3.5.0-15.el8.x86_64.rpm 1.4 MB/s | 149 kB 00:00
(5/6): mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm 3.4 MB/s | 13 MB 00:03
(6/6): mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm 3.6 MB/s | 25 MB 00:06
--------------------------------------------------------------------------------------------------------------------------------------------
Total 5.5 MB/s | 39 MB 00:07
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing : 1/1
  Installing : mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 1/6
  Installing : mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 2/6
  Installing : mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 3/6
  Installing : protobuf-lite-3.5.0-15.el8.x86_64 4/6
  Installing : mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64 5/6
  Running scriptlet: mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64 5/6
  Running scriptlet: mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 6/6
  Installing : mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 6/6
  Running scriptlet: mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 6/6
ValueError: File context for /var/log/mysql(/.*)? already defined
  Verifying : mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64 1/6
  Verifying : mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 2/6
  Verifying : mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 3/6
  Verifying : mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 4/6
  Verifying : mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64 5/6
  Verifying : protobuf-lite-3.5.0-15.el8.x86_64 6/6
Installed products updated.

Installed:
  mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64
  mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64
  mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64
  mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64
  mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64
  protobuf-lite-3.5.0-15.el8.x86_64

Complete!
[cb/LI] hoiroot@li-lc-2796:~$ sudo systemctl start mysqld
[cb/LI] hoiroot@li-lc-2796:~$ sudo systemctl status mysqld
● mysqld.service - MySQL 8.0 database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-03-30 12:02:55 UTC; 3s ago
  Process: 750961 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
  Process: 750830 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mysqld.service (code=exited, status=0/SUCCESS)
  Process: 750806 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
 Main PID: 750914 (mysqld)
   Status: "Server is operational"
    Tasks: 39 (limit: 23625)
   Memory: 448.3M
   CGroup: /system.slice/mysqld.service
           └─750914 /usr/libexec/mysqld --basedir=/usr

Mar 30 12:02:49 li-lc-2796 systemd[1]: Starting MySQL 8.0 database server...
Mar 30 12:02:49 li-lc-2796 mysql-prepare-db-dir[750830]: Initializing MySQL database
Mar 30 12:02:55 li-lc-2796 systemd[1]: Started MySQL 8.0 database server.
[cb/LI] hoiroot@li-lc-2796:~$ ls -lZ /var/lib/mysql
total 90576
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 56 Mar 30 12:02 auto.cnf
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 157 Mar 30 12:02 binlog.000001
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 16 Mar 30 12:02 binlog.index
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 1676 Mar 30 12:02 ca-key.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 1112 Mar 30 12:02 ca.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 1112 Mar 30 12:02 client-cert.pem
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 1676 Mar 30 12:02 client-key.pem
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 196608 Mar 30 12:02 '#ib_16384_0.dblwr'
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 8585216 Mar 30 12:02 '#ib_16384_1.dblwr'
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 5913 Mar 30 12:02 ib_buffer_pool
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 12582912 Mar 30 12:02 ibdata1
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 12582912 Mar 30 12:02 ibtmp1
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0 4096 Mar 30 12:02 '#innodb_redo'
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0 187 Mar 30 12:02 '#innodb_temp'
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0 143 Mar 30 12:02 mysql
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 25165824 Mar 30 12:02 mysql.ibd
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0 0 Mar 30 12:02 mysql.sock
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 7 Mar 30 12:02 mysql.sock.lock
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 7 Mar 30 12:02 mysql_upgrade_info
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0 0 Mar 30 12:02 mysqlx.sock
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 7 Mar 30 12:02 mysqlx.sock.lock
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0 8192 Mar 30 12:02 performance_schema
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 1680 Mar 30 12:02 private_key.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 452 Mar 30 12:02 public_key.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 1112 Mar 30 12:02 server-cert.pem
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 1676 Mar 30 12:02 server-key.pem
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0 28 Mar 30 12:02 sys
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 16777216 Mar 30 12:02 undo_001
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 16777216 Mar 30 12:02 undo_002
[cb/LI] hoiroot@li-lc-2796:~$ sudo restorecon -Rvn /var/lib/mysql
Would relabel /var/lib/mysql/mysqlx.sock from system_u:object_r:mysqld_var_run_t:s0 to system_u:object_r:mysqld_db_t:s0
[cb/LI] hoiroot@li-lc-2796:~$
~~~

Actual results:
The fcontexts only have support for mysql.sock and not the mysqlx.sock:
~~~
[cb/LI] hoiroot@li-lc-2796:~$ sudo semanage fcontext -l | grep /var/lib/mysql
/var/lib/mysql(-files|-keyring)?(/.*)? all files system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock socket system_u:object_r:mysqld_var_run_t:s0
[cb/LI] hoiroot@li-lc-2796:~$
~~~

Expected results:
Proposed solution is to change the regex to match also 'mysqlx', e.g. to use '/var/lib/mysql/mysql(x)?\.sock'

Additional info:
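
Why the shipped rules give the `restorecon -Rvn` result shown in the report, and what the proposed regex changes, as an added example (not part of the original report or of the mysql-selinux code). It relies on a simplified model of file-context matching, which is an assumption: each regex is anchored to the whole path, and among matching rules the most specific wins (no metacharacters, then longer literal stem, then longer regex, then an explicit file class). `label`, `would_relabel` and the rule lists are hypothetical names built from the outputs above.

```python
import re

# Constructed from the `semanage fcontext -l` output in the report:
# (regex, file class, SELinux type); "any" stands for "all files".
SHIPPED = [
    (r"/var/lib/mysql(-files|-keyring)?(/.*)?", "any", "mysqld_db_t"),
    (r"/var/lib/mysql/mysql\.sock", "socket", "mysqld_var_run_t"),
]
# The same rules with the regex proposed in the report.
PROPOSED = [
    SHIPPED[0],
    (r"/var/lib/mysql/mysql(x)?\.sock", "socket", "mysqld_var_run_t"),
]
# Constructed from the `ls -lZ` output: (path, file class, current type).
ON_DISK = [
    ("/var/lib/mysql/mysql.sock", "socket", "mysqld_var_run_t"),
    ("/var/lib/mysql/mysqlx.sock", "socket", "mysqld_var_run_t"),
    ("/var/lib/mysql/mysqlx.sock.lock", "file", "mysqld_db_t"),
]
META = set(".^$?*+|[({")


def specificity(regex, cls):
    """Sort key for the assumed ordering: higher means more specific."""
    stem, i = None, 0
    while i < len(regex):
        if regex[i] == "\\":
            i += 2  # an escaped character is a literal, not a metacharacter
            continue
        if stem is None and regex[i] in META:
            stem = i  # the literal prefix ends at the first metacharacter
        i += 1
    literal = stem is None
    return (literal, len(regex) if literal else stem, len(regex), cls != "any")


def label(rules, path, cls):
    """Type of the most specific rule whose anchored regex matches path."""
    hits = [(specificity(rx, c), t) for rx, c, t in rules
            if c in ("any", cls) and re.fullmatch(rx, path)]
    return max(hits)[1] if hits else None


def would_relabel(rules, files=ON_DISK):
    """Mirror of `restorecon -n`: (path, current type, policy type) mismatches."""
    return [(p, cur, label(rules, p, c)) for p, c, cur in files
            if label(rules, p, c) != cur]
```

Because the match is anchored, the proposed socket rule still leaves `mysqlx.sock.lock` under the generic `mysqld_db_t` rule.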