Bug 2186519 - Allow fcontext to recognize mysqlx.sock and label appropriately
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: mysql-selinux
Version: 8.7
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Adam Dobes
QA Contact: Jakub Heger
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-13 15:37 UTC by gmcnealy@redhat.com
Modified: 2023-11-14 17:04 UTC (History)

Fixed In Version: mysql-selinux-1.0.6-1.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-14 15:36:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-154630 | 0 | None | None | None | 2023-04-13 16:57:41 UTC
Red Hat Product Errata | RHBA-2023:7040 | 0 | None | None | None | 2023-11-14 15:36:07 UTC

Description gmcnealy@redhat.com 2023-04-13 15:37:46 UTC
Description of problem:

The fcontexts only have support for mysql.sock and not the mysqlx.sock:
~~~
[cb/LI] hoiroot@li-lc-2796:~$ sudo semanage fcontext -l | grep /var/lib/mysql
/var/lib/mysql(-files|-keyring)?(/.*)?             all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0
[cb/LI] hoiroot@li-lc-2796:~$
~~~

The proposed solution is to change the regex to also match 'mysqlx', e.g. to use '/var/lib/mysql/mysql(x)?\.sock'


Version-Release number of selected component (if applicable):

mysql-server  x86_64  8.0.30-1.module+el8.6.0+16523+5cb0e868        

How reproducible:

Always

Steps to Reproduce:

Reproducer:

~~~
[cb/LI] hoiroot@li-lc-2796:~$ sudo yum install mysql-server
Updating Subscription Management repositories.
HOIOS-8.7.99-ci                                                                                              17 kB/s | 2.0 kB     00:00
HOIPRODUCTS-3.0.99-ci                                                                                        19 kB/s | 2.0 kB     00:00
HOICI-3.0.99-ci                                                                                              17 kB/s | 2.0 kB     00:00
Red Hat CodeReady Linux Builder for RHEL 8 x86_64 (RPMs)                                                     27 kB/s | 2.9 kB     00:00
HOIRHEL-8.7-d20230326                                                                                        19 kB/s | 2.0 kB     00:00
Dependencies resolved.
============================================================================================================================================
 Package                 Architecture     Version                                          Repository                                  Size
============================================================================================================================================
Installing:
 mysql-server            x86_64           8.0.30-1.module+el8.6.0+16523+5cb0e868           rhel-8-for-x86_64-appstream-rpms            25 M
Installing dependencies:
 mecab                   x86_64           0.996-2.module+el8.6.0+16523+5cb0e868            rhel-8-for-x86_64-appstream-rpms           393 k
 mysql                   x86_64           8.0.30-1.module+el8.6.0+16523+5cb0e868           rhel-8-for-x86_64-appstream-rpms            13 M
 mysql-common            x86_64           8.0.30-1.module+el8.6.0+16523+5cb0e868           rhel-8-for-x86_64-appstream-rpms           137 k
 mysql-errmsg            x86_64           8.0.30-1.module+el8.6.0+16523+5cb0e868           rhel-8-for-x86_64-appstream-rpms           620 k
 protobuf-lite           x86_64           3.5.0-15.el8                                     rhel-8-for-x86_64-appstream-rpms           149 k
Enabling module streams:
 mysql                                    8.0

Transaction Summary
============================================================================================================================================
Install  6 Packages

Total download size: 39 M
Installed size: 198 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm                                       740 kB/s | 137 kB     00:00
(2/6): mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64.rpm                                               1.6 MB/s | 393 kB     00:00
(3/6): mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm                                       6.5 MB/s | 620 kB     00:00
(4/6): protobuf-lite-3.5.0-15.el8.x86_64.rpm                                                                1.4 MB/s | 149 kB     00:00
(5/6): mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm                                              3.4 MB/s |  13 MB     00:03
(6/6): mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64.rpm                                       3.6 MB/s |  25 MB     00:06
--------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                       5.5 MB/s |  39 MB     00:07
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                    1/1
  Installing       : mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         1/6
  Installing       : mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                                2/6
  Installing       : mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         3/6
  Installing       : protobuf-lite-3.5.0-15.el8.x86_64                                                                                  4/6
  Installing       : mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64                                                                 5/6
  Running scriptlet: mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64                                                                 5/6
  Running scriptlet: mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         6/6
  Installing       : mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         6/6
  Running scriptlet: mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         6/6
ValueError: File context for /var/log/mysql(/.*)? already defined

  Verifying        : mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64                                                                 1/6
  Verifying        : mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                                2/6
  Verifying        : mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         3/6
  Verifying        : mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         4/6
  Verifying        : mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64                                                         5/6
  Verifying        : protobuf-lite-3.5.0-15.el8.x86_64                                                                                  6/6
Installed products updated.

Installed:
  mecab-0.996-2.module+el8.6.0+16523+5cb0e868.x86_64                   mysql-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64
  mysql-common-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64           mysql-errmsg-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64
  mysql-server-8.0.30-1.module+el8.6.0+16523+5cb0e868.x86_64           protobuf-lite-3.5.0-15.el8.x86_64

Complete!
[cb/LI] hoiroot@li-lc-2796:~$ sudo systemctl start mysqld
[cb/LI] hoiroot@li-lc-2796:~$ sudo systemctl status mysqld
● mysqld.service - MySQL 8.0 database server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-03-30 12:02:55 UTC; 3s ago
  Process: 750961 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
  Process: 750830 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mysqld.service (code=exited, status=0/SUCCESS)
  Process: 750806 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
 Main PID: 750914 (mysqld)
   Status: "Server is operational"
    Tasks: 39 (limit: 23625)
   Memory: 448.3M
   CGroup: /system.slice/mysqld.service
           └─750914 /usr/libexec/mysqld --basedir=/usr

Mar 30 12:02:49 li-lc-2796 systemd[1]: Starting MySQL 8.0 database server...
Mar 30 12:02:49 li-lc-2796 mysql-prepare-db-dir[750830]: Initializing MySQL database
Mar 30 12:02:55 li-lc-2796 systemd[1]: Started MySQL 8.0 database server.
[cb/LI] hoiroot@li-lc-2796:~$ ls -lZ /var/lib/mysql
total 90576
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0            56 Mar 30 12:02  auto.cnf
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0           157 Mar 30 12:02  binlog.000001
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0            16 Mar 30 12:02  binlog.index
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          1676 Mar 30 12:02  ca-key.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          1112 Mar 30 12:02  ca.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          1112 Mar 30 12:02  client-cert.pem
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          1676 Mar 30 12:02  client-key.pem
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0        196608 Mar 30 12:02 '#ib_16384_0.dblwr'
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0       8585216 Mar 30 12:02 '#ib_16384_1.dblwr'
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          5913 Mar 30 12:02  ib_buffer_pool
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0      12582912 Mar 30 12:02  ibdata1
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0      12582912 Mar 30 12:02  ibtmp1
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0          4096 Mar 30 12:02 '#innodb_redo'
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0           187 Mar 30 12:02 '#innodb_temp'
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0           143 Mar 30 12:02  mysql
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0      25165824 Mar 30 12:02  mysql.ibd
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0        0 Mar 30 12:02  mysql.sock
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0             7 Mar 30 12:02  mysql.sock.lock
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0             7 Mar 30 12:02  mysql_upgrade_info
srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_var_run_t:s0        0 Mar 30 12:02  mysqlx.sock
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0             7 Mar 30 12:02  mysqlx.sock.lock
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0          8192 Mar 30 12:02  performance_schema
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          1680 Mar 30 12:02  private_key.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0           452 Mar 30 12:02  public_key.pem
-rw-r--r--. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          1112 Mar 30 12:02  server-cert.pem
-rw-------. 1 mysql mysql system_u:object_r:mysqld_db_t:s0          1676 Mar 30 12:02  server-key.pem
drwxr-x---. 2 mysql mysql system_u:object_r:mysqld_db_t:s0            28 Mar 30 12:02  sys
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0      16777216 Mar 30 12:02  undo_001
-rw-r-----. 1 mysql mysql system_u:object_r:mysqld_db_t:s0      16777216 Mar 30 12:02  undo_002
[cb/LI] hoiroot@li-lc-2796:~$ sudo restorecon -Rvn /var/lib/mysql
Would relabel /var/lib/mysql/mysqlx.sock from system_u:object_r:mysqld_var_run_t:s0 to system_u:object_r:mysqld_db_t:s0
[cb/LI] hoiroot@li-lc-2796:~$
~~~



Actual results:

The fcontexts only have support for mysql.sock and not the mysqlx.sock:
~~~
[cb/LI] hoiroot@li-lc-2796:~$ sudo semanage fcontext -l | grep /var/lib/mysql
/var/lib/mysql(-files|-keyring)?(/.*)?             all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0
[cb/LI] hoiroot@li-lc-2796:~$
~~~

Expected results:

The proposed solution is to change the regex to also match 'mysqlx', e.g. to use '/var/lib/mysql/mysql(x)?\.sock'

Additional info:
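
The relabel behaviour reported above, modelled as an added example (not part of the original report and not the mysql-selinux project's code): it resolves paths from the `ls -lZ` listing against the shipped rules and against the proposed regex. The rule tables and listing are constructed from the output above; the precedence rule (longest literal stem wins) is a simplifying assumption, not libselinux's exact ordering.

```python
import re

# Constructed rule sets: (path regex, file type, SELinux type). SHIPPED mirrors the
# `semanage fcontext -l` output in the report; PROPOSED swaps in the suggested regex.
SHIPPED = [
    (r"/var/lib/mysql(-files|-keyring)?(/.*)?", "all files", "mysqld_db_t"),
    (r"/var/lib/mysql/mysql\.sock", "socket", "mysqld_var_run_t"),
]
PROPOSED = [SHIPPED[0],
            (r"/var/lib/mysql/mysql(x)?\.sock", "socket", "mysqld_var_run_t")]

META = set(".^$?*+|[](){}")

def literal_stem_len(regex):
    """Length of the literal prefix before the first unescaped metacharacter."""
    n, i = 0, 0
    while i < len(regex):
        if regex[i] == "\\":        # an escaped character is one literal
            i, n = i + 2, n + 1
        elif regex[i] in META:
            break
        else:
            i, n = i + 1, n + 1
    return n

def lookup(rules, path, ftype):
    """Return the type a relabel would assign to `path` of kind `ftype`."""
    hits = [r for r in rules
            if r[1] in ("all files", ftype) and re.fullmatch(r[0], path)]
    if not hits:
        return None
    # Assumption: the most specific rule wins, approximated by the longest
    # literal stem, then by having an explicit file type.
    best = max(hits, key=lambda r: (literal_stem_len(r[0]), r[1] != "all files"))
    return best[2]

def relabel_report(rules, listing):
    """Mimic `restorecon -n`: (path, current, expected) where labels differ."""
    return [(p, cur, lookup(rules, p, t)) for p, t, cur in listing
            if lookup(rules, p, t) != cur]

# Constructed from the `ls -lZ /var/lib/mysql` output in the report.
LISTING = [
    ("/var/lib/mysql/mysql.sock", "socket", "mysqld_var_run_t"),
    ("/var/lib/mysql/mysqlx.sock", "socket", "mysqld_var_run_t"),
    ("/var/lib/mysql/mysqlx.sock.lock", "regular file", "mysqld_db_t"),
    ("/var/lib/mysql/ibdata1", "regular file", "mysqld_db_t"),
]

if __name__ == "__main__":
    print("shipped :", relabel_report(SHIPPED, LISTING))
    print("proposed:", relabel_report(PROPOSED, LISTING))
```

With the shipped rules only `mysqlx.sock` is flagged, matching the `restorecon -Rvn` line in the report; with the proposed regex nothing is flagged and the `.lock` files still resolve to `mysqld_db_t`.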

Comment 1 Lukas Javorsky 2023-07-11 09:32:26 UTC
Fix by adobes: https://github.com/devexp-db/mysql-selinux/pull/3

Comment 2 Adam Dobes 2023-07-18 10:54:00 UTC
CentOS Stream 8 MR created: https://gitlab.com/redhat/centos-stream/rpms/mysql-selinux/-/merge_requests/4

Comment 8 errata-xmlrpc 2023-11-14 15:36:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mysql-selinux bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7040

