2221433 – SELinux is preventing mariadbd from 'search' accesses on the directory net.

Bug 2221433 - SELinux is preventing mariadbd from 'search' accesses on the directory net.

Summary: SELinux is preventing mariadbd from 'search' accesses on the directory net.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	mysql-selinux
Sub Component:
Version:	38
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Michal Schorm
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:4543e3b644fd226b4089e115da1...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-08 23:59 UTC by dan
Modified:	2024-11-20 10:59 UTC (History)
CC List:	5 users (show)
Fixed In Version:	mysql-selinux-1.0.9-1.fc40 mysql-selinux-1.0.10-1.fc40 mysql-selinux-1.0.10-1.fc39 mysql-selinux-1.0.10-1.fc38 mysql-selinux-1.0.10-1.fc37
Clone Of:
Environment:
Last Closed:	2023-11-27 01:53:51 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (1.85 KB, text/plain) 2023-07-08 23:59 UTC, dan	no flags	Details
File: os_info (734 bytes, text/plain) 2023-07-08 23:59 UTC, dan	no flags	Details
View All

Description dan 2023-07-08 23:59:11 UTC

Description of problem:
SELinux is preventing mariadbd from 'search' accesses on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mariadbd should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mariadbd' --raw | audit2allow -M my-mariadbd
# semodule -X 300 -i my-mariadbd.pp

Additional Information:
Source Context                system_u:system_r:mysqld_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        mariadbd
Source Path                   mariadbd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.17-1.fc38.noarch
Local Policy RPM              mysql-selinux-1.0.5-3.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.8-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jun 15 02:15:40 UTC 2023
                              x86_64
Alert Count                   22
First Seen                    2023-04-15 13:59:39 EDT
Last Seen                     2023-07-08 16:13:42 EDT
Local ID                      81b23eb7-79bb-4070-94f3-208998c1eebd

Raw Audit Messages
type=AVC msg=audit(1688847222.756:17470): avc:  denied  { search } for  pid=1379 comm="mariadbd" name="net" dev="proc" ino=18692 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0


Hash: mariadbd,mysqld_t,sysctl_net_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-38.17-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
package:        selinux-policy-targeted-38.17-1.fc38.noarch
component:      mysql-selinux
hashmarkername: setroubleshoot
type:           libreport
reason:         SELinux is preventing mariadbd from 'search' accesses on the directory net.
kernel:         6.3.8-200.fc38.x86_64
component:      mysql-selinux



Potential duplicate: bug 2186996

Comment 1 dan 2023-07-08 23:59:14 UTC

Created attachment 1974816 [details]
File: description

Comment 2 dan 2023-07-08 23:59:15 UTC

Created attachment 1974817 [details]
File: os_info

Comment 3 Michal Schorm 2023-07-27 08:17:18 UTC

Hello,
could you please describe your intention or use-case, that led you to this situation?

Because I'd guess that the 'mariadbd' would likely want not only to 'search' the directory, but also operate on the files inside.
A description or reproducer would help me understand what's going on and fix the SELinux rules in more accurate way.

Comment 4 dan 2023-07-27 13:26:02 UTC

Cause is unknown.  I don't do anything special other than access the db across the network.

Comment 5 dan 2023-10-05 15:15:45 UTC

Accessed DB across the network from a Windows mysql ODBC client.


package:        selinux-policy-targeted-38.22-1.fc38.noarch
comment:        Accessed DB across the network from a Windows mysql ODBC client.
hashmarkername: setroubleshoot
type:           libreport
reason:         SELinux is preventing mariadbd from 'search' accesses on the directory net.
kernel:         6.4.7-200.fc38.x86_64

Comment 6 Anthony Messina 2023-11-11 17:22:18 UTC

Is this the same as #2186996?

I can confirm this issue exists in Fedora 39.

Comment 7 Fedora Update System 2023-11-17 22:59:03 UTC

FEDORA-2023-2b65fa4f45 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-2b65fa4f45

Comment 8 Fedora Update System 2023-11-17 23:09:39 UTC

FEDORA-2023-2b65fa4f45 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Michal Schorm 2023-11-17 23:19:37 UTC

Sorry for the misleading Fedora Update reports.
This issue has NOT been fixed.

I've made an attempt to fix it, but I was unsuccessful.
I've reverted the respective commit on the upstream of the 'mysql-selinux' package, however the update automation still picked up the BZ number from the reverted commit message and used them to mark those BZs as resolved.

While the fix attempt I made wasn't working, I believe the research behind it I've made should be correct.
  https://github.com/devexp-db/mysql-selinux/commit/de84778e555b891fd9ea5f3111c87a4990650d6c

I'll try again after consultation with someone proficient in writing SELinux rules.

Comment 10 Fedora Update System 2023-11-18 12:33:44 UTC

FEDORA-2023-26954ac6f4 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-26954ac6f4

Comment 11 Fedora Update System 2023-11-18 12:36:36 UTC

FEDORA-2023-26954ac6f4 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2023-11-18 15:15:50 UTC

FEDORA-2023-de0c445f23 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-de0c445f23

Comment 13 Fedora Update System 2023-11-18 15:15:51 UTC

FEDORA-2023-50b22e7196 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-50b22e7196

Comment 14 Michal Schorm 2023-11-18 15:18:37 UTC

This is the actual update that should fix your issue, please test it:
  https://bodhi.fedoraproject.org/updates/?search=mysql-selinux-1.0.10

Comment 15 Fedora Update System 2023-11-19 02:49:22 UTC

FEDORA-2023-de0c445f23 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-de0c445f23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-de0c445f23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2023-11-19 03:06:17 UTC

FEDORA-2023-50b22e7196 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-50b22e7196`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-50b22e7196

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2023-11-19 03:19:07 UTC

FEDORA-2023-f5860f0475 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f5860f0475`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f5860f0475

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 18 Fedora Update System 2023-11-27 01:53:51 UTC

FEDORA-2023-de0c445f23 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 19 Fedora Update System 2023-11-27 02:31:18 UTC

FEDORA-2023-50b22e7196 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 20 Fedora Update System 2023-11-27 02:40:47 UTC

FEDORA-2023-f5860f0475 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2024-11-20 08:43:37 UTC

FEDORA-2024-8beb0aba20 (selinux-policy-41.26-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-8beb0aba20

Comment 22 Fedora Update System 2024-11-20 10:59:29 UTC

FEDORA-2024-8beb0aba20 (selinux-policy-41.26-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.