So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS because we use systemd services right?
Thanks for clarifying Lukas On Sun, Mar 14, 2021 at 12:42 AM Daniel Black <[email protected]> wrote: > > This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968 > where the setuid is only tried if mariadbd --user is specified. > > This isn't the case with systemd service files (which set the user) > https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50 > where > the CAP_IPC_LOCK capability gives the user the memlock rather than setuid. > > So maybe it is safe to drop the mysqld_t setgid setuid from the policy for > the common case of a user running systemd service which also works if they > are using memlock. > > While we are looking at the list, assuming sys_resource maps to > CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is > done in the systemd service. > in the server code this is capped anyway - > https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42 > > sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid, > -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are > used. > Maybe we should have > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE= > instead. Advice welcome. > > allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no > longer used for large pages - anon mmap is used. > > rw_fifo_file_perms - one test case created a fifo - > mysql-test/main/log_errchk.test, the server has some code to handle if log > files externally created are fifos, but it doesn't create them itself. > galera code mentions fifo's a lot, however its an internal structure. > Script > https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh#L454 > mentios fifos, however this > appears to just be using pv to rate limit. > > https://github.com/MariaDB/server/pull/1553 is probably needed too. > > I see > https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L106 > probably covers https://github.com/MariaDB/server/pull/1131. > > > > > On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <[email protected]> > wrote: > >> Hi, Lukas! >> >> > I found that setuid/setgid is used inside mysqld_safe_helper >> > (mariadbd-safe-helper). >> > Are there any other cases when MariaDB uses these functions? >> >> Yes, in the server. If the server is started with --memlock it does >> >> mlockall(MCL_CURRENT) >> >> to prevent itself from being swapped. This needs root, and the server >> uses setuid/setgid to drop root privileges after mlockall. >> >> Regards, >> Sergei >> VP of MariaDB Server Engineering >> and [email protected] >> >> _______________________________________________ >> Mailing list: https://launchpad.net/~maria-discuss >> Post to : [email protected] >> Unsubscribe : https://launchpad.net/~maria-discuss >> More help : https://help.launchpad.net/ListHelp >> > -- S pozdravom/ Best regards Lukáš Javorský Associate Software Engineer, Core service - Databases Red Hat <https://www.redhat.com> Purkyňova 115 (TPB-C) 612 00 Brno - Královo Pole [email protected] <https://www.redhat.com>
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : [email protected] Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
