On Mon, Mar 15, 2021 at 10:31 PM Lukas Javorsky <[email protected]> wrote:
> So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS
> because we use systemd services right?
>

correct

Seems using mariadb memlock requires a LimitMEMLOCK too which needs extended documentation in https://mariadb.com/kb/en/systemd/.

Packaging / selinux related:

1. /etc/my.cnf.d/mariadb-server.cnf contains log-error=/var/log/mariadb/mariadb.log

Without log-error set, the service will output to stdout/error and be captured by journald. Would this be better packaging for you? This would help your outstanding rhbz on logrotation that I also haven't fixed upstream.

2. exec names now mariadb

in 10.4 we put mariadb names on executables as symlinks to mysql named binaries. in 10.5 this was reversed. This is a slow move to phase out these mysql names that I hope you can help with.

e.g. (10.4)
ls -al /usr/libexec/mariadbd
lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld

What would help significantly is if the mariadb names got into the selinux fc file. In https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.fc, I'm

With this the executables in the service could change.

3. mariadb.service

/usr/libexec/mysql-check-socket is excessive - recent systemd won't allow a second process in the same cgroup when it has SendSIGKILL=no (https://github.com/systemd/systemd/issues/8630)

On other Start{Pre,Post} in the service would you consider changing the name to mariadb?

Documentation="man:mariadbd(8)"

There's a fair few comments in https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in and its history that are probably relevant.

selinux and the mariadb PAM probably need a test/investigation too. Happy to help if I can.

Thanks for clarifying
> Lukas
>
> On Sun, Mar 14, 2021 at 12:42 AM Daniel Black <[email protected]> wrote:
>
>>
>> This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968
>> where the setuid is only tried if mariadbd --user is specified.
>>
>> This isn't the case with systemd service files (which set the user)
>> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50
>> where
>> the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
>>
>> So maybe it is safe to drop the mysqld_t setgid setuid from the policy
>> for the common case of a user running systemd service which also works if
>> they are using memlock.
>>
>> While we are looking at the list, assuming sys_resource maps to
>> CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
>> done in the systemd service.
>> in the server code this is capped anyway -
>> https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
>>
>> sys_nice - seems to be related to an innodb setpriority(PRIO_PROCESS, tid,
>> -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are
>> used.
>> Maybe we should have
>> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE=
>> instead. Advice welcome.
>>
>> allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no
>> longer used for large pages - anon mmap is used.
>>
>> rw_fifo_file_perms - one test case created a fifo -
>> mysql-test/main/log_errchk.test, the server has some code to handle if log
>> files externally created are fifos, but it doesn't create them itself.
>> galera code mentions fifos a lot, however it's an internal structure.
>> Script
>> https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh#L454
>> mentions fifos, however this
>> appears to just be using pv to rate limit.
>>
>> https://github.com/MariaDB/server/pull/1553 is probably needed too.
>>
>> I see
>> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L106
>> probably covers https://github.com/MariaDB/server/pull/1131.
>>
>>
>> On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <[email protected]>
>> wrote:
>>
>>> Hi, Lukas!
>>>
>>> > I found that setuid/setgid is used inside mysqld_safe_helper
>>> > (mariadbd-safe-helper).
>>> > Are there any other cases when MariaDB uses these functions?
>>>
>>> Yes, in the server. If the server is started with --memlock it does
>>>
>>>   mlockall(MCL_CURRENT)
>>>
>>> to prevent itself from being swapped. This needs root, and the server
>>> uses setuid/setgid to drop root privileges after mlockall.
>>>
>>> Regards,
>>> Sergei
>>> VP of MariaDB Server Engineering
>>> and [email protected]
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~maria-discuss
>>> Post to     : [email protected]
>>> Unsubscribe : https://launchpad.net/~maria-discuss
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>
>
> --
> S pozdravom/ Best regards
>
> Lukáš Javorský
>
> Associate Software Engineer, Core service - Databases
>
> Red Hat <https://www.redhat.com>
>
> Purkyňova 115 (TPB-C)
>
> 612 00 Brno - Královo Pole
>
> [email protected]
> <https://www.redhat.com>
>
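
A check for the conditions discussed in this thread (a non-root User=, no --user on the command line, CAP_IPC_LOCK, LimitMEMLOCK), added here as an example; it is not code from the thread, from MariaDB or from the Fedora packaging. Both unit texts are constructed, and the `mysql` user name and granting the capability through AmbientCapabilities= are assumptions.

```python
# Added example; both unit texts are constructed, not the packaged service file.
HARDENED_UNIT = """\
[Service]
User=mysql
ExecStart=/usr/libexec/mariadbd --memlock
AmbientCapabilities=CAP_IPC_LOCK
LimitMEMLOCK=infinity
"""
ROOT_START_UNIT = """\
[Service]
ExecStart=/usr/libexec/mariadbd --memlock --user=mysql
"""

def service_settings(unit_text):
    """Collect [Service] assignments; an empty assignment resets that key."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value:
                settings.setdefault(key, []).append(value)
            else:
                settings[key] = []
    return settings

def memlock_findings(unit_text):
    """List reasons --memlock would still rely on root plus setuid/setgid."""
    s = service_settings(unit_text)
    findings = []
    user = (s.get("User") or ["root"])[-1]  # scalar setting: last value wins
    if user in ("root", "0"):
        findings.append("User= is unset or root: the server starts as root")
    if any(a.startswith("--user") for c in s.get("ExecStart", []) for a in c.split()):
        findings.append("ExecStart passes --user: mariadbd will try setuid/setgid")
    # Assumption: the unit hands the capability to the non-root user this way.
    if "CAP_IPC_LOCK" not in " ".join(s.get("AmbientCapabilities", [])).split():
        findings.append("CAP_IPC_LOCK is not in AmbientCapabilities=")
    if not s.get("LimitMEMLOCK"):
        findings.append("LimitMEMLOCK= is not set")
    return findings

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED_UNIT), ("root-start", ROOT_START_UNIT)):
        print(name, memlock_findings(unit) or "no findings")
```

An empty list means the unit gives no reason for the server to start as root, which is the case where the mysqld_t setuid/setgid permissions are candidates for removal.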

