Hi, Clint!

On Jan 05, Clint Dilks wrote:
> Hi,
>
> Today I have updated a CentOS 6.8 system that has MariaDB-server
> installed from http://yum.mariadb.org/5.5/centos6-amd64 and found that
> I had an SELinux issue when I tried to restart the service.
>
> Using the information at https://wiki.centos.org/HowTos/SELinux I have
> created a local policy that seems to fix things
>
> module marialocal 1.0;
>
> require {
>         type mysqld_safe_t;
>         class capability { setuid setgid };
> }
>
> #============= mysqld_safe_t ==============
>
> allow mysqld_safe_t self:capability setgid;
> allow mysqld_safe_t self:capability setuid;
>
> This seems to fix things for me, but I thought I had better see if
> others are experiencing the same problem?

Yes, it's not only you. See, for example,
https://jira.mariadb.org/browse/MDEV-11676
(although it is not about fixing the issue, only about a correct error
message)

5.5.54 comes with a new helper binary that does setuid/setgid internally,
that's why selinux is unhappy. This helper is used by mysqld_safe to drop
root privileges before creating files, for example.

> It may be useful to know that the particular rpms are
> MariaDB-server-5.5.54-1.el6.x86_64 and
> selinux-policy-3.7.19-292.el6_8.2.noarch.
>
> If it is a bigger issue than just myself, should I report this somewhere
> else to see if we can get a fix added to the next MariaDB-server rpm?

What could a fix be?

* Include a new selinux policy into the rpm?
  - Is that possible?
* Don't do setuid/setgid and create files as root?
  - This would be dangerous from a security point of view
* Don't use a helper and use "su -c ..."?
  - It'll fill the syslog with noise.
* Any other option?

Regards,
Sergei
Chief Architect MariaDB
and secur...@mariadb.org
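
An added example, not part of the thread or of MariaDB's packaging: a Python check that the local policy quoted above grants exactly the permissions the AVC denials ask for and nothing more. The audit.log lines (including the comm value and timestamps) are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample audit.log lines (not taken from the thread).
AUDIT_LOG = '''\
type=AVC msg=audit(1483574400.101:201): avc:  denied  { setgid } for  pid=2301 comm="helper" capability=6  scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1483574400.102:202): avc:  denied  { setuid } for  pid=2301 comm="helper" capability=7  scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1483574460.310:215): avc:  denied  { setuid } for  pid=2377 comm="helper" capability=7  scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=capability
'''

# The local policy module as quoted in the thread.
POLICY_TE = '''\
module marialocal 1.0;
require {
        type mysqld_safe_t;
        class capability { setuid setgid };
}
allow mysqld_safe_t self:capability setgid;
allow mysqld_safe_t self:capability setuid;
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)')
ALLOW_RE = re.compile(r'^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+));', re.M)

def denied(log):
    """Return {(source_type, target_type, class, perm)} for every AVC denial."""
    out = set()
    for perms, scon, tcon, tclass in AVC_RE.findall(log):
        # A context is user:role:type:level; only the type matters to TE rules.
        src, tgt = scon.split(":")[2], tcon.split(":")[2]
        out |= {(src, tgt, tclass, p) for p in perms.split()}
    return out

def allowed(te):
    """Return the same tuples for every allow rule in a .te module."""
    out = set()
    for src, tgt, tclass, braced, single in ALLOW_RE.findall(te):
        tgt = src if tgt == "self" else tgt  # 'self' means the source type
        out |= {(src, tgt, tclass, p) for p in (braced or single).split()}
    return out

def audit_policy(log, te):
    """Compare denials with rules: what is still blocked, what is granted unasked."""
    d, a = denied(log), allowed(te)
    return {"still_denied": sorted(d - a), "excess": sorted(a - d)}

if __name__ == "__main__":
    print(audit_policy(AUDIT_LOG, POLICY_TE))
```

An empty "excess" list means the module is no broader than the denials observed; anything listed there is a permission the log never asked for.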