Synchronize with 'mysql-selinux' upstream #2360

Open
wants to merge 5 commits into
base: rawhide

FaramosCZ

Together with devexp-db/mysql-selinux#7 it completely synchronizes the content of the mysql.* files in these two repositories.

FaramosCZ and others added 5 commits September 24, 2024 04:10
…#2221433 rhbz#2245705

I verified the policy compiles successfully in Fedora before pushing

--

Cherry-picked commit:
  devexp-db/mysql-selinux@a672fbb
…the 'memory.pressure' file in cgroup2

--

Note:
The original suggestion was:
  allow mysqld_t cgroup_t:file { read write };
however one should not use a SELinux type from outside of their own SELinux module

--

Note from Daniel Black:
For clarity
  MariaDB/server@2323483#diff-ed06407705f2d1088e796ecb0c9592f1928f7b86fa8e48cbbe50f589fce18f3cR801
is the write to describe the PSI event desired from the kernel.
ref: https://www.kernel.org/doc/html/latest/accounting/psi.html

--

Resolves: RHBZ#2294899 RHBZ#2256002

--

Cherry-picked commit:
  devexp-db/mysql-selinux@d39fb26

zpytela commented Sep 24, 2024

Notes only partially related to this commit, but since we are here:

  1. Rules for different domains should be separated, i.e. do not mix rules for mysqld_t and mysqld_safe_t.
  2. Order of interface calls should be kept, i.e. kernel is the first after manage rules and then alphabetically. Interfaces in optional blocks should be sorted alphabetically, too.
  3. Is there a reason for having mariadb-backup?
  4. Non-base interfaces should be in an optional block (sysnet, logging, auth, userdom, usermanage).

Anyway, we currently consider removing sources of modules like mysql and keeping only interface files; mysql.if seems to be synced.

@FaramosCZ

I've prepared devexp-db/mysql-selinux#8 based on your feedback.
Please review them.
Once merged, I'll update this PR accordingly.

Regarding the mariadb-backup, the original commit that introduced it states:

mariadb-backup needs to access raw files so give it the same context as the server.

Which IMO makes sense, it offers multiple backup methods, with some making physical backups of the raw DB files, so it needs to be permitted to work with them.
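
The commit note earlier in this thread rejects `allow mysqld_t cgroup_t:file { read write };` because `cgroup_t` is a type from outside the module. A small lint for that convention follows, as an added example that is not part of this PR or of either repository. The sample policy text and the `foreign_types` helper are constructed for illustration, and the check assumes each rule's source and target sit on one line.

```python
import re

# Constructed sample .te text for illustration; it is not the PR's mysql.te.
SAMPLE_TE = """\
policy_module(mysql, 1.0.0)
type mysqld_t;
type mysqld_safe_t;
type mysqld_db_t, file_type;   # an attribute list after the name is allowed
type_transition mysqld_safe_t mysqld_db_t:file mysqld_db_t;
allow mysqld_t mysqld_db_t:file { read write };
allow mysqld_t cgroup_t:file { read write };   # the rejected suggestion
allow mysqld_safe_t { mysqld_db_t var_log_t }:dir search;
allow mysqld_t self:process signal;
"""

# `type foo_t ...;` only; "type_transition" does not match because of \s+.
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)")
# Source and target are each a single name or a { brace set }.
AV_RULE = re.compile(
    r"^\s*(?:allow|dontaudit|auditallow)\s+"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:")


def names(field):
    """Split 'foo_t' or '{ foo_t bar_t }' into a list of identifiers."""
    return field.strip("{}").split()


def foreign_types(te_text):
    """Return (line_number, type_name) for each *_t name used as source or
    target of an access-vector rule without a `type` line in the same text.
    Limitation: a `type` line inside a require block also counts as local."""
    lines = [l.split("#", 1)[0] for l in te_text.splitlines()]
    declared = {m.group(1) for l in lines if (m := TYPE_DECL.match(l))}
    findings = []
    for no, line in enumerate(lines, 1):
        m = AV_RULE.match(line)
        if not m:
            continue
        for name in names(m.group(1)) + names(m.group(2)):
            if name.endswith("_t") and name not in declared:
                findings.append((no, name))
    return findings


if __name__ == "__main__":
    for no, name in foreign_types(SAMPLE_TE):
        print(f"line {no}: {name} is not declared in this module; "
              "call the owning module's interface instead")
```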
