From 2fec644b1a4eba330e91636c312955038e331d7e Mon Sep 17 00:00:00 2001
From: Michal Schorm
Date: Wed, 8 Jun 2022 14:35:05 +0200
Subject: [PATCH 1/5] [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname'

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2089664 https://bugzilla.redhat.com/show_bug.cgi?id=2073386
--
Cherry-picked commit: https://github.com/devexp-db/mysql-selinux/commit/45d5f31921a770db842a178d0f71e61823eda606
---
 policy/modules/contrib/mysql.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 13e14d78b0..610c052c4b 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -251,6 +251,7 @@ mysql_write_log(mysqld_safe_t)

 optional_policy(`
 hostname_exec(mysqld_safe_t)
+ hostname_exec(mysqld_t)
 ')

 ########################################

From 5ee9518da7a431d531602dcdea28a9ef58b27153 Mon Sep 17 00:00:00 2001
From: Michal Schorm
Date: Sat, 18 Nov 2023 13:05:06 +0100
Subject: [PATCH 2/5] [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705

I verified the policy compiles successfuly in Fedora before pushing
--
Cherry-picked commit: https://github.com/devexp-db/mysql-selinux/commit/a672fbbb107afe2529f68b4c4ad8841d97c5ddb2
---
 policy/modules/contrib/mysql.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 610c052c4b..656d4f922a 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
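Review bot: The added `hostname_exec(mysqld_t)` carries no comment saying why the daemon itself, and not only the mysqld_safe wrapper on the line above, needs to run /usr/bin/hostname; the bug references live only in the commit message, and the next person reading mysql.te will not have them. If `hostname_exec()` is the usual refpolicy can_exec() interface with no domain transition, hostname runs with mysqld_t's full permission set, which is acceptable for a helper that only prints the host name but is worth stating. Suggest `# mysqld (presumably via helper scripts it spawns) runs /usr/bin/hostname; rhbz#2089664 rhbz#2073386` above the new line. The optional_policy block is fully visible in the hunk.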
@@ -76,6 +76,9 @@ allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;

+kernel_read_network_state(mysqld_t)
+kernel_read_net_sysctls(mysqld_t)
+
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)

From 8e398db4b33bb6cc415c52aafd1919d358152043 Mon Sep 17 00:00:00 2001
From: Michal Schorm
Date: Fri, 16 Aug 2024 00:39:25 +0200
Subject: [PATCH 3/5] [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup

--
Note: The original suggestion was: allow mysqld_t cgroup_t:file { read write }; however one should not use a SELinux type from outside of their own SELinux module
--
Note from Daniel Black: For clarity https://github.com/MariaDB/server/commit/2323483528fbc5116c2990a208afddd775ee0e85#diff-ed06407705f2d1088e796ecb0c9592f1928f7b86fa8e48cbbe50f589fce18f3cR801 is the write to describe the PSI event desired from the kernel. ref: https://www.kernel.org/doc/html/latest/accounting/psi.html
--
Resolves: RHBZ#2294899 RHBZ#2256002
--
Cherry-picked commit: https://github.com/devexp-db/mysql-selinux/commit/d39fb268348ea3b1bdbee08bc8c4e945e313cb6f
---
 policy/modules/contrib/mysql.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 656d4f922a..38f358e05b 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
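Review bot: `kernel_read_network_state(mysqld_t)` and `kernel_read_net_sysctls(mysqld_t)` are added with no inline rationale, and the commit message only lists bug numbers; as I read refpolicy the first interface opens all of /proc/net (every socket and route table on the host, not only mysqld's), which is wider than a listen-backlog or interface lookup normally needs. Before keeping both, check the AVCs in rhbz#2186996, rhbz#2221433 and rhbz#2245705 for the paths that were actually denied — if it is only something under /proc/sys/net (e.g. core/somaxconn), `kernel_read_net_sysctls()` alone covers it. Whichever pair survives, add a comment such as `# rhbz#2186996 rhbz#2221433 rhbz#2245705: mysqld reads /proc/sys/net/* and /proc/net/* at startup — confirm both are required` so the grant can be re-evaluated later.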
@@ -79,6 +79,10 @@ allow mysqld_t self:udp_socket create_socket_perms;
 kernel_read_network_state(mysqld_t)
 kernel_read_net_sysctls(mysqld_t)

+# Allow mysqld_t to read to memory.pressure in cgroup
+fs_read_cgroup_files(mysqld_t)
+fs_write_cgroup_files(mysqld_t)
+
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)

From 69d38ca75f46d0c0e8663aca7850677b2c7466e4 Mon Sep 17 00:00:00 2001
From: Adam Dobes
Date: Tue, 11 Jul 2023 10:33:00 +0200
Subject: [PATCH 4/5] [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock'

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2186519
--
Cherry-picked commit: https://github.com/devexp-db/mysql-selinux/commit/234de5d9b980e446a06dd1ef86f8fc5215c4b5d7
---
 policy/modules/contrib/mysql.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index 5ec3a0e774..b48b8ec378 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -48,7 +48,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
 # /var
 #
 /var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/lib/mysql/mysql(x)?\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)

 /var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
 /var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)

From 43091a676f296a8229623a4022c9713884f76fc7 Mon Sep 17 00:00:00 2001
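Review bot: The new comment `# Allow mysqld_t to read to memory.pressure in cgroup` understates the rule under it: `fs_write_cgroup_files(mysqld_t)` grants write on every cgroup_t file, not just memory.pressure, and the commit message itself says the write is needed to register a PSI trigger, so "read to" is both a typo and incomplete. Make the comment match the grant and record its breadth, e.g. `# PSI: mysqld writes a trigger to memory.pressure in its own cgroup (rhbz#2294899, rhbz#2256002); fs_write_cgroup_files() also covers every other cgroup_t file (cgroup.procs, memory.max, ...) — presumably only DAC ownership keeps a compromised mysqld off those, confirm`. If this policy provides a combined read/write cgroup-files interface it would collapse the pair into one line, but filesystem.if is not visible from here. The surrounding manage_*_pattern lines are context only.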
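Review bot: Style point on the new file context in mysql.fc: `mysql(x)?\.sock` wraps a single character in a capture group that nothing refers to; `/var/lib/mysql/mysqlx?\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)` matches exactly the same two names and reads as the obvious "optional x". Both sockets keep mysqld_var_run_t with the `-s` socket-only qualifier, which is consistent with the entry it replaces, so the labelling itself looks right. The neighbouring /var/lib and /var/log entries are unchanged context.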
From: Michal Schorm
Date: Tue, 24 Sep 2024 03:42:01 +0200
Subject: [PATCH 5/5] [5/5][sync from 'mysql-selinux'] Add mariadb-backup

--
Cherry-picked missing piece from commit: https://github.com/devexp-db/mysql-selinux/commit/d4b14cddbb43234dace42bdcd51af57a27a005c6
---
 policy/modules/contrib/mysql.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index b48b8ec378..0799345b12 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -44,6 +44,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
 /usr/libexec/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mariadb-backup -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
 #
 # /var
 #
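Review bot: Labelling `/usr/bin/mariadb-backup` as `mysqld_exec_t` turns an admin/cron backup tool into an entrypoint of the daemon domain: assuming mysqld_exec_t is the type mysqld_t transitions from (the init_daemon_domain() call is not in this hunk), a backup started from a systemd service or timer will run as mysqld_t with the daemon's full access, while one run by an unconfined admin will not transition at all, so the new line changes behaviour only for scheduled runs. That may be intended, since the tool needs the mysqld_db_t datadir, but nothing in the hunk labels a backup destination the mysqld_t copy could write to, and the .fc entry carries no comment beyond "cherry-picked". Suggest `# mariadb-backup needs the datadir (mysqld_db_t); it runs as mysqld_t when launched from init` above the new entry, and confirm that the synced Fedora policy carries the matching mysqld_t rules for the backup target before merging.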