Bug 607928 - dev-db/mariadb-10.0.29 and problems with centos6 selinux policy
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2017-02-01 17:36 UTC by Kent F. Davis
Modified: 2017-04-19 17:06 UTC
Attachments
build.log (file_607928.txt, 97.80 KB, text/plain) - 2017-02-01 17:36 UTC, Kent F. Davis
environment (file_607928.txt, 253.51 KB, text/plain) - 2017-02-01 17:36 UTC, Kent F. Davis
emerge --info (file_607928.txt, 5.73 KB, text/plain) - 2017-02-01 17:37 UTC, Kent F. Davis

Description Kent F. Davis 2017-02-01 17:36:10 UTC
Created attachment 462106: build.log

dev-db/mariadb will not upgrade from 10.0.28 to 10.0.29 on x64 hardened/linux/amd64/selinux profile.

[  1%] Built target comp_sql
make -f support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build.make support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/depend
make[2]: Entering directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
cd /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64 && /usr/bin/cmake -E cmake_depends "Unix Makefiles" /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql/support-files/SELinux /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64 /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/DependInfo.cmake
Dependee "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/DependInfo.cmake" is newer than depender "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/depend.internal".
Dependee "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/CMakeDirectoryInformation.cmake" is newer than depender "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/depend.internal".
Scanning dependencies of target centos6-mariadb-pp
make[2]: Leaving directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
make -f support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build.make support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build
make[2]: Entering directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
[  1%] Generating centos6-mariadb.pp
cd /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux && /usr/bin/checkmodule -M -m /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql/support-files/SELinux/centos6-mariadb.te -o /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/centos6-mariadb.mod
/usr/bin/checkmodule:  Module name mariadb is different than the output base filename centos6-mariadb
/usr/bin/checkmodule:  loading policy configuration from /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql/support-files/SELinux/centos6-mariadb.te
make[2]: *** [support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build.make:61: support-files/SELinux/centos6-mariadb.pp] Error 1
make[2]: Leaving directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
make[1]: *** [CMakeFiles/Makefile2:4317: support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/all] Error 2
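
The checkmodule message in the build log above says the module name (mariadb) differs from the output base filename (centos6-mariadb). As an added example (not part of the bug report or of MariaDB's build files), this shell lint makes the same comparison on a .te source before the build runs; the function names and the sample policy text are constructed, and the extension-stripping rule is an assumption based on the names in the log.

```shell
#!/bin/sh
# Added example: lint an SELinux module source before checkmodule runs.

# Write a constructed sample policy source (not the upstream file).
make_sample_te() {
    cat > "$1" <<'EOF'
module mariadb 1.0;

require {
    type mysqld_safe_t;
    class process setpgid;
}

allow mysqld_safe_t self:process setpgid;
EOF
}

# Print the name from the first "module <name> <version>;" statement.
te_module_name() {
    sed -n 's/^[[:space:]]*module[[:space:]]\{1,\}\([A-Za-z0-9_.-]\{1,\}\)[[:space:]]\{1,\}[0-9][0-9.]*[[:space:]]*;.*$/\1/p' "$1" | head -n 1
}

# Assumption: the "output base filename" is the -o path without its
# directory and final extension, as the names in the log suggest.
output_base() {
    b=${1##*/}
    printf '%s\n' "${b%.*}"
}

# Returns 0 on match, 1 on mismatch, 2 if no module statement is found.
check_module_name() {
    name=$(te_module_name "$1")
    if [ -z "$name" ]; then
        echo "lint: no module statement in $1" >&2
        return 2
    fi
    base=$(output_base "$2")
    if [ "$name" != "$base" ]; then
        echo "lint: module name $name differs from output base $base" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample, using the file names from the log.
tmp=$(mktemp -d)
make_sample_te "$tmp/centos6-mariadb.te"
check_module_name "$tmp/centos6-mariadb.te" "$tmp/centos6-mariadb.mod" \
    || echo "lint exit status: $?"
rm -rf "$tmp"
```
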
Comment 1 Kent F. Davis 2017-02-01 17:36:45 UTC
Created attachment 462108: environment
Comment 2 Kent F. Davis 2017-02-01 17:37:36 UTC
Created attachment 462110: emerge --info
Comment 3 Brian Evans (RETIRED) gentoo-dev 2017-02-01 18:42:51 UTC
MariaDB has been fixed in the eclass to remove this policy installation.

If SELinux team wants to add to their policy like https://github.com/MariaDB/server/tree/10.0/support-files/SELinux, that's fine.

The default OpenRC and systemd service files do not call mysqld_safe so this would only block user instantiated calls to it on SELinux.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2017-04-10 18:32:08 UTC
Thanks for not taking up the SELinux policy offered by upstream during the build. That wouldn't (keep) work(ing) on Gentoo Hardened/SELinux anyway.

To support MariaDB, we need to enable its support through the reference policy (the upstream SELinux policy project we track), which will most likely adapt the existing MySQL policy to accomplish this.

I'm going to mark this bug as fixed (as the bug itself is about the CentOS delivered policy which was attempted to be installed during the build). If you need a MariaDB policy, please open a separate bug. You might want to try to look at the current mysql.fc file and adapt accordingly (which can be done through the "semanage fcontext" command).

Current mysql.fc file: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/mysql.fc

Info on semanage fcontext: https://wiki.gentoo.org/wiki/SELinux/Tutorials/Controlling_file_contexts_yourself
Comment 5 Jason Zaman gentoo-dev 2017-04-19 17:06:32 UTC
(In reply to Sven Vermeulen from comment #4)
> To support MariaDB, we need to enable its support through the reference
> policy (the upstream SELinux policy project we track), which will most
> likely adapt the existing MySQL policy to accomplish this.

mariadb already works fine afaict. I don't use it heavily but haven't run into any issues at all so far.