
Bug 607928

Summary: dev-db/mariadb-10.0.29 and problems with centos6 selinux policy
Product: Gentoo Linux
Reporter: Kent F. Davis <kent.f.davis>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: RESOLVED FIXED
Severity: normal
CC: mysql-bugs
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
See Also: https://jira.mariadb.org/browse/MDEV-11676
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: build.log, environment, emerge --info

Description Kent F. Davis 2017-02-01 17:36:10 UTC
Created attachment 462106 [details]
build.log

dev-db/mariadb will not upgrade from 10.0.28 to 10.0.29 on x64 hardened/linux/amd64/selinux profile.

[  1%] Built target comp_sql
make -f support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build.make support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/depend
make[2]: Entering directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
cd /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64 && /usr/bin/cmake -E cmake_depends "Unix Makefiles" /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql/support-files/SELinux /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64 /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/DependInfo.cmake
Dependee "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/DependInfo.cmake" is newer than depender "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/depend.internal".
Dependee "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/CMakeDirectoryInformation.cmake" is newer than depender "/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/depend.internal".
Scanning dependencies of target centos6-mariadb-pp
make[2]: Leaving directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
make -f support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build.make support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build
make[2]: Entering directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
[  1%] Generating centos6-mariadb.pp
cd /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux && /usr/bin/checkmodule -M -m /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql/support-files/SELinux/centos6-mariadb.te -o /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64/support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/centos6-mariadb.mod
/usr/bin/checkmodule:  Module name mariadb is different than the output base filename centos6-mariadb
/usr/bin/checkmodule:  loading policy configuration from /var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql/support-files/SELinux/centos6-mariadb.te
make[2]: *** [support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/build.make:61: support-files/SELinux/centos6-mariadb.pp] Error 1
make[2]: Leaving directory '/var/tmp/portage/dev-db/mariadb-10.0.29/work/mysql-abi_x86_64.amd64'
make[1]: *** [CMakeFiles/Makefile2:4317: support-files/SELinux/CMakeFiles/centos6-mariadb-pp.dir/all] Error 2

Comment 1 Kent F. Davis 2017-02-01 17:36:45 UTC
Created attachment 462108 [details]
environment

Comment 2 Kent F. Davis 2017-02-01 17:37:36 UTC
Created attachment 462110 [details]
emerge --info

Comment 3 Brian Evans (RETIRED) gentoo-dev 2017-02-01 18:42:51 UTC
MariaDB has been fixed in the eclass to remove this policy installation.

If SELinux team wants to add to their policy like https://github.com/MariaDB/server/tree/10.0/support-files/SELinux, that's fine.

The default OpenRC and systemd service files do not call mysqld_safe so this would only block user instantiated calls to it on SELinux.

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2017-04-10 18:32:08 UTC
Thanks for not taking up the SELinux policy offered by upstream during the build. That wouldn't (keep) work(ing) on Gentoo Hardened/SELinux anyway.

To support MariaDB, we need to enable its support through the reference policy (the upstream SELinux policy project we track), which will most likely adapt the existing MySQL policy to accomplish this.

I'm going to mark this bug as fixed (as the bug itself is about the CentOS delivered policy which was attempted to be installed during the build). If you need a MariaDB policy, please open a separate bug. You might want to try to look at the current mysql.fc file and adapt accordingly (which can be done through the "semanage fcontext" command).

Current mysql.fc file: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/mysql.fc

Info on semanage fcontext: https://wiki.gentoo.org/wiki/SELinux/Tutorials/Controlling_file_contexts_yourself
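
Added example (not part of the original comment and not Gentoo's or MariaDB's code): one way to derive local "semanage fcontext" rules from mysql.fc-style entries when the database files live under a non-default path. The .fc lines are constructed samples, /srv/mariadb and the function names are hypothetical, and the single-letter -f codes assume a current policycoreutils.

```sh
#!/bin/sh
# Constructed sample in the style of a refpolicy .fc file (not the real mysql.fc).
sample_fc() {
cat <<'EOF'
# path regex               [spec]  context
/usr/sbin/mysqld           --      gen_context(system_u:object_r:mysqld_exec_t,s0)
/var/lib/mysql(/.*)?               gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql\.sock -s      gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/log/mysql(/.*)?               gen_context(system_u:object_r:mysqld_log_t,s0)
EOF
}

# Map a .fc file-type specifier to the letter semanage's -f option takes.
fc_ftype() {
    case "$1" in
        --) echo f ;; -d) echo d ;; -l) echo l ;; -s) echo s ;;
        -p) echo p ;; -c) echo c ;; -b) echo b ;;
        *)  echo a ;;   # no specifier: applies to all file types
    esac
}

# Read .fc lines on stdin; for entries under path $1, print the semanage
# command that gives the same type to the equivalent path under $2.
# Entries outside $1 are skipped: the loaded policy already labels them.
fc_to_semanage() {
    old=$1; new=$2
    while read -r path a b; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ -n "$b" ]; then spec=$a; ctx=$b; else spec=; ctx=$a; fi
        case "$ctx" in "gen_context("*) ;; *) continue ;; esac   # skips <<none>>
        case "$path" in
            # exact prefix only, so /var/lib/mysql-files would not match
            "$old"|"$old"/*|"$old("*) path=$new${path#"$old"} ;;
            *) continue ;;
        esac
        type=${ctx#"gen_context("*:*:}   # drop user:role, keep "type,range)"
        type=${type%%,*}
        printf "semanage fcontext -a -f %s -t %s '%s'\n" \
            "$(fc_ftype "$spec")" "$type" "$path"
    done
}

# Print the rules for a data directory moved to the hypothetical /srv/mariadb.
sample_fc | fc_to_semanage /var/lib/mysql /srv/mariadb
```

Review the printed commands before running them as root, then relabel the relocated directory with restorecon -R so the new contexts take effect.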

Comment 5 Jason Zaman gentoo-dev 2017-04-19 17:06:32 UTC
(In reply to Sven Vermeulen from comment #4)
> To support MariaDB, we need to enable its support through the reference
> policy (the upstream SELinux policy project we track), which will most
> likely adapt the existing MySQL policy to accomplish this.

MariaDB already works fine afaict. I don't use it heavily but haven't run into any issues at all so far.