MDEV-33301 memlock with systemd still not working
.. even with the MDEV-9095 fix, CapabilityBoundingSet requires filesystem setcap attributes on the executable for it to gain privileges during execution. A side effect of this, however, is that getauxval(AT_SECURE) gets set, and the secure_getenv() that OpenSSL internals use for the OPENSSL_CONF environment variable will then ignore it (OpenSSL GitHub issue 21770). According to capabilities(7), ambient capabilities do not trigger ld.so's secure-execution mode. Include SELinux and AppArmor capabilities for ipc_lock.
This commit is contained in:
parent
ee2ed1a036
commit
76a27155b4
4 changed files with 6 additions and 3 deletions
|
@ -51,7 +51,7 @@ Group=mysql
|
||||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||||
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
||||||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
||||||
|
|
||||||
# PrivateDevices=true implies NoNewPrivileges=true and
|
# PrivateDevices=true implies NoNewPrivileges=true and
|
||||||
# SUID auth_pam_tool suddenly doesn't do setuid anymore
|
# SUID auth_pam_tool suddenly doesn't do setuid anymore
|
||||||
|
|
|
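Review bot: Replacing CapabilityBoundingSet with AmbientCapabilities in this hunk (and identically in the hunk at @ -181 in the second service file) changes what mysqld itself holds, not only what auth_pam_tool can gain: ambient capabilities land in the permitted and effective sets of the unprivileged mysqld process, so the server now runs with CAP_DAC_OVERRIDE and CAP_AUDIT_WRITE effective, whereas the surviving comments above justify those two caps only for the SUID-root auth_pam_tool. Dropping the bounding-set line also appears to restore the default, unrestricted bounding set, which is what a SUID exec of auth_pam_tool inherits (the ambient set is cleared on a set-uid exec, per capabilities(7)), so the earlier confinement of that helper to three capabilities is lost. The two directives can coexist; keeping `CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE` and adding only `AmbientCapabilities=CAP_IPC_LOCK` would give mysqld the memlock capability it needs while leaving DAC_OVERRIDE and AUDIT_WRITE reachable solely through the SUID helper, unless something elsewhere in the unit (outside this hunk) relies on mysqld holding them directly. The comment block should then also say which directive each capability is listed under and why.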
@ -181,7 +181,7 @@ PrivateNetwork=false
|
||||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||||
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
||||||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
||||||
|
|
||||||
# PrivateDevices=true implies NoNewPrivileges=true and
|
# PrivateDevices=true implies NoNewPrivileges=true and
|
||||||
# SUID auth_pam_tool suddenly doesn't do setuid anymore
|
# SUID auth_pam_tool suddenly doesn't do setuid anymore
|
||||||
|
|
|
@ -14,6 +14,7 @@
|
||||||
|
|
||||||
capability chown,
|
capability chown,
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
capability ipc_lock,
|
||||||
capability setgid,
|
capability setgid,
|
||||||
capability setuid,
|
capability setuid,
|
||||||
capability sys_rawio,
|
capability sys_rawio,
|
||||||
|
|
|
@ -25,7 +25,7 @@ require {
|
||||||
class lnk_file read;
|
class lnk_file read;
|
||||||
class process { getattr signull };
|
class process { getattr signull };
|
||||||
class unix_stream_socket connectto;
|
class unix_stream_socket connectto;
|
||||||
class capability { sys_resource sys_nice };
|
class capability { ipc_lock sys_resource sys_nice };
|
||||||
class tcp_socket { name_bind name_connect };
|
class tcp_socket { name_bind name_connect };
|
||||||
class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
|
class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
|
||||||
class sock_file { create unlink getattr };
|
class sock_file { create unlink getattr };
|
||||||
|
@ -87,6 +87,8 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
|
||||||
|
|
||||||
# MariaDB additions
|
# MariaDB additions
|
||||||
allow mysqld_t self:process setpgid;
|
allow mysqld_t self:process setpgid;
|
||||||
|
allow mysqld_t self:capability { ipc_lock };
|
||||||
|
|
||||||
# This rule allows port tcp/4444
|
# This rule allows port tcp/4444
|
||||||
allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
|
allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
|
||||||
# This rule allows port tcp/4567 (tram_port_t may not be available on
|
# This rule allows port tcp/4567 (tram_port_t may not be available on
|
||||||
|
|
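Review bot: The new rule `allow mysqld_t self:capability { ipc_lock };` in the hunk at @ -87 wraps a single permission in braces, while the neighbouring MariaDB addition `allow mysqld_t self:process setpgid;` writes a single permission bare; for consistency with the existing file style it would read `allow mysqld_t self:capability ipc_lock;`. Both forms are valid policy, so this is a style point only; the matching addition of ipc_lock to the `class capability` require line in the hunk at @ -25 is consistent with the existing sys_resource and sys_nice entries.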