mirror of
https://github.com/MariaDB/server.git
synced 2025-01-28 17:54:16 +01:00
76a27155b4
.. even with MDEV-9095 fix CapabilityBounding sets require filesystem setcap attributes for the executable to gain privileges during execution. A side effect of this however is the getauxvec(AT_SECURE) gets set, and the secure_getenv from OpenSSL internals on OPENSSL_CONF environment variable will get ignored (openssl gh issue 21770). According to capabilities(7), Ambient capabilities don't trigger ld.so triggering the secure execution mode. Include SELinux and Apparmor capabilities for ipc_lock

| Name |
|---|
| mariadb-server.fc |
| mariadb-server.te |
| mariadb.te |
| README |
Note: The included SELinux policy files can be used for MariaDB Galera cluster. However, since these policies have been tested for a limited set of scenarios, it is highly recommended that you run mysqld in "permissive" mode even with these policies installed and report any denials on mariadb.org/jira.

How to generate and load the policy module of MariaDB Galera cluster?

* Generate the SELinux policy module.

    # cd <source>/policy/selinux/
    # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp

* Load the generated policy module.

    # semodule -i /path/to/mariadb-server.pp

* Lastly, run the following commands to allow tcp/4568 and udp/4567.

    # semanage port -a -t mysqld_port_t -p tcp 4568
    # semanage port -a -t mysqld_port_t -p udp 4567

How to run mysqld in permissive mode?

    # semanage permissive -a mysqld_t
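Added example (not from the MariaDB README or source tree): one way to confirm the port-labelling step and to summarise the mysqld_t denials the note asks you to report while the domain is permissive. The function names and the sample audit records are constructed for illustration, and the parsers assume the usual `semanage port -l` column layout and raw AVC record format.

```shell
#!/bin/sh
# Added example, not part of the MariaDB README. Both parsers read stdin:
#   semanage port -l          | missing_galera_ports
#   ausearch -m avc -ts today | mysqld_denials

# Print each Galera port from the README that is not labelled mysqld_port_t.
missing_galera_ports() {
    awk '
    $1 == "mysqld_port_t" {
        for (i = 3; i <= NF; i++) {          # port list: "4568, 3306, 100-200"
            p = $i; sub(/,$/, "", p)
            n = split(p, r, "-"); lo = r[1] + 0; hi = r[n] + 0
            if ($2 == "tcp" && lo <= 4568 && 4568 <= hi) tcp = 1
            if ($2 == "udp" && lo <= 4567 && 4567 <= hi) udp = 1
        }
    }
    END { if (!tcp) print "tcp/4568"; if (!udp) print "udp/4567" }'
}

# Count AVC denials whose source domain is mysqld_t, grouped by permission
# set, target class, target type and the permissive flag.
mysqld_denials() {
    awk '
    function field(name,   i) {              # value of name=value on this line
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return "?"
    }
    /avc: +denied/ && /scontext=[^ ]*:mysqld_t:/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms); gsub(/ /, ",", perms)
        t = (split(field("tcontext"), c, ":") >= 3) ? c[3] : "?"
        seen[perms " " field("tclass") " " t " permissive=" field("permissive")]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2
}

# Constructed sample audit records (not real log data).
SAMPLE_AVC='type=AVC msg=audit(1700000001.100:201): avc:  denied  { name_bind } for  pid=911 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000002.200:202): avc:  denied  { name_bind } for  pid=911 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000003.300:203): avc:  denied  { read write } for  pid=911 comm="mysqld" name="extra.log" dev="dm-0" ino=4242 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000004.400:204): avc:  denied  { getattr } for  pid=77 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_AVC" | mysqld_denials
```

Empty output from `missing_galera_ports` means both ports from the README carry the `mysqld_port_t` label; the grouped denial lines are a compact form to attach to a report.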