MDEV-11676 Starting service with mysqld_safe_helper fails in SELINUX "enforcing" mode

compile, and install selinux policy for mysqld_safe_helper on centos6. the policy was created as described in https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/#other-selinux-changes
2017-01-10 18:31:03 +01:00 · 2017-01-10 18:31:03 +01:00 · c1a23cd4e5
commit c1a23cd4e5
parent 6ad3dd6054
7 changed files with 52 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -221,6 +221,7 @@ support-files/mysql.spec
 support-files/mysqld_multi.server
 support-files/wsrep.cnf
 support-files/wsrep_notify
+support-files/SELinux/centos6-mariadb.pp
 tags
 tests/async_queries
 tests/bug25714
--- a/support-files/CMakeLists.txt
+++ b/support-files/CMakeLists.txt
@ -67,7 +67,7 @@ IF(UNIX)
  ENDFOREACH()
  IF(INSTALL_SUPPORTFILESDIR)
    INSTALL(FILES magic DESTINATION ${inst_location} COMPONENT SupportFiles)
-    INSTALL(DIRECTORY RHEL4-SElinux/ DESTINATION ${inst_location}/SELinux/RHEL4 COMPONENT SupportFiles)
+    ADD_SUBDIRECTORY(SELinux)
  ENDIF()

  INSTALL(FILES mysql.m4 DESTINATION ${INSTALL_SHAREDIR}/aclocal COMPONENT Development)
--- a/support-files/SELinux/CMakeLists.txt
+++ b/support-files/SELinux/CMakeLists.txt
@ -0,0 +1,35 @@
+# Copyright (c) 2017, MariaDB
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+
+FIND_PROGRAM(CHECKMODULE checkmodule)
+FIND_PROGRAM(SEMODULE_PACKAGE semodule_package)
+MARK_AS_ADVANCED(CHECKMODULE SEMODULE_PACKAGE)
+
+SET(params DESTINATION ${INSTALL_SUPPORTFILESDIR}/SELinux COMPONENT SupportFiles)
+
+IF(CHECKMODULE AND SEMODULE_PACKAGE)
+  FOREACH(pol centos6-mariadb)
+    SET(src ${CMAKE_CURRENT_SOURCE_DIR}/${pol}.te)
+    SET(mod ${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${pol}-pp.dir/${pol}.mod)
+    SET(out ${CMAKE_CURRENT_BINARY_DIR}/${pol}.pp)
+    ADD_CUSTOM_COMMAND(OUTPUT ${out}
+      COMMAND ${CHECKMODULE} -M -m ${src} -o ${mod}
+      COMMAND ${SEMODULE_PACKAGE} -m ${mod} -o ${out}
+      DEPENDS ${src})
+    ADD_CUSTOM_TARGET(${pol}-pp ALL DEPENDS ${out})
+    INSTALL(FILES ${out} ${params})
+  ENDFOREACH()
+ENDIF()
+INSTALL(FILES centos6-mariadb.te rhel4-mysql.fc rhel4-mysql.te ${params})
--- a/support-files/SELinux/centos6-mariadb.te
+++ b/support-files/SELinux/centos6-mariadb.te
@ -0,0 +1,9 @@
+module mariadb 1.0;
+
+require {
+        type mysqld_safe_t;
+        class capability { setuid setgid };
+}
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t self:capability { setuid setgid };
--- a/support-files/SELinux/rhel4-mysql.fc
+++ b/support-files/SELinux/rhel4-mysql.fc
--- a/support-files/SELinux/rhel4-mysql.te
+++ b/support-files/SELinux/rhel4-mysql.te
--- a/support-files/rpm/server-postin.sh
+++ b/support-files/rpm/server-postin.sh
@ -79,7 +79,12 @@ if [ -f /etc/redhat-release ] ; then
     echo '       make load'
     echo
     echo
-  fi
+   fi
+   if grep 'CentOS release 6' /etc/redhat-release >/dev/null 2>&1; then
+     if [ -x /usr/sbin/semodule ] ; then
+       /usr/sbin/semodule -i /usr/share/mysql/SELinux/centos6-mariadb.pp
+     fi
+   fi
 fi

 if [ -x sbin/restorecon ] ; then