Blame SOURCES/bz1692960-mysql-galera-runuser-su-to-avoid-dac_override.patch

914f09
From db6d12f4b7b10e214526512abe35307270f81c03 Mon Sep 17 00:00:00 2001
914f09
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
914f09
Date: Thu, 8 Aug 2019 14:48:13 +0200
914f09
Subject: [PATCH] mysql/mariadb/galera: use runuser/su to avoid using SELinux
914f09
 DAC_OVERRIDE
914f09
914f09
---
914f09
 heartbeat/galera          | 11 ++++++-----
914f09
 heartbeat/mysql-common.sh | 16 ++++++++++++----
914f09
 2 files changed, 18 insertions(+), 9 deletions(-)
914f09
914f09
diff --git a/heartbeat/galera b/heartbeat/galera
914f09
index 9b9fe5569..056281fb8 100755
914f09
--- a/heartbeat/galera
914f09
+++ b/heartbeat/galera
914f09
@@ -624,8 +624,7 @@ detect_last_commit()
914f09
     local recover_args="--defaults-file=$OCF_RESKEY_config \
914f09
                         --pid-file=$OCF_RESKEY_pid \
914f09
                         --socket=$OCF_RESKEY_socket \
914f09
-                        --datadir=$OCF_RESKEY_datadir \
914f09
-                        --user=$OCF_RESKEY_user"
914f09
+                        --datadir=$OCF_RESKEY_datadir"
914f09
     local recovery_file_regex='s/.*WSREP\:.*position\s*recovery.*--log_error='\''\([^'\'']*\)'\''.*/\1/p'
914f09
     local recovered_position_regex='s/.*WSREP\:\s*[R|r]ecovered\s*position.*\:\(.*\)\s*$/\1/p'
914f09
 
914f09
@@ -654,7 +653,8 @@ detect_last_commit()
914f09
 
914f09
         ocf_log info "now attempting to detect last commit version using 'mysqld_safe --wsrep-recover'"
914f09
 
914f09
-        ${OCF_RESKEY_binary} $recover_args --wsrep-recover --log-error=$tmp 2>/dev/null
914f09
+        $SU - $OCF_RESKEY_user -s /bin/sh -c \
914f09
+        "${OCF_RESKEY_binary} $recover_args --wsrep-recover --log-error=$tmp 2>/dev/null"
914f09
 
914f09
         last_commit="$(cat $tmp | sed -n $recovered_position_regex | tail -1)"
914f09
         if [ -z "$last_commit" ]; then
914f09
@@ -670,8 +670,9 @@ detect_last_commit()
914f09
                     # we can only rollback the transaction, but that's OK
914f09
                     # since the DB will get resynchronized anyway
914f09
                     ocf_log warn "local node <${NODENAME}> was not shutdown properly. Rollback stuck transaction with --tc-heuristic-recover"
914f09
-                    ${OCF_RESKEY_binary} $recover_args --wsrep-recover \
914f09
-                                         --tc-heuristic-recover=rollback --log-error=$tmp 2>/dev/null
914f09
+                    $SU - $OCF_RESKEY_user -s /bin/sh -c \
914f09
+                    "${OCF_RESKEY_binary} $recover_args --wsrep-recover \
914f09
+                                         --tc-heuristic-recover=rollback --log-error=$tmp 2>/dev/null"
914f09
 
914f09
                     last_commit="$(cat $tmp | sed -n $recovered_position_regex | tail -1)"
914f09
                     if [ ! -z "$last_commit" ]; then
914f09
diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
914f09
index d5ac972cd..65db9bf85 100755
914f09
--- a/heartbeat/mysql-common.sh
914f09
+++ b/heartbeat/mysql-common.sh
914f09
@@ -2,6 +2,13 @@
914f09
 
914f09
 #######################################################################
914f09
 
914f09
+# Use runuser if available for SELinux.
914f09
+if [ -x /sbin/runuser ]; then
914f09
+	SU=runuser
914f09
+else
914f09
+	SU=su
914f09
+fi
914f09
+
914f09
 # Attempt to detect a default binary
914f09
 OCF_RESKEY_binary_default=$(which mysqld_safe 2> /dev/null)
914f09
 if [ "$OCF_RESKEY_binary_default" = "" ]; then
914f09
@@ -207,7 +214,7 @@ mysql_common_prepare_dirs()
914f09
     # already existed, check whether it is writable by the configured
914f09
     # user
914f09
     for dir in $pid_dir $socket_dir; do
914f09
-        if ! su -s /bin/sh - $OCF_RESKEY_user -c "test -w $dir"; then
914f09
+        if ! $SU -s /bin/sh - $OCF_RESKEY_user -c "test -w $dir"; then
914f09
             ocf_exit_reason "Directory $dir is not writable by $OCF_RESKEY_user"
914f09
             exit $OCF_ERR_PERM;
914f09
         fi
914f09
@@ -219,14 +226,15 @@ mysql_common_start()
914f09
     local mysql_extra_params="$1"
914f09
     local pid
914f09
 
914f09
-    ${OCF_RESKEY_binary} --defaults-file=$OCF_RESKEY_config \
914f09
+    $SU - $OCF_RESKEY_user -s /bin/sh -c \
914f09
+    "${OCF_RESKEY_binary} --defaults-file=$OCF_RESKEY_config \
914f09
     --pid-file=$OCF_RESKEY_pid \
914f09
     --socket=$OCF_RESKEY_socket \
914f09
     --datadir=$OCF_RESKEY_datadir \
914f09
     --log-error=$OCF_RESKEY_log \
914f09
-    --user=$OCF_RESKEY_user $OCF_RESKEY_additional_parameters \
914f09
+    $OCF_RESKEY_additional_parameters \
914f09
     $mysql_extra_params >/dev/null 2>&1 &
914f09
-    pid=$!
914f09
+    pid=$!"
914f09
 
914f09
     # Spin waiting for the server to come up.
914f09
     # Let the CRM/LRM time us out if required.