From db6d12f4b7b10e214526512abe35307270f81c03 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Thu, 8 Aug 2019 14:48:13 +0200 Subject: [PATCH] mysql/mariadb/galera: use runuser/su to avoid using SELinux DAC_OVERRIDE --- heartbeat/galera | 11 ++++++----- heartbeat/mysql-common.sh | 16 ++++++++++++---- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/heartbeat/galera b/heartbeat/galera index 9b9fe5569..056281fb8 100755 --- a/heartbeat/galera +++ b/heartbeat/galera @@ -624,8 +624,7 @@ detect_last_commit() local recover_args="--defaults-file=$OCF_RESKEY_config \ --pid-file=$OCF_RESKEY_pid \ --socket=$OCF_RESKEY_socket \ - --datadir=$OCF_RESKEY_datadir \ - --user=$OCF_RESKEY_user" + --datadir=$OCF_RESKEY_datadir" local recovery_file_regex='s/.*WSREP\:.*position\s*recovery.*--log_error='\''\([^'\'']*\)'\''.*/\1/p' local recovered_position_regex='s/.*WSREP\:\s*[R|r]ecovered\s*position.*\:\(.*\)\s*$/\1/p' @@ -654,7 +653,8 @@ detect_last_commit() ocf_log info "now attempting to detect last commit version using 'mysqld_safe --wsrep-recover'" - ${OCF_RESKEY_binary} $recover_args --wsrep-recover --log-error=$tmp 2>/dev/null + $SU - $OCF_RESKEY_user -s /bin/sh -c \ + "${OCF_RESKEY_binary} $recover_args --wsrep-recover --log-error=$tmp 2>/dev/null" last_commit="$(cat $tmp | sed -n $recovered_position_regex | tail -1)" if [ -z "$last_commit" ]; then 
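Review bot: In the `@@ -654` hunk the recovery command is now built as one double-quoted string for `$SU ... -s /bin/sh -c`, so `$OCF_RESKEY_binary`, `$recover_args` and `$tmp` are expanded by the agent and then parsed a second time by the child shell; whitespace or a shell metacharacter in any resource parameter changes the command that runs as `$OCF_RESKEY_user`, and `$OCF_RESKEY_user` itself is unquoted on the `$SU` line. The same construction appears in the `@@ -670` hunk and in `mysql_common_start`. I would quote the account name, `$SU - "$OCF_RESKEY_user" -s /bin/sh -c \`, and add a comment above the call such as `# parameter values are re-parsed by /bin/sh -c; they must not contain whitespace or shell metacharacters`. Separately, `--log-error=$tmp` is now written by the unprivileged process while the agent reads it back with `cat $tmp`; where `$tmp` is created is outside the hunk, so confirm the file is writable by `$OCF_RESKEY_user`, otherwise the position lookup presumably comes back empty.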
@@ -670,8 +670,9 @@ detect_last_commit() # we can only rollback the transaction, but that's OK # since the DB will get resynchronized anyway ocf_log warn "local node <${NODENAME}> was not shutdown properly. Rollback stuck transaction with --tc-heuristic-recover" - ${OCF_RESKEY_binary} $recover_args --wsrep-recover \ - --tc-heuristic-recover=rollback --log-error=$tmp 2>/dev/null + $SU - $OCF_RESKEY_user -s /bin/sh -c \ + "${OCF_RESKEY_binary} $recover_args --wsrep-recover \ + --tc-heuristic-recover=rollback --log-error=$tmp 2>/dev/null" last_commit="$(cat $tmp | sed -n $recovered_position_regex | tail -1)" if [ ! -z "$last_commit" ]; then diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh index d5ac972cd..65db9bf85 100755 --- a/heartbeat/mysql-common.sh +++ b/heartbeat/mysql-common.sh @@ -2,6 +2,13 @@ ####################################################################### +# Use runuser if available for SELinux. +if [ -x /sbin/runuser ]; then + SU=runuser +else + SU=su +fi + # Attempt to detect a default binary OCF_RESKEY_binary_default=$(which mysqld_safe 2> /dev/null) if [ "$OCF_RESKEY_binary_default" = "" ]; then @@ -207,7 +214,7 @@ mysql_common_prepare_dirs() # already existed, check whether it is writable by the configured # user for dir in $pid_dir $socket_dir; do - if ! su -s /bin/sh - $OCF_RESKEY_user -c "test -w $dir"; then + if ! $SU -s /bin/sh - $OCF_RESKEY_user -c "test -w $dir"; then ocf_exit_reason "Directory $dir is not writable by $OCF_RESKEY_user" exit $OCF_ERR_PERM; fi 
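Review bot: The detection block added at the top of `mysql-common.sh` tests `/sbin/runuser` but stores the bare name `runuser`, so the binary later executed for the user switch is whichever `runuser` comes first in the agent's `PATH`, not necessarily the one that was tested. For an agent that runs privileged I would pin the path that was checked, `SU=/sbin/runuser`, with a comment such as `# absolute path: the user switch must not depend on PATH`. `heartbeat/galera` uses `$SU` without defining it, so it presumably relies on sourcing this file. If `SU` were ever unset there the line would degrade to running `-` as a command, so a guard like `: "${SU:?}"` before first use would make that failure explicit.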
@@ -219,14 +226,15 @@ mysql_common_start() local mysql_extra_params="$1" local pid - ${OCF_RESKEY_binary} --defaults-file=$OCF_RESKEY_config \ + $SU - $OCF_RESKEY_user -s /bin/sh -c \ + "${OCF_RESKEY_binary} --defaults-file=$OCF_RESKEY_config \ --pid-file=$OCF_RESKEY_pid \ --socket=$OCF_RESKEY_socket \ --datadir=$OCF_RESKEY_datadir \ --log-error=$OCF_RESKEY_log \ - --user=$OCF_RESKEY_user $OCF_RESKEY_additional_parameters \ + $OCF_RESKEY_additional_parameters \ $mysql_extra_params >/dev/null 2>&1 & - pid=$! + pid=$!" # Spin waiting for the server to come up. # Let the CRM/LRM time us out if required.
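Review bot: In `mysql_common_start` the trailing `&` and `pid=$!` have moved inside the double-quoted string handed to `/bin/sh -c`, so `$!` is expanded by the agent's shell before the child starts (empty, or the PID of an earlier background job) and the assignment runs in the child shell; the function's `local pid` is never set. The wait loop that follows is outside the hunk, but if it checks `$pid` it is presumably no longer watching the server process, so a failed start could go undetected or be misreported. I would close the quote after the redirection and background the switch-user command from the agent, `$mysql_extra_params >/dev/null 2>&1" &` followed by `pid=$!` on its own line, so that `pid` refers to the `$SU` process. `$OCF_RESKEY_additional_parameters` and `$mysql_extra_params` are also interpolated into the `sh -c` string here, so they are re-parsed by the child shell as well.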