Posted to commits@airavata.apache.org by ma...@apache.org on 2017/04/28 15:22:43 UTC

[02/50] [abbrv] airavata git commit: Temporary fix for mysql-selinux issue

Temporary fix for mysql-selinux issue

Tmp fix for this issue: https://jira.mariadb.org/browse/MDEV-12231
Adds selinux policy module to allow mysql to set uid/gid. Also
checks for .pp file which should be included in future releases
of MariaDB.


Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/defbad39
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/defbad39
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/defbad39

Branch: refs/heads/develop
Commit: defbad3986acd769a3356bbf4448407a8f61aaa1
Parents: 83ea630
Author: jecoulte <je...@iu.edu>
Authored: Mon Apr 3 17:52:16 2017 -0400
Committer: Marcus Christie <ma...@apache.org>
Committed: Tue Apr 4 09:41:47 2017 -0400

----------------------------------------------------------------------
 .../ansible/roles/database/files/mysql-tmp.te   |  9 ++++
 dev-tools/ansible/roles/database/tasks/main.yml | 48 +++++++++++++++++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/defbad39/dev-tools/ansible/roles/database/files/mysql-tmp.te
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/database/files/mysql-tmp.te b/dev-tools/ansible/roles/database/files/mysql-tmp.te
new file mode 100644
index 0000000..2303b0c
--- /dev/null
+++ b/dev-tools/ansible/roles/database/files/mysql-tmp.te
@@ -0,0 +1,9 @@
+module mysql-tmp 1.0;
+
+require {
+	type mysqld_safe_t;
+	class capability { setgid setuid };
+}
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t self:capability { setgid setuid };
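Review bot: The policy file has no comment saying why `mysqld_safe_t` is granted `setgid`/`setuid` or when the grant should be withdrawn, so someone who later finds `mysql-tmp` in the loaded module list has no pointer to its origin. I would add a header such as `# Workaround for https://jira.mariadb.org/browse/MDEV-12231; remove this module once MariaDB ships SELinux/mariadb.pp`. The removal hint matters because the tasks in main.yml skip the build when that file exists but never run `semodule -r mysql-tmp` in that case, so the extra allowance would stay loaded after the upstream fix arrives.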

http://git-wip-us.apache.org/repos/asf/airavata/blob/defbad39/dev-tools/ansible/roles/database/tasks/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/database/tasks/main.yml b/dev-tools/ansible/roles/database/tasks/main.yml
index 0f76c08..c09ced4 100644
--- a/dev-tools/ansible/roles/database/tasks/main.yml
+++ b/dev-tools/ansible/roles/database/tasks/main.yml
@@ -54,9 +54,55 @@
   yum: name="{{ item }}" state=latest update_cache=yes
   with_items: "{{ mysql_packages }}"
   become_user: root
+#" for vim
+
+- name: check if mysql has been updated
+  stat: path=/usr/share/mysql/SELinux/mariadb.pp
+  register: mysql_selinux_update
+
+- debug:
+    var: mysql_selinux_update
+
+- name: double check policycoreutils installed
+  yum: name=policycoreutils-python state=installed
+  when: mysql_selinux_update.stat.exists == False
+
+- name: Copy SELinux type enforcement file
+  copy: src=mysql-tmp.te dest=/tmp/
+  when: mysql_selinux_update.stat.exists == False
+
+- name: Compile SELinux module file
+  command: checkmodule -M -m -o /tmp/mysql-tmp.mod /tmp/mysql-tmp.te
+  when: mysql_selinux_update.stat.exists == False
+
+- name: Build SELinux policy package
+  command: semodule_package -o /tmp/mysql-tmp.pp -m /tmp/mysql-tmp.mod
+  when: mysql_selinux_update.stat.exists == False
+
+#- name: check if mysql has been updated
+#  stat: path=/tmp/mysql-tmp.pp
+#  register: mysql_pp
+#
+#- debug:
+#    var: mysql_pp
+
+- name: unLoad SELinux policy package
+  command: semodule -r mysql-tmp
+  when: mysql_selinux_update.stat.exists == False
+  become_user: root
+  ignore_errors: True
+
+- name: Load SELinux policy package
+  command: semodule -i /tmp/mysql-tmp.pp
+  when: mysql_selinux_update.stat.exists == False
+  become_user: root
+
+- name: Remove temporary files
+  file: path=/tmp/mysql-tmp.* state=absent
+  when: mysql_selinux_update.stat.exists == False
 
 # TODO: SELinux issue for 10.0.29 MariaDB, need to allow setgid/setuid.
-# See https://www.rootusers.com/how-to-fix-mariadb-10-0-29-selinux-update-failure/
+## See https://www.rootusers.com/how-to-fix-mariadb-10-0-29-selinux-update-failure/
 # and https://jira.mariadb.org/browse/MDEV-11789
 # For now I'm not adding to Ansible script since this bug should be fixed in next MariaDB release
 - name: start mariadb
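Review bot: The `Remove temporary files` task passes `/tmp/mysql-tmp.*` to the `file` module, which treats `path` as a literal name and does not expand globs, so the `.te`, `.mod` and `.pp` files are left behind. That matters more than tidiness here: the module is built under predictable names in world-writable `/tmp`, only the unload and load tasks carry `become_user: root`, and `semodule -i` then installs whatever sits at `/tmp/mysql-tmp.pp`. Building in a private directory created for the run and deleting that directory afterwards removes both problems; the sketch below uses the `tempfile` module, which needs Ansible 2.3 or later. Whether `become` is enabled for the play is set outside this hunk, so the `become_user` lines are an assumption to confirm.

```yaml
# … unchanged: stat check, debug, policycoreutils install …

- name: Create private build directory for the SELinux module
  tempfile:
    state: directory
    prefix: mysql-selinux.
  register: mysql_selinux_build
  when: mysql_selinux_update.stat.exists == False
  become_user: root

- name: Copy SELinux type enforcement file
  copy:
    src: mysql-tmp.te
    dest: "{{ mysql_selinux_build.path }}/mysql-tmp.te"
  when: mysql_selinux_update.stat.exists == False
  become_user: root

- name: Compile SELinux module file
  command: >-
    checkmodule -M -m
    -o {{ mysql_selinux_build.path }}/mysql-tmp.mod
    {{ mysql_selinux_build.path }}/mysql-tmp.te
  when: mysql_selinux_update.stat.exists == False
  become_user: root

- name: Build SELinux policy package
  command: >-
    semodule_package
    -o {{ mysql_selinux_build.path }}/mysql-tmp.pp
    -m {{ mysql_selinux_build.path }}/mysql-tmp.mod
  when: mysql_selinux_update.stat.exists == False
  become_user: root

# … unchanged: unload task …

- name: Load SELinux policy package
  command: semodule -i {{ mysql_selinux_build.path }}/mysql-tmp.pp
  when: mysql_selinux_update.stat.exists == False
  become_user: root

- name: Remove temporary files
  file:
    path: "{{ mysql_selinux_build.path }}"
    state: absent
  when: mysql_selinux_update.stat.exists == False
  become_user: root
```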