SELinux support

Are there any plans to make crdb SELinux aware?
I think it would be nice to run the database without having to disable SELinux …

Not as of yet, but if we get more requests to do so, we would definitely consider putting it on our roadmap.

Please support SELinux.

OK, quick follow-up. Apparently, you shouldn’t be having a problem running with SELinux (sorry for the confusion) even without disabling it. Do you mind providing some more detail on your setup?

Debian Buster (10.0 prerelease as of May 27, 2019).
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

cockroach@randall:~$ ls -alZ /opt/cockroach/cockroach-v19.1.1.linux-amd64
total 121552
drwxr-xr-x. 2 cockroach cockroach user_u:object_r:user_home_t:s0 4096 May 27 19:33 .
drwxr-xr-x. 5 cockroach cockroach system_u:object_r:user_home_dir_t:s0 4096 May 27 19:33 …
-rwxr-xr-x. 1 cockroach cockroach user_u:object_r:user_home_t:s0 124419288 May 27 19:09 cockroach
-rwxr-xr-x. 1 cockroach cockroach user_u:object_r:user_home_t:s0 16656 May 27 19:33 hello
-rw-r--r--. 1 cockroach cockroach user_u:object_r:user_home_t:s0 144 May 27 19:33 hello.c

Symptom/result:

cockroach@randall:~$ cockroach-v19.1.1.linux-amd64/cockroach sql
Segmentation fault

type=AVC msg=audit(1559019482.814:813): avc: denied { execmem } for pid=1221 comm="cockroach" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
Was caused by:
The boolean allow_execmem was set incorrectly.
Description:
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla

Allow access by executing:
# setsebool -P allow_execmem 1

This circumvents the immediate problem, but opens a vulnerability that in some environments would be unacceptable.

Thanks for the opportunity to comment.

Tom Dial
tdial@acm.org
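
A way to triage a denial like the one above before reaching for setsebool, added here as an example and not code from the thread or from CockroachDB. It parses an AVC line of the shape shown in the post and inspects the denied binary's ELF program headers, because on the kernels of that era (x86-64 before Linux 5.8) an executable stack, meaning a PT_GNU_STACK header carrying PF_X or no PT_GNU_STACK header at all, made the loader set READ_IMPLIES_EXEC, after which every writable anonymous mapping needed the execmem permission. The audit line and the ELF images are constructed inline so the script runs without a real cockroach binary; the helper names, the verdict strings and the flag-to-advice heuristic are this example's own, and the page does not say what the actual cause in CockroachDB was.

```python
"""Triage an SELinux execmem AVC denial against the denied binary's ELF layout."""
import re
import struct

PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
PT_LOAD, PT_GNU_STACK = 0x1, 0x6474E551

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return {'perms': [...], 'comm': ..., 'scontext': ..., ...} or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def elf_segments(data):
    """Yield (p_type, p_flags) for every program header of a 64-bit ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("expected a 64-bit ELF image")
    end = "<" if data[5] == 1 else ">"
    (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    for i in range(e_phnum):
        yield struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)


def triage(elf_bytes, avc_line):
    """Combine the denial and the binary's segment flags into a verdict (example heuristic)."""
    denial = parse_avc(avc_line) or {"perms": []}
    segs = list(elf_segments(elf_bytes))
    stack_flags = [f for t, f in segs if t == PT_GNU_STACK]
    # A missing PT_GNU_STACK header also means an executable stack on Linux.
    exec_stack = not stack_flags or bool(stack_flags[0] & PF_X)
    wx_loads = sum(1 for t, f in segs if t == PT_LOAD and f & PF_W and f & PF_X)
    verdict = {"perms": denial["perms"], "comm": denial.get("comm"),
               "executable_stack": exec_stack, "wx_load_segments": wx_loads}
    if "execmem" in denial["perms"] and exec_stack:
        verdict["advice"] = ("relink with a non-executable stack (e.g. -z noexecstack) "
                             "instead of setting allow_execmem")
    elif "execmem" in denial["perms"]:
        verdict["advice"] = ("binary requests W+X at runtime; confine it in its own domain "
                             "rather than flipping the global boolean")
    else:
        verdict["advice"] = "not an execmem denial"
    return verdict


def build_elf(stack_flags, load_flags=(PF_R | PF_X, PF_R | PF_W)):
    """Constructed minimal ELF64 x86-64 image (header plus program headers, no code)."""
    phdrs = [(PT_LOAD, f) for f in load_flags] + [(PT_GNU_STACK, stack_flags)]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8     # ELFCLASS64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                    for t, f in phdrs)
    return ehdr + body


# Constructed audit line modelled on the one in the thread (not a real capture).
SAMPLE_AVC = ('type=AVC msg=audit(1559019482.814:813): avc:  denied  { execmem } for '
              ' pid=1221 comm="cockroach" scontext=user_u:user_r:user_t:s0 '
              'tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0')

if __name__ == "__main__":
    for label, flags in (("exec-stack build", PF_R | PF_W | PF_X),
                         ("noexecstack build", PF_R | PF_W)):
        print(label, triage(build_elf(flags), SAMPLE_AVC))
```

On a real host the same two inputs come from `ausearch -m avc` and from reading the binary itself; `readelf -lW cockroach | grep GNU_STACK` shows the stack flags the script decodes. On kernels from 5.8 onward an executable stack on x86-64 no longer implies READ_IMPLIES_EXEC, so the same binary would surface as an execstack denial instead, which is why the verdict keys both on the permission and on the segment flags.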

Thanks for the report! I’ve filed https://github.com/cockroachdb/cockroach/issues/37885 to track this.

I’ve gotten to the bottom of this and have a fix in https://github.com/cockroachdb/cockroach/pull/37939

Thank you for the quick turnaround on what appears to affect a niche environment, judging by SELinux related activity on the forum.

Tom Dial