PKG-38 SElinux blocks PS from writing telemetry if semanage is not pr…

…esent PKG-40 AA profile update (cherry picked from commit b43c182)
percona · Jun 27, 2024 · 353e667 · 353e667
1 parent 3daa680
commit 353e667
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 42 deletions.
diff --git a/build-ps/debian/extra/apparmor-profile b/build-ps/debian/extra/apparmor-profile
@@ -75,10 +75,6 @@
 # Allow access to openssl config
   /etc/ssl/openssl.cnf r,
 
-# Allow access to PS Telemetry directory
-  /usr/local/percona/telemetry/ps/ rw,
-  /usr/local/percona/telemetry/ps/** rw,
-
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.mysqld>
 }
diff --git a/build-ps/debian/percona-server-server.postinst b/build-ps/debian/percona-server-server.postinst
@@ -42,6 +42,29 @@ check_exit_status() {
         fi
 }
 
+# PKG-40 To check if the apparmor profile has been changed on the user's system
+# If the file has been changed, append telemetry rules to the file
+# If unchanged, install the new apparmor profile
+check_apparmor_files() {
+	if ! diff -q /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/old_apparmor >/dev/null; then
+		sed -i 's:  # Site-specific additions and overrides. See local/README for details.::' /etc/apparmor.d/usr.sbin.mysqld
+                sed -i 's:  #include <local/usr.sbin.mysqld>::' /etc/apparmor.d/usr.sbin.mysqld
+                sed -i '$ s/}//' /etc/apparmor.d/usr.sbin.mysqld
+                echo "# Allow access to PS telemetry directory" >> /etc/apparmor.d/usr.sbin.mysqld
+                echo "  /usr/local/percona/telemetry/ps/ rw," >> /etc/apparmor.d/usr.sbin.mysqld
+                echo "  /usr/local/percona/telemetry/ps/** rw," >> /etc/apparmor.d/usr.sbin.mysqld
+                echo "" >> /etc/apparmor.d/usr.sbin.mysqld
+                echo "  # Site-specific additions and overrides. See local/README for details." >> /etc/apparmor.d/usr.sbin.mysqld
+                echo "  #include <local/usr.sbin.mysqld>" >> /etc/apparmor.d/usr.sbin.mysqld
+                echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
+                sed -r -i ':a; /^\s*$/ {N;ba}; s/( *\n *){2,}/\n/'  /etc/apparmor.d/usr.sbin.mysqld
+                rm -f /etc/apparmor.d/usr.sbin.mysqld.in2
+        else
+                mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld
+        fi
+}
+
+
 MY_BASEDIR_VERSION=$(my_print_defaults --loose-verbose mysqld server | grep basedir | awk -F'=' '{print $2}')
 TOKUDB=$(dpkg -l | grep -c 'percona-server-tokudb')
 if [ $TOKUDB = 1 ]
@@ -133,22 +156,7 @@ case "$1" in
 		PROFILE_ACTION="Use NEW AppArmor profile"
 		# If the existing AppArmor module/local profile is the proper file, we back it up
 		if [ -f "/etc/apparmor.d/usr.sbin.mysqld" ]; then
-			 if ! diff -q /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/old_apparmor >/dev/null; then
-                                sed -i 's:  # Site-specific additions and overrides. See local/README for details.::' /etc/apparmor.d/usr.sbin.mysqld
-                                sed -i 's:  #include <local/usr.sbin.mysqld>::' /etc/apparmor.d/usr.sbin.mysqld
-                                sed -i '$ s/}//' /etc/apparmor.d/usr.sbin.mysqld
-                                echo "# Allow access to PS telemetry directory" >> /etc/apparmor.d/usr.sbin.mysqld
-                                echo "  /usr/local/percona/telemetry/ps/ rw," >> /etc/apparmor.d/usr.sbin.mysqld
-                                echo "  /usr/local/percona/telemetry/ps/** rw," >> /etc/apparmor.d/usr.sbin.mysqld
-                                echo "" >> /etc/apparmor.d/usr.sbin.mysqld
-                                echo "  # Site-specific additions and overrides. See local/README for details." >> /etc/apparmor.d/usr.sbin.mysqld
-                                echo "  #include <local/usr.sbin.mysqld>" >> /etc/apparmor.d/usr.sbin.mysqld
-                                echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
-				sed -r -i ':a; /^\s*$/ {N;ba}; s/( *\n *){2,}/\n/' /etc/apparmor.d/usr.sbin.mysqld
-                                rm -f /etc/apparmor.d/usr.sbin.mysqld.in2
-                        else
-                                mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld
-                        fi
+			check_apparmor_files
 		else
 			mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld 2> /dev/null || true
                 fi
@@ -202,22 +210,7 @@ EOF
 		fi
 		update-alternatives --force --install /etc/mysql/my.cnf my.cnf "/etc/mysql/mysql.cnf" 300
 		if [ -f "/etc/apparmor.d/usr.sbin.mysqld" ]; then
-			if ! diff -q /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/old_apparmor >/dev/null; then
-				sed -i 's:  # Site-specific additions and overrides. See local/README for details.::' /etc/apparmor.d/usr.sbin.mysqld
-				sed -i 's:  #include <local/usr.sbin.mysqld>::' /etc/apparmor.d/usr.sbin.mysqld
-				sed -i '$ s/}//' /etc/apparmor.d/usr.sbin.mysqld
-				echo "# Allow access to PS telemetry directory" >> /etc/apparmor.d/usr.sbin.mysqld
-				echo "  /usr/local/percona/telemetry/ps/ rw," >> /etc/apparmor.d/usr.sbin.mysqld
-				echo "  /usr/local/percona/telemetry/ps/** rw," >> /etc/apparmor.d/usr.sbin.mysqld
-				echo "" >> /etc/apparmor.d/usr.sbin.mysqld
-				echo "  # Site-specific additions and overrides. See local/README for details." >> /etc/apparmor.d/usr.sbin.mysqld
-				echo "  #include <local/usr.sbin.mysqld>" >> /etc/apparmor.d/usr.sbin.mysqld
-				echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
-				sed -r -i ':a; /^\s*$/ {N;ba}; s/( *\n *){2,}/\n/'  /etc/apparmor.d/usr.sbin.mysqld
-				rm -f /etc/apparmor.d/usr.sbin.mysqld.in2
-			else
-				mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld
-			fi
+			check_apparmor_files
                 fi
 		rm -f /etc/apparmor.d/old_apparmor
 		mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld 2> /dev/null || true

diff --git a/build-ps/percona-server.spec b/build-ps/percona-server.spec
@@ -800,12 +800,12 @@ fi
 %endif
 %ifarch x86_64
 mkdir -p %{ps_telemetry}
-chown mysql:percona-telemetry /usr/local/percona/telemetry/ps
-chmod 775 /usr/local/percona/telemetry/ps
-chmod g+s /usr/local/percona/telemetry/ps
-chmod u+s /usr/local/percona/telemetry/ps
-/usr/sbin/semanage fcontext -a -e /var/lib/mysql %{ps_telemetry}
-restorecon -RvF %{ps_telemetry}
+chown mysql:percona-telemetry %{ps_telemetry}
+chmod 775 %{ps_telemetry}
+chmod g+s %{ps_telemetry}
+chmod u+s %{ps_telemetry}
+chcon -t mysqld_db_t %{ps_telemetry}
+chcon -u system_u %{ps_telemetry}
 %endif
 if [ -d /etc/percona-server.conf.d ]; then
     CONF_EXISTS=$(grep "percona-server.conf.d" /etc/my.cnf | wc -l)