maria-discuss team mailing list archive

SELinux policy for MariaDB/Galera?

Hi!

I'm looking for an SELinux policy for MariaDB/Galera. I'd like to use MariaDB/Galera with enforcing targeted SELinux.

I googled a lot. No real solution showed up. The most helpful page was

https://groups.google.com/forum/#!topic/percona-discussion/beyXK3U0ySo/discussion

which solves part of the problem.

Currently I'm trying to allow SST via rsync. /usr/bin/wsrep_sst_rsync executes ps and netstat, producing a lot of AVC denials, e.g.

----
time->Wed May 14 10:30:23 2014
type=SYSCALL msg=audit(1400056223.334:70): arch=c000003e syscall=4 success=yes exit=0 a0=17081b0 a1=7f9811231ca0 a2=7f9811231ca0 a3=17081b6 items=0 ppid=1678 pid=1704 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.334:70): avc:  denied  { getattr } for  pid=1704 comm="ps" path="/proc/844" dev=proc ino=10578 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
----
time->Wed May 14 10:30:23 2014
type=SYSCALL msg=audit(1400056223.337:75): arch=c000003e syscall=2 success=yes exit=12 a0=7f9811231840 a1=0 a2=0 a3=0 items=0 ppid=1678 pid=1704 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.337:75): avc:  denied  { open } for  pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc:  denied  { read } for  pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc:  denied  { search } for  pid=1704 comm="ps" name="1230" dev=proc ino=12150 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir

audit2allow doesn't help in this case. The target domain isn't "fixed". It depends on the processes running.

"netstat -lnpt" executed by /usr/bin/wsrep_sst_rsync has the problem.

How could I write an SELinux policy to allow access for ps and netstat?

Is there an "official" policy? Even RHEL 7 doesn't have support for Galera (but improves the mysql policy for MariaDB a bit).

	Best regards
		Franz
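The post's point that audit2allow is of little use here is that the target type of the denials changes with whatever happens to be running. The following is an added example (not part of the original post) that parses the AVC records quoted above, grouped by source type, command and object class, and reports which groups hit more than one target type; the sample log is constructed from the denials in the post, and the mysqld_t/initrc_t/restorecond_t names come from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in the post above (a SYSCALL record
# and separators are kept to show that only AVC records are parsed).
SAMPLE_AUDIT_LOG = """\
----
time->Wed May 14 10:30:23 2014
type=SYSCALL msg=audit(1400056223.334:70): arch=c000003e syscall=4 success=yes exit=0 items=0 ppid=1678 pid=1704 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.334:70): avc:  denied  { getattr } for  pid=1704 comm="ps" path="/proc/844" dev=proc ino=10578 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
----
type=AVC msg=audit(1400056223.337:75): avc:  denied  { open } for  pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc:  denied  { read } for  pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc:  denied  { search } for  pid=1704 comm="ps" name="1230" dev=proc ino=12150 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
"""

# Fields of an AVC record in the order auditd prints them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield one dict per AVC denial; non-AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            d["source_type"] = d["scontext"].split(":")[2]  # e.g. mysqld_t
            d["target_type"] = d["tcontext"].split(":")[2]  # e.g. initrc_t
            yield d


def denials_by_class(text):
    """Map (source type, command, object class) -> permissions and target types seen."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set()})
    for d in parse_avc(text):
        g = groups[(d["source_type"], d["comm"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["targets"].add(d["target_type"])
    return dict(groups)


def varying_targets(text):
    """Groups whose target type differs between denials: the cases where a rule
    generated from one log would not cover the next run."""
    return sorted(k for k, g in denials_by_class(text).items() if len(g["targets"]) > 1)


if __name__ == "__main__":
    for key, g in sorted(denials_by_class(SAMPLE_AUDIT_LOG).items()):
        print(f"{key}: perms={sorted(g['perms'])} targets={sorted(g['targets'])}")
    print("target type varies for:", varying_targets(SAMPLE_AUDIT_LOG))
```

Feed it `ausearch -m AVC -c ps` output from a few SST runs and the groups with several target types show how much of the `/proc` tree the script's helpers are actually reading.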