Created attachment 879514 [details]
AVC Denied messages for MariaDB-Galera

Description of problem:
Attempting to start MariaDB server fails with the following AVC messages: Please see attached AVC denied messages.

Version-Release number of selected component (if applicable):
5.5.35-MariaDB

How reproducible:
Install MariaDB/Galera on nodes. Currently the package sets SELinux to permissive mode before it is initiated.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Here are AVCs captured when attempting to start mariadb-galera on F20, selinux enforcing.

----
type=SYSCALL msg=audit(04/09/2014 09:47:46.454:686) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x11d6360 a1=0x7fff88508e00 a2=0x7fff88508e00 a3=0x7fff88508d90 items=0 ppid=14709 pid=14710 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(04/09/2014 09:47:46.454:686) : avc: denied { getattr } for pid=14710 comm=sh path=/usr/sbin/ip dev="vda3" ino=135305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(04/09/2014 09:47:46.470:687) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xb a1=0x7fff24148000 a2=0x10 a3=0x7fff24148000 items=0 ppid=14187 pid=14707 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc: denied { name_bind } for pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(04/09/2014 09:47:52.217:690) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xb a1=0x7fffd8ef6940 a2=0x10 a3=0x7fffd8ef6940 items=0 ppid=14789 pid=15544 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(04/09/2014 09:47:52.217:690) : avc: denied { name_bind } for pid=15544 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(04/09/2014 09:47:52.205:689) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xf11360 a1=0x7fff9929ad60 a2=0x7fff9929ad60 a3=0x7fff9929acf0 items=0 ppid=15546 pid=15547 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(04/09/2014 09:47:52.205:689) : avc: denied { getattr } for pid=15547 comm=sh path=/usr/sbin/ip dev="vda3" ino=135305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc: denied { name_bind } for pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket

did you change it to use tcp/4567 port?
(In reply to Miroslav Grepl from comment #7)
> type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc: denied { name_bind } for pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
>
> did you change it to use tcp/4567 port?

No. Port 4567 is used for replication.
This is still in needinfo for some reason. Reassigning this to 'openstack-selinux'. Has any progress been made here? Any additional information needed?
Added to RHEL6.6.

commit 1a1853a2c091229f0fee5050d91cf012293e1a48
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 5 10:53:16 2014 +0200

    Allow mysql to execute ifconfig if Red Hat OpenStack

commit 3b027eeb7d868b7f5e6f789a87356bbff6c98684
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 5 10:51:46 2014 +0200

    Allow mysqld to use tram port for replication
This also needs to be added to RHEL 7. It can be shipped in selinux policy.
I checked the policy and the fixes are in RHEL 7. Test with: selinux-policy-3.12.1-153.el7_0.10
Note that the only way to test this is to use a true galera cluster. Using galera in "standalone" mode, where wsrep_cluster_address is "dummy://" or wsrep_provider is "none", will most likely not cause any AVCs, even without this update. This is how it is installed via packstack.
Ran into a few more AVCs with galera. Setting back to ASSIGNED.
Created attachment 912856 [details] New AVCs for galera
Here is the output from 'ausearch -m avc':

time->Sat Jun 28 08:56:53 2014
type=SYSCALL msg=audit(1403963813.182:2685): arch=c000003e syscall=42 success=no exit=-115 a0=17 a1=7fb263ffcfe0 a2=10 a3=0 items=0 ppid=10777 pid=11615 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1403963813.182:2685): avc: denied { name_connect } for pid=11615 comm="mysqld" dest=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
I see on my Fedora

#============= mysqld_t ==============
#!!!! This avc is allowed in the current policy
allow mysqld_t tram_port_t:tcp_socket name_connect;
Adding to new build.

corenet_tcp_bind_tram_port(mysqld_t)
corenet_tcp_connect_tram_port(mysqld_t)
Also for the future, whenever you're testing or retesting do so in permissive. Then, search for 'AVC' in the log and if any AVCs exist, attach the entire /var/log/audit/audit.log to the bz. Testing in enforcing will catch the denial, but will break on only the first one when there can be more denials that come up later.
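The advice above (test in permissive so the whole set of denials is recorded, then turn the AVCs into policy) can be checked end to end offline. The helper below is an added example written for this report, not code from the bug, from audit2allow or from selinux-policy: it folds the AVC records quoted in this thread into the distinct allow rules they imply, merging permissions per (source type, target type, class) the way audit2allow does, so one pass over a permissive-mode log shows both the tram_port_t bind and connect rules at once instead of only the first denial that enforcing mode would stop at. The sample lines are taken from this report with whitespace normalised; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials as the allow rules they
# would need. Handles both raw audit.log records and `ausearch -i` output,
# since it only looks at the permission set, scontext, tcontext and tclass.

# Sample records constructed from the AVCs quoted in this bug report
# (two in `ausearch -i` style, two raw).
SAMPLE_AVCS='type=AVC msg=audit(04/09/2014 09:47:46.454:686) : avc: denied { getattr } for pid=14710 comm=sh path=/usr/sbin/ip dev="vda3" ino=135305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc: denied { name_bind } for pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1397036872.217:690): avc:  denied  { name_bind } for  pid=15544 comm="mysqld" src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403963813.182:2685): avc:  denied  { name_connect } for  pid=11615 comm="mysqld" dest=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket'

# avc_to_rules: read audit records on stdin, print one
# "allow <src_type> <tgt_type>:<class> { perms };" line per tuple,
# permissions deduplicated in first-seen order, rules sorted.
avc_to_rules() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        # keep only the type (third field) of each user:role:type:level context
        split(s, sa, ":"); split(t, ta, ":")
        key = sa[3] " " ta[3] ":" c
        n = split(perms, pa, " ")
        for (j = 1; j <= n; j++)
            if (index(" " plist[key] " ", " " pa[j] " ") == 0)
                plist[key] = (plist[key] == "" ? "" : plist[key] " ") pa[j]
    }
    END { for (k in plist) print "allow " k " { " plist[k] " };" }' | sort
}

# sample_rules / rule_count: run the helper over the constructed sample.
sample_rules() { printf '%s\n' "$SAMPLE_AVCS" | avc_to_rules; }
rule_count()   { sample_rules | wc -l | tr -d ' '; }

# Prints two rules: ifconfig_exec_t:file { getattr } and
# tram_port_t:tcp_socket { name_bind name_connect }.
sample_rules
```

On a real system the same function takes `ausearch -m avc` or `grep AVC /var/log/audit/audit.log` on stdin; the resulting rules are what the refpolicy interfaces named in this thread (corenet_tcp_bind_tram_port, corenet_tcp_connect_tram_port) grant.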
(In reply to Ryan Hallisey from comment #27)
> Also for the future, whenever you're testing or retesting do so in
> permissive. Then, search for 'AVC' in the log and if any avc's exist, attach
> the entire /var/log/audit/audit.log to the bz. Testing in enforcing will
> catch the denial, but will break on only the first one when there can be
> more denials that come up later.

It was in permissive. I was flipping between permissive and enforcing in my testing. I'm well aware that permissive is preferred for testing. Thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-0845.html