Bug 1081544 - Enable SELINUX capability to Galera/MariaDB
Summary: Enable SELINUX capability to Galera/MariaDB
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 5.0 (RHEL 7)
Assignee: Ryan Hallisey
QA Contact: tkammer
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-27 14:36 UTC by Balaji
Modified: 2016-04-27 04:32 UTC (History)

Fixed In Version: openstack-selinux-0.5.7-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-08 15:12:47 UTC
Target Upstream Version:
Embargoed:


Attachments
AVC Denied messages for MariaDB-Galera (97.30 KB, text/plain) - 2014-03-27 14:36 UTC, Balaji
New AVCs for galera (5.96 KB, text/plain) - 2014-06-27 15:30 UTC, Ryan O'Hara


Links
Red Hat Product Errata RHEA-2014:0845 (priority: normal, status: SHIPPED_LIVE): Red Hat Enterprise Linux OpenStack Platform Enhancement - Runtime Components, last updated 2014-07-08 19:11:27 UTC

Description Balaji 2014-03-27 14:36:50 UTC
Created attachment 879514 [details]
AVC Denied messages for MariaDB-Galera

Description of problem:
Attempting to start MariaDB server fails with the following avc messages:

Please see attached avc denied messages.


Version-Release number of selected component (if applicable):
5.5.35-MariaDB

How reproducible:
Install MariaDB/Galera on nodes. Currently the package sets SELinux to permissive mode before it is initiated.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 5 Ryan O'Hara 2014-04-09 14:53:09 UTC
Here are AVCs captured when attempting to start mariadb-galera on F20, selinux enforcing.

----
type=SYSCALL msg=audit(04/09/2014 09:47:46.454:686) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x11d6360 a1=0x7fff88508e00 a2=0x7fff88508e00 a3=0x7fff88508d90 items=0 ppid=14709 pid=14710 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:mysqld_t:s0 key=(null) 
type=AVC msg=audit(04/09/2014 09:47:46.454:686) : avc:  denied  { getattr } for  pid=14710 comm=sh path=/usr/sbin/ip dev="vda3" ino=135305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/09/2014 09:47:46.470:687) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xb a1=0x7fff24148000 a2=0x10 a3=0x7fff24148000 items=0 ppid=14187 pid=14707 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null) 
type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc:  denied  { name_bind } for  pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket 
----
type=SYSCALL msg=audit(04/09/2014 09:47:52.217:690) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xb a1=0x7fffd8ef6940 a2=0x10 a3=0x7fffd8ef6940 items=0 ppid=14789 pid=15544 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=mysqld exe=/usr/libexec/mysqld subj=system_u:system_r:mysqld_t:s0 key=(null) 
type=AVC msg=audit(04/09/2014 09:47:52.217:690) : avc:  denied  { name_bind } for  pid=15544 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket 
----
type=SYSCALL msg=audit(04/09/2014 09:47:52.205:689) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xf11360 a1=0x7fff9929ad60 a2=0x7fff9929ad60 a3=0x7fff9929acf0 items=0 ppid=15546 pid=15547 auid=unset uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql ses=unset tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:mysqld_t:s0 key=(null) 
type=AVC msg=audit(04/09/2014 09:47:52.205:689) : avc:  denied  { getattr } for  pid=15547 comm=sh path=/usr/sbin/ip dev="vda3" ino=135305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

Comment 7 Miroslav Grepl 2014-04-10 09:23:15 UTC
type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc:  denied  { name_bind } for  pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket 

did you change it to use tcp/4567 port?

Comment 8 Ryan O'Hara 2014-04-10 14:23:46 UTC
(In reply to Miroslav Grepl from comment #7)
> type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc:  denied  { name_bind
> } for  pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0
> tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket 
> 
> did you change it to use tcp/4567 port?

No. Port 4567 is used for replication.

Comment 9 Ryan O'Hara 2014-05-02 13:35:38 UTC
This is still in needinfo for some reason. Reassigning this to 'openstack-selinux'. Has any progress been made here? Any additional information needed?

Comment 11 Miroslav Grepl 2014-05-05 08:53:42 UTC
Added to RHEL6.6.


commit 1a1853a2c091229f0fee5050d91cf012293e1a48
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 5 10:53:16 2014 +0200

    Allow mysql to execute ifconfig if Red Hat OpenStack

commit 3b027eeb7d868b7f5e6f789a87356bbff6c98684
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 5 10:51:46 2014 +0200

    Allow mysqld to use tram port for replication

Comment 12 Ryan Hallisey 2014-06-04 15:01:02 UTC
This also needs to be added to RHEL 7.

It can be shipped in selinux policy.

Comment 13 Ryan Hallisey 2014-06-04 18:19:21 UTC
I checked the policy and the fixes are in RHEL 7.

Test with: selinux-policy-3.12.1-153.el7_0.10

Comment 15 Ryan O'Hara 2014-06-19 22:08:47 UTC
Note that the only way to test this is to use a true galera cluster. Using galera in "standalone" mode, where wsrep_cluster_address is "dummy://" or wsrep_provider is "none", will most likely not cause any AVCs, even without this update. This is how it is installed via packstack.

Comment 19 Ryan O'Hara 2014-06-27 15:29:40 UTC
Ran into a few more AVCs with galera. Setting back to ASSIGNED.

Comment 20 Ryan O'Hara 2014-06-27 15:30:57 UTC
Created attachment 912856 [details]
New AVCs for galera

Comment 24 Ryan O'Hara 2014-06-28 15:27:39 UTC
Here is the output from 'ausearch -m avc':

time->Sat Jun 28 08:56:53 2014
type=SYSCALL msg=audit(1403963813.182:2685): arch=c000003e syscall=42 success=no exit=-115 a0=17 a1=7fb263ffcfe0 a2=10 a3=0 items=0 ppid=10777 pid=11615 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1403963813.182:2685): avc:  denied  { name_connect } for  pid=11615 comm="mysqld" dest=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket

Comment 25 Miroslav Grepl 2014-06-30 09:29:22 UTC
I see on my Fedora

#============= mysqld_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_t tram_port_t:tcp_socket name_connect;

Comment 26 Ryan Hallisey 2014-06-30 14:19:37 UTC
Adding to new build.
corenet_tcp_bind_tram_port(mysqld_t)
corenet_tcp_connect_tram_port(mysqld_t)

Comment 27 Ryan Hallisey 2014-06-30 19:23:58 UTC
Also for the future, whenever you're testing or retesting do so in permissive. Then, search for 'AVC' in the log and if any AVCs exist, attach the entire /var/log/audit/audit.log to the bz. Testing in enforcing will catch the denial, but will break on only the first one when there can be more denials that come up later.
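
The triage described in the comment above (run the cluster in permissive mode, collect every AVC from the audit log rather than stopping at the first denial enforcing mode reports) can be scripted. The following is an added example, not code from this bug or from openstack-selinux: it parses AVC records in both the interpreted format of `ausearch -i` (as pasted in comment 5) and the raw format of `ausearch -m avc` (as pasted in comment 24), deduplicates them by source type, target type, object class and permission, and renders each group as the raw allow rule that audit2allow would print. The embedded sample lines are copied from the comments on this bug; the script's function names and the ordering of its output are its own.

```python
"""Summarise SELinux AVC denials from a permissive-mode test run.

Added illustration for this bug report (not the project's code). Handles
both `ausearch -i` output (human-readable timestamps, unquoted comm=) and
raw audit.log / `ausearch -m avc` output (epoch timestamps, quoted comm=).
"""
import re
import sys
from collections import OrderedDict

# Sample input: AVC lines copied from comments 5 and 24 of this bug, plus one
# SYSCALL line that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(04/09/2014 09:47:46.454:686) : avc:  denied  { getattr } for  pid=14710 comm=sh path=/usr/sbin/ip dev="vda3" ino=135305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(04/09/2014 09:47:46.470:687) : avc:  denied  { name_bind } for  pid=14707 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(04/09/2014 09:47:52.217:690) : avc:  denied  { name_bind } for  pid=15544 comm=mysqld src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403963813.182:2685): avc:  denied  { name_connect } for  pid=11615 comm="mysqld" dest=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tram_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1403963813.182:2685): arch=c000003e syscall=42 success=no exit=-115 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
"""

# One regex covers both the interpreted and the raw record layout: the
# permission set is inside braces, and the three context fields are
# whitespace-delimited tokens in a fixed order.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) for each denied AVC."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        # A record may list several permissions, e.g. "{ read write }".
        for perm in m.group("perms").split():
            yield (context_type(m.group("scontext")),
                   context_type(m.group("tcontext")),
                   m.group("tclass"), perm)


def summarize(text):
    """Count each distinct denial, preserving first-seen order."""
    counts = OrderedDict()
    for key in parse_denials(text):
        counts[key] = counts.get(key, 0) + 1
    return counts


def allow_rules(counts):
    """Render distinct denials as the raw allow rules audit2allow would print,
    merging permissions that share source type, target type and class."""
    grouped = OrderedDict()
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), []).append(perm)
    rules = []
    for (src, tgt, cls), perms in grouped.items():
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules


if __name__ == "__main__":
    # Usage: python avc_summary.py [/var/log/audit/audit.log]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    counts = summarize(source)
    for (src, tgt, cls, perm), n in counts.items():
        print("%4d  %s -> %s:%s %s" % (n, src, tgt, cls, perm))
    print()
    print("\n".join(allow_rules(counts)))
```

On the sample the script reports three distinct denials (one getattr on ifconfig_exec_t, two name_bind and one name_connect on tram_port_t) and two merged rules. The raw `allow` lines are a triage aid, not what ships: in the policy package the same access is expressed through interfaces such as the `corenet_tcp_bind_tram_port(mysqld_t)` and `corenet_tcp_connect_tram_port(mysqld_t)` calls in comment 26, and each distinct denial is worth reviewing on its own before being allowed (the getattr on /usr/sbin/ip, for instance, comes from a shell that mysqld spawned, which is a different question from the replication port).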

Comment 28 Ryan O'Hara 2014-07-03 00:55:22 UTC
(In reply to Ryan Hallisey from comment #27)
> Also for the future, whenever you're testing or retesting do so in
> permissive. Then, search for 'AVC' in the log and if any AVCs exist, attach
> the entire /var/log/audit/audit.log to the bz.  Testing in enforcing will
> catch the denial, but will break on only the first one when there can be
> more denials that come up later.

It was in permissive. I was flipping between permissive and enforcing in my testing. I'm well aware that permissive is preferred for testing.

Thanks.

Comment 30 errata-xmlrpc 2014-07-08 15:12:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0845.html
