Bug 1110973 - Openstack services should be allowed connectto to unix_stream_socket, /run/mysqld/mysqld.sock
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-06-19 01:30 UTC by Richard Su
Modified: 2014-08-13 16:18 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-08-13 16:18:23 UTC
Type: Bug
Embargoed:


Attachments
audit.log (123.57 KB, text/x-log), 2014-06-19 01:30 UTC, Richard Su

Description Richard Su 2014-06-19 01:30:04 UTC
Created attachment 910202 [details]
audit.log

Description of problem:
Openstack services fail to connect to mysql server. SELinux denies them access to /run/mysqld/mysqld.sock. The services are configured with localhost in their mysql connection url.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-167.fc20.noarch
selinux-policy-targeted-3.12.1-167.fc20.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy tripleo undercloud with selinux wip patch, https://review.openstack.org/#/c/99242/

Actual results:
Services denied socket connection.

Expected results:
Services granted socket connection.

Additional info:
type=AVC msg=audit(1403138987.859:199): avc:  denied  { connectto } for  pid=4438 comm="neutron-server" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1403138987.989:205): avc:  denied  { connectto } for  pid=4438 comm="neutron-server" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1403138990.382:285): avc:  denied  { execute } for  pid=4612 comm="neutron-openvsw" name="udevadm" dev="sda3" ino=11411 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
type=AVC msg=audit(1403138997.090:306): avc:  denied  { connectto } for  pid=4757 comm="nova-scheduler" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1403138997.094:307): avc:  denied  { connectto } for  pid=4767 comm="nova-consoleaut" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:nova_console_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1403138997.447:308): avc:  denied  { connectto } for  pid=4749 comm="nova-cert" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:nova_cert_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1403139004.944:331): avc:  denied  { connectto } for  pid=4079 comm="keystone-all" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket


[root@undercloud-undercloud-gfwkj4gjrhd3 bin]# ls -Z /run/mysqld/mysqld.sock 
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 /run/mysqld/mysqld.sock


[root@undercloud-undercloud-gfwkj4gjrhd3 audit]# ps -efZ | grep init
system_u:system_r:init_t:s0     root         1     0  0 00:45 ?        00:00:02 /usr/lib/systemd/systemd --switched-root --system --deserialize 24
system_u:system_r:init_t:s0     root       707     1  0 00:46 ?        00:00:04 /opt/stack/venvs/os-collect-config/bin/python /usr/local/bin/os-collect-config
system_u:system_r:initrc_t:s0   root      2254     1  0 00:48 ?        00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/mnt/state/var/lib/mysql/ --pid-file=/var/run/mysqld/mysqld.pid --wsrep-new-cluster
system_u:system_r:initrc_t:s0   mysql     2899  2254  0 00:48 ?        00:00:04 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/mnt/state/var/lib/mysql/ --plugin-dir=/usr/local/mysql/lib/mysql/plugin --user=mysql --wsrep-new-cluster --log-error=/mnt/state/var/log/mysql/error.log --open-files-limit=65535 --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1
system_u:system_r:init_t:s0     ceilome+  3869     1  0 00:49 ?        00:00:01 /opt/stack/venvs/ceilometer/bin/python /opt/stack/venvs/ceilometer/bin/ceilometer-agent-central --config-dir /etc/ceilometer
system_u:system_r:init_t:s0     ceilome+  3909     1  0 00:49 ?        00:00:17 /opt/stack/venvs/ceilometer/bin/python /opt/stack/venvs/ceilometer/bin/ceilometer-agent-notification --config-dir /etc/ceilometer
system_u:system_r:init_t:s0     ceilome+  3933  3909  0 00:49 ?        00:00:00 /opt/stack/venvs/ceilometer/bin/python /opt/stack/venvs/ceilometer/bin/ceilometer-agent-notification --config-dir /etc/ceilometer
system_u:system_r:init_t:s0     ceilome+  3968     1  0 00:49 ?        00:00:03 /opt/stack/venvs/ceilometer/bin/python /opt/stack/venvs/ceilometer/bin/ceilometer-api --config-dir /etc/ceilometer
system_u:system_r:init_t:s0     ceilome+  4008     1  0 00:49 ?        00:00:17 /opt/stack/venvs/ceilometer/bin/python /opt/stack/venvs/ceilometer/bin/ceilometer-collector --config-dir /etc/ceilometer
system_u:system_r:init_t:s0     ceilome+  4089  4008  0 00:49 ?        00:00:00 /opt/stack/venvs/ceilometer/bin/python /opt/stack/venvs/ceilometer/bin/ceilometer-collector --config-dir /etc/ceilometer
system_u:system_r:init_t:s0     heat      4239     1  0 00:49 ?        00:00:00 /opt/stack/venvs/heat/bin/python /opt/stack/venvs/heat/bin/heat-api
system_u:system_r:init_t:s0     heat      4248     1  0 00:49 ?        00:00:00 /opt/stack/venvs/heat/bin/python /opt/stack/venvs/heat/bin/heat-api-cfn
system_u:system_r:init_t:s0     heat      4256     1  0 00:49 ?        00:00:00 /opt/stack/venvs/heat/bin/python /opt/stack/venvs/heat/bin/heat-api-cloudwatch
system_u:system_r:init_t:s0     heat      4323     1  0 00:49 ?        00:00:01 /opt/stack/venvs/heat/bin/python /opt/stack/venvs/heat/bin/heat-engine
system_u:system_r:init_t:s0     nova      4732     1  0 00:49 ?        00:00:05 /opt/stack/venvs/nova/bin/python /opt/stack/venvs/nova/bin/nova-conductor --config-dir /etc/nova
system_u:system_r:init_t:s0     nova      4861     1  0 00:49 ?        00:00:02 /opt/stack/venvs/nova/bin/python /opt/stack/venvs/nova/bin/nova-baremetal-deploy-helper --config-dir /etc/nova
system_u:system_r:init_t:s0     nova      4975     1  0 00:49 ?        00:00:00 /opt/stack/venvs/nova/bin/python /opt/stack/venvs/nova/bin/nova-novncproxy --config-dir /etc/nova
system_u:system_r:init_t:s0     root      5242     1  0 01:01 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     root      5245  5242  0 01:01 ?        00:00:00 (sd-pam)
system_u:system_r:init_t:s0     heat-ad+  5443     1  0 01:16 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     heat-ad+  5449  5443  0 01:16 ?        00:00:00 (sd-pam)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5543 5472  0 01:19 pts/0 00:00:00 grep --color=auto init

Comment 1 Miroslav Grepl 2014-06-25 08:28:26 UTC
Ok, the problem is how you start mysqld.

/bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/mnt/state/var/lib/mysql/ --pid-file=/var/run/mysqld/mysqld.pid --wsrep-new-cluster
system_u:system_r:initrc_t:s0   mysql     2899  2254  0 00:48 ?   

You need to add labeling for 

/usr/local/mysql/bin/mysqld_safe

# chcon -t mysqld_safe_exec_t /usr/local/mysql/bin/mysqld_safe

and re-test it.
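As an added triage example (not part of the bug report or of the selinux-policy project), the script below parses AVC records like the ones in the description and flags connectto denials whose peer socket belongs to a generic domain such as initrc_t, which is exactly the symptom this comment diagnoses: a daemon started from an unlabelled executable never transitions into its own confined domain (here mysqld_t), so every confined client is denied. The sample records are copied from the report above; the set of "generic" domains is an assumption of this example.

```python
import re

# Three AVC records copied from the bug report above (constructed sample input).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1403138987.859:199): avc:  denied  { connectto } for  pid=4438 comm="neutron-server" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1403138990.382:285): avc:  denied  { execute } for  pid=4612 comm="neutron-openvsw" name="udevadm" dev="sda3" ino=11411 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
type=AVC msg=audit(1403139004.944:331): avc:  denied  { connectto } for  pid=4079 comm="keystone-all" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Domains in which a daemon should not normally be running; a peer here usually
# means the daemon's executable carries a generic label (assumption of this example).
GENERIC_DOMAINS = {'initrc_t', 'unconfined_t', 'unconfined_service_t'}


def parse_avc(text):
    """Return one dict per AVC denial: perm, comm, path, scontext, tcontext, tclass."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['perm'] = rec['perm'].strip()
        comm = re.search(r'comm="([^"]*)"', line)
        target = re.search(r'(?:path|name)="([^"]*)"', line)
        rec['comm'] = comm.group(1) if comm else ''
        rec['path'] = target.group(1) if target else ''
        records.append(rec)
    return records


def domain(ctx):
    """Extract the type field (third colon-separated element) of a security context."""
    return ctx.split(':')[2]


def mislabeled_peer_report(records):
    """Map (socket path, peer domain) -> set of confined client domains that were denied
    connectto, considering only peers that sit in a generic domain such as initrc_t."""
    findings = {}
    for r in records:
        if r['tclass'] != 'unix_stream_socket' or r['perm'] != 'connectto':
            continue
        peer = domain(r['tcontext'])
        if peer in GENERIC_DOMAINS:
            findings.setdefault((r['path'], peer), set()).add(domain(r['scontext']))
    return findings


if __name__ == '__main__':
    for (path, peer), clients in mislabeled_peer_report(parse_avc(SAMPLE_AUDIT)).items():
        print(f"{path}: served from {peer}; denied clients: {sorted(clients)}")
```

The chcon in this comment relabels the file only until the next filesystem relabel; `semanage fcontext -a -t mysqld_safe_exec_t /usr/local/mysql/bin/mysqld_safe` followed by `restorecon -v` on that path records the same label persistently.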

Comment 2 Richard Su 2014-08-13 16:18:23 UTC
Closed by using mariadb rpm upstream.

