Bug 1117233 - MariaDB 10 Galera cluster startup blocked by SELinux
Summary: MariaDB 10 Galera cluster startup blocked by SELinux
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-08 11:06 UTC by Patrick Laimbock
Modified: 2014-09-17 08:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-17 08:31:31 UTC
Target Upstream Version:
Embargoed:



Description Patrick Laimbock 2014-07-08 11:06:21 UTC
Description of problem:
The startup of a MariaDB 10 Galera cluster is blocked by SELinux.

Version-Release number of selected component (if applicable):
galera-25.3.5-1.rhel6.x86_64
MariaDB-compat-10.0.12-1.el6.x86_64
MariaDB-client-10.0.12-1.el6.x86_64
MariaDB-Galera-server-10.0.12-1.el6.x86_64
selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
selinux-policy-3.7.19-231.el6_5.3.noarch

How reproducible:
On 3 nodes install MariaDB-Galera-server, configure a cluster, shutdown cluster, startup primary node of the cluster when SELinux is in enforcing mode with # service mysql start --wsrep-new-cluster. The mysql service will not start because SELinux prevents it.

Steps to Reproduce:
1. install MariaDB-Galera-server (the 10 version)
2. configure cluster (3 nodes), shutdown cluster
3. try to start the mysql service on the primary node of the cluster with SELinux in enforcing mode

Actual results:
SELinux prevents the mysql service on the primary cluster node from starting up.

Expected results:
The mysql service on the node starts up successfully.

Additional info:
The AVCs are:
type=AVC msg=audit(1404815982.942:96): avc:  denied  { write } for  pid=3915 comm="mysqld" path="[eventfd]" dev=anon_inodefs ino=3798 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1404815982.954:97): avc:  denied  { name_bind } for  pid=3915 comm="mysqld" src=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404815982.954:98): avc:  denied  { name_connect } for  pid=3915 comm="mysqld" dest=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

[root@db1-1 ~]# grep 1404815982 /var/log/audit/audit.log | audit2allow -M mariadb10-galera && cat mariadb10-galera.te

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mariadb10-galera.pp


module mariadb10-galera 1.0;

require {
	type anon_inodefs_t;
	type port_t;
	type mysqld_t;
	class tcp_socket { name_bind name_connect };
	class file write;
}

#============= mysqld_t ==============
allow mysqld_t anon_inodefs_t:file write;


The secondary and tertiary nodes also do not start up with # service mysql start with SELinux = enforcing. The following list of AVCs is generated with SELinux in permissive mode on node 2. The bulk of the AVCs were generated when node 2 synced via rsync with node 1 during the SST phase (SST=State Snapshot Transfer):

type=AVC msg=audit(1404816597.848:89): avc:  denied  { write } for  pid=3822 comm="mysqld" path="[eventfd]" dev=anon_inodefs ino=3798 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1404816597.858:90): avc:  denied  { write } for  pid=3822 comm="mysqld" path="[eventfd]" dev=anon_inodefs ino=3798 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1404816597.860:91): avc:  denied  { name_bind } for  pid=3822 comm="mysqld" src=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816673.233:93): avc:  denied  { write } for  pid=4296 comm="mysqld" path="[eventfd]" dev=anon_inodefs ino=3798 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1404816673.245:94): avc:  denied  { name_bind } for  pid=4296 comm="mysqld" src=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816673.246:95): avc:  denied  { name_connect } for  pid=4296 comm="mysqld" dest=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816676.295:96): avc:  denied  { getattr } for  pid=4322 comm="which" path="/usr/bin/rsync" dev=vda3 ino=659568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1404816676.318:97): avc:  denied  { execute } for  pid=4344 comm="wsrep_sst_rsync" name="rsync" dev=vda3 ino=659568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1404816676.318:98): avc:  denied  { read } for  pid=4344 comm="wsrep_sst_rsync" name="rsync" dev=vda3 ino=659568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1404816676.318:99): avc:  denied  { open } for  pid=4344 comm="wsrep_sst_rsync" name="rsync" dev=vda3 ino=659568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1404816676.318:99): avc:  denied  { execute_no_trans } for  pid=4344 comm="wsrep_sst_rsync" path="/usr/bin/rsync" dev=vda3 ino=659568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1404816676.342:100): avc:  denied  { name_bind } for  pid=4344 comm="rsync" src=4444 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816676.361:101): avc:  denied  { search } for  pid=4347 comm="lsof" name="1" dev=proc ino=8304 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1404816676.361:101): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=8389 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1404816676.361:101): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=8389 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1404816676.363:102): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1/stat" dev=proc ino=8389 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1404816676.364:103): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1" dev=proc ino=8304 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1404816676.364:104): avc:  denied  { search } for  pid=4347 comm="lsof" name="2" dev=proc ino=8305 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
type=AVC msg=audit(1404816676.364:104): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=8392 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
type=AVC msg=audit(1404816676.364:104): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=8392 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
type=AVC msg=audit(1404816676.364:105): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/2/stat" dev=proc ino=8392 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
type=AVC msg=audit(1404816676.364:106): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/2" dev=proc ino=8305 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
type=AVC msg=audit(1404816676.367:107): avc:  denied  { search } for  pid=4347 comm="lsof" name="365" dev=proc ino=8781 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.367:107): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10318 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.367:107): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10318 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.368:108): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/365/stat" dev=proc ino=10318 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.369:109): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/365" dev=proc ino=8781 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.369:110): avc:  denied  { search } for  pid=4347 comm="lsof" name="878" dev=proc ino=10539 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir
type=AVC msg=audit(1404816676.369:110): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10542 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:110): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10542 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:111): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/878/stat" dev=proc ino=10542 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:112): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/878" dev=proc ino=10539 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir
type=AVC msg=audit(1404816676.369:113): avc:  denied  { search } for  pid=4347 comm="lsof" name="933" dev=proc ino=10470 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.369:113): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10545 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:113): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10545 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:114): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/933/stat" dev=proc ino=10545 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:115): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/933" dev=proc ino=10470 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.369:116): avc:  denied  { search } for  pid=4347 comm="lsof" name="949" dev=proc ino=10540 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.369:116): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10548 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:116): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10548 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1404816676.369:117): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/949/stat" dev=proc ino=10548 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:118): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/949" dev=proc ino=10540 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.370:119): avc:  denied  { search } for  pid=4347 comm="lsof" name="967" dev=proc ino=10586 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=dir
type=AVC msg=audit(1404816676.370:119): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10588 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:119): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10588 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:120): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/967/stat" dev=proc ino=10588 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:121): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/967" dev=proc ino=10586 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=dir
type=AVC msg=audit(1404816676.370:122): avc:  denied  { search } for  pid=4347 comm="lsof" name="985" dev=proc ino=10652 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.370:122): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10719 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:122): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=10719 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:123): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/985/stat" dev=proc ino=10719 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:124): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/985" dev=proc ino=10652 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.370:125): avc:  denied  { search } for  pid=4347 comm="lsof" name="1020" dev=proc ino=13237 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.370:125): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13340 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:125): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13340 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:126): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1020/stat" dev=proc ino=13340 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=file
type=AVC msg=audit(1404816676.370:127): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1020" dev=proc ino=13237 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=dir
type=AVC msg=audit(1404816676.371:128): avc:  denied  { search } for  pid=4347 comm="lsof" name="1037" dev=proc ino=10853 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.371:128): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13343 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.371:128): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13343 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.371:129): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1037/stat" dev=proc ino=13343 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.371:130): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1037" dev=proc ino=10853 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.371:131): avc:  denied  { search } for  pid=4347 comm="lsof" name="1045" dev=proc ino=13238 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.371:131): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13346 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.371:131): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13346 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.372:132): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1045/stat" dev=proc ino=13346 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.372:133): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1045" dev=proc ino=13238 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.372:134): avc:  denied  { search } for  pid=4347 comm="lsof" name="1818" dev=proc ino=11731 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.372:134): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13355 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.372:134): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=13355 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.373:135): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1818/stat" dev=proc ino=13355 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.373:136): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/1818" dev=proc ino=11731 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.373:137): avc:  denied  { search } for  pid=4347 comm="lsof" name="3287" dev=proc ino=15078 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=dir
type=AVC msg=audit(1404816676.373:137): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15099 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1404816676.373:137): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15099 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1404816676.373:138): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3287/stat" dev=proc ino=15099 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1404816676.374:139): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3287" dev=proc ino=15078 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=dir
type=AVC msg=audit(1404816676.374:140): avc:  denied  { search } for  pid=4347 comm="lsof" name="3305" dev=proc ino=13545 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.374:140): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15105 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.374:140): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15105 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.374:141): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3305/stat" dev=proc ino=15105 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1404816676.374:142): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3305" dev=proc ino=13545 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.374:143): avc:  denied  { search } for  pid=4347 comm="lsof" name="3319" dev=proc ino=13751 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=dir
type=AVC msg=audit(1404816676.374:143): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15108 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
type=AVC msg=audit(1404816676.374:143): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15108 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
type=AVC msg=audit(1404816676.375:144): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3319/stat" dev=proc ino=15108 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=file
type=AVC msg=audit(1404816676.375:145): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3319" dev=proc ino=13751 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=dir
type=AVC msg=audit(1404816676.375:146): avc:  denied  { search } for  pid=4347 comm="lsof" name="3333" dev=proc ino=15080 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=dir
type=AVC msg=audit(1404816676.375:146): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15111 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=file
type=AVC msg=audit(1404816676.375:146): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=15111 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=file
type=AVC msg=audit(1404816676.375:147): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3333/stat" dev=proc ino=15111 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=file
type=AVC msg=audit(1404816676.375:148): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/3333" dev=proc ino=15080 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=dir
type=AVC msg=audit(1404816676.376:149): avc:  denied  { search } for  pid=4347 comm="lsof" name="4114" dev=proc ino=15905 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1404816676.376:149): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=16028 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1404816676.376:149): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=16028 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1404816676.377:150): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/4114/stat" dev=proc ino=16028 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1404816676.377:151): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/4114" dev=proc ino=15905 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1404816676.377:152): avc:  denied  { search } for  pid=4347 comm="lsof" name="4120" dev=proc ino=15906 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=dir
type=AVC msg=audit(1404816676.377:152): avc:  denied  { read } for  pid=4347 comm="lsof" name="stat" dev=proc ino=16030 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=file
type=AVC msg=audit(1404816676.377:152): avc:  denied  { open } for  pid=4347 comm="lsof" name="stat" dev=proc ino=16030 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=file
type=AVC msg=audit(1404816676.377:153): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/4120/stat" dev=proc ino=16030 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=file
type=AVC msg=audit(1404816676.377:154): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/4120" dev=proc ino=15906 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:system_r:mysqld_safe_t:s0 tclass=dir
type=AVC msg=audit(1404816676.377:155): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="[eventpoll]" dev=anon_inodefs ino=3798 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1404816676.377:156): avc:  denied  { read } for  pid=4347 comm="lsof" name="raw" dev=proc ino=4026532002 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1404816676.377:156): avc:  denied  { open } for  pid=4347 comm="lsof" name="raw" dev=proc ino=4026532002 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1404816676.378:157): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/var/run/rpcbind.sock" dev=vda3 ino=920149 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1404816676.378:158): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/var/run/acpid.socket" dev=vda3 ino=920153 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:apmd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1404816676.378:159): avc:  denied  { getattr } for  pid=4347 comm="lsof" path="/proc/4347/net/sockstat6" dev=proc ino=4026532251 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1404816676.399:160): avc:  denied  { name_bind } for  pid=4306 comm="mysqld" src=4568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816677.424:161): avc:  denied  { read } for  pid=4367 comm="ps" name="stat" dev=proc ino=10548 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1404816677.424:161): avc:  denied  { open } for  pid=4367 comm="ps" name="stat" dev=proc ino=10548 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1404816684.758:162): avc:  denied  { name_connect } for  pid=4306 comm="mysqld" dest=4568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Which translates to:

[root@db2-1 ~]# egrep '1404816597|1404816673|1404816676|1404816677|1404816684'  /var/log/audit/audit.log | audit2allow -M galera && cat galera.te
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i galera.pp


module galera 1.0;

require {
	type unconfined_t;
	type rpcbind_t;
	type init_t;
	type auditd_t;
	type puppet_t;
	type syslogd_t;
	type apmd_var_run_t;
	type initrc_t;
	type port_t;
	type rpcbind_var_run_t;
	type dhcpc_t;
	type proc_net_t;
	type kernel_t;
	type rsync_exec_t;
	type apmd_t;
	type udev_t;
	type sendmail_t;
	type mysqld_t;
	type inetd_t;
	type kerberos_master_port_t;
	type mysqld_safe_t;
	type sshd_t;
	type crond_t;
	type getty_t;
	type anon_inodefs_t;
	type rpcd_t;
	class sock_file getattr;
	class tcp_socket { name_bind name_connect };
	class dir { search getattr };
	class file { write getattr read open execute execute_no_trans };
}

#============= mysqld_t ==============
allow mysqld_t anon_inodefs_t:file { write getattr };
allow mysqld_t apmd_t:dir { search getattr };
allow mysqld_t apmd_t:file { read getattr open };
allow mysqld_t apmd_var_run_t:sock_file getattr;
allow mysqld_t auditd_t:dir { search getattr };
allow mysqld_t auditd_t:file { read getattr open };
allow mysqld_t crond_t:dir { search getattr };
allow mysqld_t crond_t:file { read getattr open };
allow mysqld_t dhcpc_t:dir { search getattr };
allow mysqld_t dhcpc_t:file { read getattr open };
allow mysqld_t getty_t:dir { search getattr };
allow mysqld_t getty_t:file { read getattr open };
allow mysqld_t inetd_t:dir { search getattr };
allow mysqld_t inetd_t:file { read getattr open };
allow mysqld_t init_t:dir { search getattr };
allow mysqld_t init_t:file { read getattr open };
allow mysqld_t initrc_t:dir { search getattr };
allow mysqld_t initrc_t:file { read getattr open };
allow mysqld_t kerberos_master_port_t:tcp_socket name_bind;
allow mysqld_t kernel_t:dir { search getattr };
allow mysqld_t kernel_t:file { read getattr open };
allow mysqld_t mysqld_safe_t:dir { search getattr };
allow mysqld_t mysqld_safe_t:file { read getattr open };

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow mysqld_t port_t:tcp_socket { name_bind name_connect };
allow mysqld_t proc_net_t:file { read getattr open };
allow mysqld_t puppet_t:dir { search getattr };
allow mysqld_t puppet_t:file { read getattr open };
allow mysqld_t rpcbind_t:dir { search getattr };
allow mysqld_t rpcbind_t:file { read getattr open };
allow mysqld_t rpcbind_var_run_t:sock_file getattr;
allow mysqld_t rpcd_t:dir { search getattr };
allow mysqld_t rpcd_t:file { read getattr open };
allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans };
allow mysqld_t sendmail_t:dir { search getattr };
allow mysqld_t sendmail_t:file { read getattr open };
allow mysqld_t sshd_t:dir { search getattr };
allow mysqld_t sshd_t:file { read getattr open };
allow mysqld_t syslogd_t:dir { search getattr };
allow mysqld_t syslogd_t:file { read getattr open };
allow mysqld_t udev_t:dir { search getattr };
allow mysqld_t udev_t:file { read getattr open };
allow mysqld_t unconfined_t:dir { search getattr };
allow mysqld_t unconfined_t:file { read getattr open };
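
An added example, not part of the original report and not audit2allow's own code: a small Python triage that folds AVC records into audit2allow-style allow rules and sorts them by the kind of access each rule would grant, so a reviewer can tell port-labelling denials from reads of other domains' /proc state and from helpers executed without a domain transition. The sample input is a subset of the node-2 AVC lines above; the function names and category names are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the node-2 AVC records quoted in the report above.
SAMPLE_AVCS = r'''
type=AVC msg=audit(1404816597.848:89): avc:  denied  { write } for  pid=3822 comm="mysqld" path="[eventfd]" dev=anon_inodefs ino=3798 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1404816597.860:91): avc:  denied  { name_bind } for  pid=3822 comm="mysqld" src=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816673.246:95): avc:  denied  { name_connect } for  pid=4296 comm="mysqld" dest=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816676.318:99): avc:  denied  { execute_no_trans } for  pid=4344 comm="wsrep_sst_rsync" path="/usr/bin/rsync" dev=vda3 ino=659568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1404816676.342:100): avc:  denied  { name_bind } for  pid=4344 comm="rsync" src=4444 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1404816676.361:101): avc:  denied  { search } for  pid=4347 comm="lsof" name="1" dev=proc ino=8304 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1404816676.371:128): avc:  denied  { search } for  pid=4347 comm="lsof" name="1037" dev=proc ino=10853 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1404816676.377:156): avc:  denied  { read } for  pid=4347 comm="lsof" name="raw" dev=proc ino=4026532002 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1404816676.399:160): avc:  denied  { name_bind } for  pid=4306 comm="mysqld" src=4568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Category names and notes are this example's own labels.
ADVICE = {
    'generic_port': 'port has no dedicated label; the rule covers every unlabelled port',
    'foreign_port': 'port is labelled for a different service',
    'exec_no_transition': 'helper binary runs inside the calling domain',
    'domain_state': "reads /proc entries that carry other processes' contexts",
    'other': 'review individually',
}


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type:level[:categories]; only role and type matter here.
        _, _, source = f['scontext'].split(':')[:3]
        _, target_role, target = f['tcontext'].split(':')[:3]
        tclass = f['tclass']
    except (KeyError, ValueError):
        return None
    port = f.get('src') or f.get('dest')
    return {
        'key': (source, target, tclass),
        'perms': set(m.group('perms').split()),
        'target_role': target_role,
        'port': int(port) if port and port.isdigit() else None,
    }


def group_rules(lines):
    """Merge records that share (source type, target type, class), as audit2allow does."""
    rules = defaultdict(lambda: {'perms': set(), 'ports': set(), 'target_role': None})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rule = rules[rec['key']]
        rule['perms'] |= rec['perms']
        rule['target_role'] = rec['target_role']
        if rec['port'] is not None:
            rule['ports'].add(rec['port'])
    return rules


def classify(key, rule):
    _, target, tclass = key
    if tclass in ('tcp_socket', 'udp_socket') and rule['perms'] <= {'name_bind', 'name_connect'}:
        return 'generic_port' if target == 'port_t' else 'foreign_port'
    if 'execute_no_trans' in rule['perms']:
        return 'exec_no_transition'
    if rule['target_role'] != 'object_r':
        # Objects carry object_r; any other role means the target is a process.
        return 'domain_state'
    return 'other'


def allow_rule(key, perms):
    source, target, tclass = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f'allow {source} {target}:{tclass} {body};'


def triage(lines):
    """Return {category: [(allow rule text, sorted port list), ...]}."""
    out = defaultdict(list)
    for key, rule in sorted(group_rules(lines).items()):
        out[classify(key, rule)].append((allow_rule(key, rule['perms']), sorted(rule['ports'])))
    return dict(out)


if __name__ == '__main__':
    for category, rules in triage(SAMPLE_AVCS.splitlines()).items():
        print(f'[{category}] {ADVICE[category]}')
        for text, ports in rules:
            print('   ', text, f'ports={ports}' if ports else '')
```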

Comment 2 Miroslav Grepl 2014-09-17 08:31:31 UTC
commit 90c0fa7abc17ab8e45d2d0e170225b03fe140b75
Author: Miroslav Grepl <mgrepl>
Date:   Wed Sep 17 10:30:58 2014 +0200

    Allow mysqld to read all domain state.

