Created attachment 940405
mariadb service startup denials

Description of problem:
When starting the mariadb service on a non-primary node of a mariadb/galera cluster, SELinux prevents wsrep/rsync from syncing up correctly with the primary node, so the backup node will fail to start. The list of denials (captured in permissive mode) is attached.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-183.fc20.noarch
selinux-policy-3.12.1-183.fc20.noarch
mariadb-galera-common-5.5.38-1.fc20.x86_64
mariadb-galera-server-5.5.38-1.fc20.x86_64
mariadb-libs-5.5.39-1.fc20.x86_64
mariadb-5.5.39-1.fc20.x86_64

How reproducible:
Configure a mariadb/galera cluster with wsrep/rsync, start the primary node, then make a non-primary node join the cluster.

Actual results:
The mariadb service fails to start on the non-primary node.
I think you need openstack-selinux installed.
(In reply to Ryan O'Hara from comment #1)
> I think you need openstack-selinux installed.

Never mind. I was reminded that there is no openstack-selinux package for Fedora. Sounds like we need to port the galera policy bits to base policy in Fedora. Comments?
Created attachment 940626
mariadb_service_startup_policy_fixes

Ryan, using audit2allow I generated the required policy changes. These are all or in part provided by openstack-selinux, I suppose, but I decided to attach the .te file here anyway so we can compare or merge as needed.
allow mysqld_t kerberos_port_t:tcp_socket name_bind;
allow mysqld_t rsync_exec_t:file { read getattr open execute execute_no_trans };

The rest of the rules are already in policy.
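To show what the audit2allow step in comment #4 actually does with denials like the attached ones, and how the two rules above fall out of it, here is a small added example (not the attachment, not audit2allow itself, and not anything from selinux-policy or openstack-selinux). It parses constructed AVC lines shaped like the two denials that were missing from policy, collapses them into allow rules keyed by (source type, target type, class), renders a .te module in the shape `audit2allow -M` produces, and flags the grants a policy reviewer would want to look at before loading the module. The log lines, PIDs, inodes, port number and module name are all made up for the example.

```python
"""Toy re-implementation of the audit2allow step described in the thread:
parse AVC denial lines, collapse them into SELinux allow rules, emit a .te
module, and flag grants that deserve review. Example code added to this bug
thread; the log lines below are constructed, not the real attachment."""
import re
from collections import defaultdict

# Constructed sample denials shaped like the two the thread says were missing
# from policy (mysqld_t binding a kerberos_port_t port, mysqld_t executing
# rsync). PIDs, inodes, timestamps and the src port are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1405000000.123:201): avc:  denied  { name_bind } for  pid=1234 comm="mysqld" src=4444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1405000000.456:202): avc:  denied  { read open } for  pid=1234 comm="mysqld" name="rsync" dev="dm-0" ino=4242 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1405000000.789:203): avc:  denied  { getattr execute execute_no_trans } for  pid=1234 comm="mysqld" path="/usr/bin/rsync" dev="dm-0" ino=4242 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1405000000.789:203): arch=c000003e syscall=59 success=yes exit=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type:level
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, set(m.group("perms").split())


def collect_rules(audit_text):
    """Group denials by (source type, target type, class); return sorted rule tuples."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            grouped[(stype, ttype, tclass)] |= perms
    return [(s, t, c, sorted(p)) for (s, t, c), p in sorted(grouped.items())]


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax expects."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_allow(rule):
    stype, ttype, tclass, perms = rule
    return f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};"


def render_module(rules, name="mariadb_galera_local"):
    """Emit a .te module in the shape `audit2allow -M` produces (name is made up)."""
    types = sorted({r[0] for r in rules} | {r[1] for r in rules})
    classes = defaultdict(set)
    for _, _, tclass, perms in rules:
        classes[tclass] |= set(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(sorted(p))};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [render_allow(r) for r in rules]
    return "\n".join(out) + "\n"


def review_notes(rules):
    """Flag generated grants that deserve a human look before the module is loaded."""
    notes = []
    for stype, ttype, tclass, perms in rules:
        if "execute_no_trans" in perms:
            notes.append(f"{stype} runs {ttype} inside its own domain (no transition); "
                         "confirm that is intended rather than a domain transition")
        if "name_bind" in perms and ttype.endswith("_port_t"):
            notes.append(f"{stype} may bind any port labelled {ttype}; check whether "
                         "a narrower port label exists or can be defined")
    return notes


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG)
    print(render_module(rules))
    for note in review_notes(rules):
        print("REVIEW:", note)
```

Run stand-alone it prints a module whose two allow lines are exactly the two rules Ryan singled out (permissions sorted alphabetically rather than in audit order), plus two review notes: one because `execute_no_trans` keeps rsync running as mysqld_t instead of transitioning to its own domain, and one because `name_bind` on a port type grants every port carrying that label, not just the one the cluster uses. The real audit2allow also handles dontaudit, booleans and interface suggestions; this example deliberately covers only the allow-rule generation the thread talks about.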
Ryan, that means in the policy provided by openstack-selinux? How do we get access to that from Fedora?
openstack-selinux is not in Fedora. When the changes are added to selinux-policy it will be fixed in Fedora.
(In reply to Ryan Hallisey from comment #7)
> openstack-selinux is not in Fedora. When the the changes are added to
> selinux-policy it will be fixed in Fedora.

Do we have an ETA? I believe this is blocking RDO deployments on Fedora.
I don't know. When openstack-selinux policy is merged into selinux-policy you should see it in Fedora.
commit 972bca1cf1254738134d1195025b57a7c26a8d44
Author: Dan Walsh <dwalsh>
Date:   Mon Jul 14 13:40:59 2014 -0400

    Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof. Cluster team found it needed this access to make it work
selinux-policy-3.12.1-189.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-189.fc20
Package selinux-policy-3.12.1-189.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-189.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12350/selinux-policy-3.12.1-189.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-189.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.