Created attachment 1036890 [details] SELinux denials Description of problem: SELinux denials prevent galera state snapshot transfer (sst) from running at startup on non-primary nodes. Consequently, new nodes cannot join a cluster. There are several sst mechanisms which presumably all need to be handled differently. The default is rsync, which appears to temporarily start an rsync daemon listening on port 4444 (normally related to kerberos, apparently). The rsync daemon shuts down after the initial sync, as incremental transfer takes over. I have attached a list of SELinux denials, and can confirm that a module created from audit2allow run against these allows the sst to succeed. Note that we seem to have been here before, or at least somewhere very similar: bug 1145619. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.13.1-126.fc22.noarch
If you want to test this, you can follow the instructions here: http://blog.heisenbug.com/2015/06/configure-simple-galera-cluster-on.html
Ok maybe we want to think about a new boolean. Something like ## <desc> ## <p> ## Allow mysqld to do galera state snapshot transfer (sst). ## </p> ## </desc> gen_tunable(mysql_can_sst, false) which could cover also another methods if it is needed. Matthew, what do you think?
Well, there's more than 1 type of sst: http://galeracluster.com/documentation-webpages/sst.html The one I was using, because it's the default, is rsync. I suspect other methods might have other issues. Might be best called mysql_can_rsync.
(In reply to Matthew Booth from comment #3) > Well, there's more than 1 type of sst: > > http://galeracluster.com/documentation-webpages/sst.html > > The one I was using, because it's the default, is rsync. I suspect other > methods might have other issues. Might be best called mysql_can_rsync. Yes, it makes sense. I see more bugs like this one. Vit, something what we have for postgresql_can_rsync boolean.
Matthew, we have some fixes. Could you try to run it in permissive to see if we can get more AVCs? Thank you.
Here is a scratch build that should fix the issue: https://fedorapeople.org/~lvrabec/128.17.fc22.1/ If you encounter any more AVC's, please record them in permissive mode and share here. Thank you.
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days