Bug 1229794 - SELinux prevents mariadb-galera-server from starting on non-primary nodes [NEEDINFO]
Summary: SELinux prevents mariadb-galera-server from starting on non-primary nodes
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2015-06-09 15:54 UTC by Matthew Booth
Modified: 2016-07-19 20:23 UTC
Clone Of:
Last Closed: 2016-07-19 20:23:45 UTC
mgrepl: needinfo? (mbooth)


Attachments
SELinux denials (1.73 KB, text/plain)
2015-06-09 15:54 UTC, Matthew Booth

Description Matthew Booth 2015-06-09 15:54:38 UTC
Created attachment 1036890
SELinux denials

Description of problem:
SELinux denials prevent galera state snapshot transfer (sst) from running at startup on non-primary nodes. Consequently, new nodes cannot join a cluster. There are several sst mechanisms which presumably all need to be handled differently. The default is rsync, which appears to temporarily start an rsync daemon listening on port 4444 (normally related to kerberos, apparently). The rsync daemon shuts down after the initial sync, as incremental transfer takes over.

I have attached a list of SELinux denials, and can confirm that a module created from audit2allow run against these allows the sst to succeed.

Note that we seem to have been here before, or at least somewhere very similar: bug 1145619.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-126.fc22.noarch

Comment 1 Matthew Booth 2015-06-11 14:50:44 UTC
If you want to test this, you can follow the instructions here: http://blog.heisenbug.com/2015/06/configure-simple-galera-cluster-on.html

Comment 2 Miroslav Grepl 2015-06-17 15:52:40 UTC
OK, maybe we want to think about a new boolean. Something like

## <desc>
## <p>
## Allow mysqld to do galera state snapshot transfer (sst).
## </p>
## </desc>
gen_tunable(mysql_can_sst, false)


which could also cover other methods if needed.

Matthew,
what do you think?

Comment 3 Matthew Booth 2015-09-14 13:06:28 UTC
Well, there's more than 1 type of sst:

http://galeracluster.com/documentation-webpages/sst.html

The one I was using, because it's the default, is rsync. I suspect other methods might have other issues. Might be best called mysql_can_rsync.

Comment 4 Miroslav Grepl 2015-09-21 08:32:12 UTC
(In reply to Matthew Booth from comment #3)
> Well, there's more than 1 type of sst:
> 
> http://galeracluster.com/documentation-webpages/sst.html
> 
> The one I was using, because it's the default, is rsync. I suspect other
> methods might have other issues. Might be best called mysql_can_rsync.

Yes, it makes sense. I see more bugs like this one. 

Vit,
something like what we have for the postgresql_can_rsync boolean.
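
The boolean sketched in comment 2, renamed mysql_can_rsync as suggested in comment 3 and built the way comment 4 describes for postgresql_can_rsync, would look roughly like the local module below. This is an added illustration written for this report, not the fix that shipped in selinux-policy; the interface names used (rsync_exec, corenet_tcp_bind_generic_node, corenet_tcp_bind_kerberos_port, corenet_tcp_connect_kerberos_port) come from the reference policy, and the assumption that tcp/4444 carries the kerberos_port_t label should be checked on the target host with `semanage port -l | grep 4444` before relying on it.

```selinux
# Added example: a boolean-gated local module for the rsync sst method.
# Not the shipped selinux-policy fix; interface names are reference-policy
# interfaces and the port label for 4444 is an assumption to be verified.
policy_module(mysql_sst_local, 1.0)

## <desc>
## <p>
## Allow mysqld to do galera state snapshot transfer (sst) over rsync.
## </p>
## </desc>
gen_tunable(mysql_can_rsync, false)

gen_require(`
	type mysqld_t;
')

# Everything below is granted only while the boolean is on, so a plain
# mariadb host that never joins a galera cluster keeps the stock policy.
tunable_policy(`mysql_can_rsync',`
	# wsrep_sst_rsync execs the rsync binary from the mysqld_t domain
	rsync_exec(mysqld_t)

	# the temporary rsync daemon binds a listening socket on tcp/4444;
	# that port is labelled kerberos_port_t in the reference policy (assumption)
	corenet_tcp_bind_generic_node(mysqld_t)
	corenet_tcp_bind_kerberos_port(mysqld_t)

	# the joining node connects to the donor on the same port
	corenet_tcp_connect_kerberos_port(mysqld_t)
')
```

With selinux-policy-devel installed, `make -f /usr/share/selinux/devel/Makefile mysql_sst_local.pp` builds the module and `semodule -i mysql_sst_local.pp` loads it; the rules stay dormant until `setsebool -P mysql_can_rsync on` is run on the galera nodes. Any AVCs that remain after that, collected in permissive mode as asked in comments 5 and 6, point at permissions this set does not cover; keeping the boolean off by default means the grants are scoped to cluster members rather than baked into every mysqld domain the way a raw audit2allow module would be.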

Comment 5 Miroslav Grepl 2015-10-09 06:47:38 UTC
Matthew,
we have some fixes.

Could you try to run it in permissive to see if we can get more AVCs?

Thank you.

Comment 6 Vit Mojzis 2015-10-15 08:00:46 UTC
Here is a scratch build that should fix the issue: https://fedorapeople.org/~lvrabec/128.17.fc22.1/
If you encounter any more AVCs, please record them in permissive mode and share them here.

Thank you.

Comment 7 Mike McCune 2016-03-28 23:44:20 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 8 Fedora End Of Life 2016-07-19 20:23:45 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
