1439182 – AVC due to galera resource agent makes galera bootstrap fail

Bug 1439182 - AVC due to galera resource agent makes galera bootstrap fail

Summary: AVC due to galera resource agent makes galera bootstrap fail

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	5.0 (RHEL 7)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	11.0 (Ocata)
Assignee:	Lon Hohberger
QA Contact:	Udi Shkalim
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-05 11:48 UTC by Damien Ciabrini
Modified:	2017-05-17 20:18 UTC (History)
CC List:	13 users (show)
Fixed In Version:	openstack-selinux-0.8.5-6.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-17 20:18:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:1245	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory	2017-05-17 23:01:50 UTC

Description Damien Ciabrini 2017-04-05 11:48:24 UTC

Description of problem:

In [1] we recently modified the galera resource agent to make it work
with latest mariadb 10.1.18+ used by RDO. From this version onwards,
information regarding galera state has to be retrieved from a mariadb
log file.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1391470

The resource agents no longer cats the output of mariadb into a
temporary file for further parsing. Rather, it passes this temporary
file directly to mysqld_safe. Unfortunately, current SELinux rules
prevent mysqld_safe or mysqld to read/write from/to this file and the
galera resource agent fails to retrieve the galera state.

mysqld_safe unconditionally touch/chown the temporary log file it's being
passed:

time->Wed Apr  5 10:18:41 2017
type=SYSCALL msg=audit(1491387521.002:381): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc4b686bbf a1=941 a2=1b6 a3=7ffc4b685600 items=0 ppid=42281 pid=43048 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1491387521.002:381): avc:  denied  { open } for  pid=43048 comm="touch" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
----
time->Wed Apr  5 10:18:41 2017
type=SYSCALL msg=audit(1491387521.003:382): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=8f24d0 a2=1b a3=ffffffff items=0 ppid=42281 pid=43049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1491387521.003:382): avc:  denied  { setattr } for  pid=43049 comm="chown" name="tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
----

After setting SELinux enforce to 0, mysqld_safe moves forward and
mysqld triggers an additional AVC when trying to write to the
temporary log file:

time->Wed Apr  5 10:18:43 2017
type=SYSCALL msg=audit(1491387523.055:383): arch=c000003e syscall=2 success=yes exit=3 a0=7f7c3e310be0 a1=441 a2=1b6 a3=7fff4fe65521 items=0 ppid=42281 pid=43128 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1491387523.055:383): avc:  denied  { open } for  pid=43128 comm="mysqld" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file


Version-Release number of selected component (if applicable):
resource-agents-3.9.5-94.el7.x86_64

How reproducible:
Always


Steps to Reproduce:
1. create a galera resource in a pacemaker cluster
2. delete /var/lib/mysql/grastate.dat file on all the nodes of the pacemaker cluster
3. enable the galera resource

Actual results:
resource agent fails to parse output from mariadb, and start of galera cluster fails

Expected results:
galera cluster should start


Additional info:

Comment 2 Damien Ciabrini 2017-04-05 11:59:05 UTC

Although the SELinux settings impacted are probably defined in component openstack-selinux, I filed the bug against RHEL 7.4 because the package which is failing is resource-agent (layered product "OpenStack").

Comment 3 Lukas Vrabec 2017-04-05 12:18:44 UTC

Hi, 

This should be fixed in openstack-selinux package. 
I already created Pull Request on github. 

https://github.com/redhat-openstack/openstack-selinux/pull/9

Thanks,
Lukas.

Comment 4 Lon Hohberger 2017-04-05 13:34:09 UTC

Merged.

Comment 6 Udi Shkalim 2017-05-08 09:13:35 UTC

Verified on openstack-selinux-0.8.6-2.el7ost.noarch

On OSP11 setup:
1. Disable galera resource
2. Deleted the file: /var/lib/mysql/grastate.dat on all controllers
3. Enable the galera resource
4. Check audit log and that galera resource is up.

Comment 7 errata-xmlrpc 2017-05-17 20:18:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245

Note You need to log in before you can comment on or make changes to this bug.