Bug 1439182 - AVC due to galera resource agent makes galera bootstrap fail
Summary: AVC due to galera resource agent makes galera bootstrap fail
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 11.0 (Ocata)
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
Depends On:
TreeView+ depends on / blocked
Reported: 2017-04-05 11:48 UTC by Damien Ciabrini
Modified: 2017-05-17 20:18 UTC (History)
13 users (show)

Fixed In Version: openstack-selinux-0.8.5-6.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-05-17 20:18:10 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1245 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory 2017-05-17 23:01:50 UTC

Description Damien Ciabrini 2017-04-05 11:48:24 UTC
Description of problem:

In [1] we recently modified the galera resource agent to make it work
with latest mariadb 10.1.18+ used by RDO. From this version onwards,
information regarding galera state has to be retrieved from a mariadb
log file.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1391470

The resource agents no longer cats the output of mariadb into a
temporary file for further parsing. Rather, it passes this temporary
file directly to mysqld_safe. Unfortunately, current SELinux rules
prevent mysqld_safe or mysqld to read/write from/to this file and the
galera resource agent fails to retrieve the galera state.

mysqld_safe unconditionally touch/chown the temporary log file it's being

time->Wed Apr  5 10:18:41 2017
type=SYSCALL msg=audit(1491387521.002:381): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc4b686bbf a1=941 a2=1b6 a3=7ffc4b685600 items=0 ppid=42281 pid=43048 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1491387521.002:381): avc:  denied  { open } for  pid=43048 comm="touch" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
time->Wed Apr  5 10:18:41 2017
type=SYSCALL msg=audit(1491387521.003:382): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=8f24d0 a2=1b a3=ffffffff items=0 ppid=42281 pid=43049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1491387521.003:382): avc:  denied  { setattr } for  pid=43049 comm="chown" name="tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file

After setting SELinux enforce to 0, mysqld_safe moves forward and
mysqld triggers an additional AVC when trying to write to the
temporary log file:

time->Wed Apr  5 10:18:43 2017
type=SYSCALL msg=audit(1491387523.055:383): arch=c000003e syscall=2 success=yes exit=3 a0=7f7c3e310be0 a1=441 a2=1b6 a3=7fff4fe65521 items=0 ppid=42281 pid=43128 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1491387523.055:383): avc:  denied  { open } for  pid=43128 comm="mysqld" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create a galera resource in a pacemaker cluster
2. delete /var/lib/mysql/grastate.dat file on all the nodes of the pacemaker cluster
3. enable the galera resource

Actual results:
resource agent fails to parse output from mariadb, and start of galera cluster fails

Expected results:
galera cluster should start

Additional info:

Comment 2 Damien Ciabrini 2017-04-05 11:59:05 UTC
Although the SELinux settings impacted are probably defined in component openstack-selinux, I filed the bug against RHEL 7.4 because the package which is failing is resource-agent (layered product "OpenStack").

Comment 3 Lukas Vrabec 2017-04-05 12:18:44 UTC

This should be fixed in openstack-selinux package. 
I already created Pull Request on github. 



Comment 4 Lon Hohberger 2017-04-05 13:34:09 UTC

Comment 6 Udi Shkalim 2017-05-08 09:13:35 UTC
Verified on openstack-selinux-0.8.6-2.el7ost.noarch

On OSP11 setup:
1. Disable galera resource
2. Deleted the file: /var/lib/mysql/grastate.dat on all controllers
3. Enable the galera resource
4. Check audit log and that galera resource is up.

Comment 7 errata-xmlrpc 2017-05-17 20:18:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.