Description of problem:
In [1] we recently modified the galera resource agent to make it work with the latest mariadb 10.1.18+ used by RDO. From this version onwards, information regarding galera state has to be retrieved from a mariadb log file.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1391470

The resource agent no longer cats the output of mariadb into a temporary file for further parsing. Rather, it passes this temporary file directly to mysqld_safe. Unfortunately, current SELinux rules prevent mysqld_safe or mysqld from reading/writing this file, and the galera resource agent fails to retrieve the galera state.

mysqld_safe unconditionally touches/chowns the temporary log file it's being passed:

time->Wed Apr 5 10:18:41 2017
type=SYSCALL msg=audit(1491387521.002:381): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc4b686bbf a1=941 a2=1b6 a3=7ffc4b685600 items=0 ppid=42281 pid=43048 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1491387521.002:381): avc: denied { open } for pid=43048 comm="touch" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
----
time->Wed Apr 5 10:18:41 2017
type=SYSCALL msg=audit(1491387521.003:382): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=8f24d0 a2=1b a3=ffffffff items=0 ppid=42281 pid=43049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=AVC msg=audit(1491387521.003:382): avc: denied { setattr } for pid=43049 comm="chown" name="tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
----

After setting SELinux enforce to 0, mysqld_safe moves forward and mysqld triggers an additional AVC when trying to write to the temporary log file:

time->Wed Apr 5 10:18:43 2017
type=SYSCALL msg=audit(1491387523.055:383): arch=c000003e syscall=2 success=yes exit=3 a0=7f7c3e310be0 a1=441 a2=1b6 a3=7fff4fe65521 items=0 ppid=42281 pid=43128 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1491387523.055:383): avc: denied { open } for pid=43128 comm="mysqld" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file

Version-Release number of selected component (if applicable):
resource-agents-3.9.5-94.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. create a galera resource in a pacemaker cluster
2. delete the /var/lib/mysql/grastate.dat file on all the nodes of the pacemaker cluster
3. enable the galera resource

Actual results:
resource agent fails to parse output from mariadb, and start of galera cluster fails

Expected results:
galera cluster should start

Additional info:
Although the SELinux settings impacted are probably defined in component openstack-selinux, I filed the bug against RHEL 7.4 because the package which is failing is resource-agent (layered product "OpenStack").
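The AVC records quoted in the description are the whole evidence for this bug: three denials, two from the mysqld_safe_t domain (touch and chown) and one from mysqld_t, all against a file labelled cluster_tmp_t. The following script is an added example, not code from this bug report, from resource-agents or from openstack-selinux. It parses audit records of the form shown above, groups the denied permissions by (source type, target type, object class), and renders each group as a Type Enforcement allow rule of the kind audit2allow would print, so a maintainer can see at a glance which domains need which permissions on which label. The sample log is a constructed copy of the records quoted in this report; the function and variable names are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

# Constructed sample: the AVC records quoted in this bug report, one record per
# line, plus one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1491387521.002:381): avc: denied { open } for pid=43048 comm="touch" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
type=AVC msg=audit(1491387521.003:382): avc: denied { setattr } for pid=43049 comm="chown" name="tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1491387523.055:383): arch=c000003e syscall=2 success=yes exit=3 a0=7f7c3e310be0 a1=441 a2=1b6 a3=7fff4fe65521 items=0 ppid=42281 pid=43128 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1491387523.055:383): avc: denied { open } for pid=43128 comm="mysqld" path="/tmp/tmp.1aKr7oHFdm" dev="vda2" ino=8410499 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cluster_tmp_t:s0 tclass=file
"""

# "avc: denied { open setattr }" -> verdict plus the space-separated permission list
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value or key="quoted value" pairs that follow the verdict
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


class AvcRecord(NamedTuple):
    result: str
    perms: FrozenSet[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    target: str  # path= when the kernel had one, else name=


def _ctx_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc_records(text: str) -> List[AvcRecord]:
    """Extract every AVC verdict from raw audit.log text; other record types are ignored."""
    records: List[AvcRecord] = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        records.append(AvcRecord(
            result=m.group("result"),
            perms=frozenset(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            target=fields.get("path") or fields.get("name") or "?",
        ))
    return records


def summarize_denials(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Union the denied permissions per (source type, target type, object class)."""
    summary: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for r in records:
        if r.result != "denied":
            continue
        summary[(_ctx_type(r.scontext), _ctx_type(r.tcontext), r.tclass)] |= r.perms
    return dict(summary)


def render_allow_rules(summary: Dict[Tuple[str, str, str], Set[str]]) -> List[str]:
    """Render each denial group as a Type Enforcement allow rule (the form audit2allow emits)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


def domains_touching(summary: Dict[Tuple[str, str, str], Set[str]], target_type: str) -> List[str]:
    """List the source domains that were denied something on objects of target_type."""
    return sorted({src for (src, tgt, _cls) in summary if tgt == target_type})


if __name__ == "__main__":
    denials = summarize_denials(parse_avc_records(SAMPLE_AUDIT_LOG))
    for rule in render_allow_rules(denials):
        print(rule)
    print("domains hitting cluster_tmp_t:", domains_touching(denials, "cluster_tmp_t"))
```

Run against the sample, the script prints one rule for mysqld_safe_t (open and setattr on cluster_tmp_t files) and one for mysqld_t (open), which matches the two-stage failure the reporter saw: the first denial stops mysqld_safe outright, and only once SELinux is permissive does the mysqld denial surface. Rendered rules are a summary of what was denied, not a finished policy; the actual fix went into openstack-selinux via the pull request linked in the next comment.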
Hi,
This should be fixed in the openstack-selinux package. I already created a Pull Request on GitHub.
https://github.com/redhat-openstack/openstack-selinux/pull/9
Thanks,
Lukas.
Merged.
Verified on openstack-selinux-0.8.6-2.el7ost.noarch

On OSP11 setup:
1. Disable galera resource
2. Deleted the file: /var/lib/mysql/grastate.dat on all controllers
3. Enable the galera resource
4. Check audit log and that galera resource is up.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1245