Hi!

I'm looking for an SELinux policy for MariaDB/Galera. I'd like to use 
MariaDB/Galera with enforcing targeted SELinux.

I googled a lot. No real solution showed up. The most helpful page was

https://groups.google.com/forum/#!topic/percona-discussion/beyXK3U0ySo/discussion

which solves part of the problem.

Currently I am trying to allow SST via rsync. /usr/bin/wsrep_sst_rsync executes ps 
and netstat, producing a lot of AVC denials, e.g.

----
time->Wed May 14 10:30:23 2014
type=SYSCALL msg=audit(1400056223.334:70): arch=c000003e syscall=4 success=yes exit=0 a0=17081b0 a1=7f9811231ca0 a2=7f9811231ca0 a3=17081b6 items=0 ppid=1678 pid=1704 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.334:70): avc:  denied  { getattr } for  pid=1704 comm="ps" path="/proc/844" dev=proc ino=10578 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
----
time->Wed May 14 10:30:23 2014
type=SYSCALL msg=audit(1400056223.337:75): arch=c000003e syscall=2 success=yes exit=12 a0=7f9811231840 a1=0 a2=0 a3=0 items=0 ppid=1678 pid=1704 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.337:75): avc:  denied  { open } for  pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc:  denied  { read } for  pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc:  denied  { search } for  pid=1704 comm="ps" name="1230" dev=proc ino=12150 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir

audit2allow doesn't help in this case. The target domain isn't "fixed". It 
depends on the processes running.

"netstat -lnpt" executed by /usr/bin/wsrep_sst_rsync has the problem.

How could I write an SELinux policy to allow access for ps and netstat?

Is there an "official" policy? Even RHEL 7 doesn't have support for Galera (but 
improves the mysql policy for MariaDB a bit).

        Best regards
                Franz
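As an added example that is not part of Franz's post and not a policy shipped by any distribution: a local policy module that answers the "target domain isn't fixed" problem by granting mysqld_t read access on the `domain` attribute, which every process type (initrc_t, restorecond_t, ...) carries, instead of on one type per denial. The module name is made up; `kernel_read_network_state` is the refpolicy interface for /proc/net and should be checked against your distribution's policy sources, as should whether `domain_read_all_domains_state(mysqld_t)` is available as a ready-made equivalent of the raw allow rules.

```selinux
# mysqld_galera_sst.te -- hypothetical local module, not a vendor policy.
policy_module(mysqld_galera_sst, 1.0)

require {
    type mysqld_t;
    attribute domain;
}

########################################
# ps, run by wsrep_sst_rsync inside mysqld_t, stat()s /proc/<pid> and
# reads /proc/<pid>/{stat,status,cmdline} of every process. The process
# entries in /proc are labelled with the domain of the process they
# belong to, so the tcontext varies per process; 'domain' covers them all.
allow mysqld_t domain:dir { getattr search read };
allow mysqld_t domain:file { getattr open read };

########################################
# netstat -lnpt: the socket tables live in /proc/net (proc_net_t), and
# -p resolves socket inodes to pids by reading the /proc/<pid>/fd/*
# symlinks, which again carry the owning process's domain.
kernel_read_network_state(mysqld_t)
allow mysqld_t domain:lnk_file read;

# Build and load (needs selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile mysqld_galera_sst.pp
#   semodule -i mysqld_galera_sst.pp
```

This is deliberately read-only and touches no write, ptrace or signal permissions; after loading it, re-run the SST in permissive mode for mysqld_t (`semanage permissive -a mysqld_t`) and check `ausearch -m avc -c ps -c netstat` for anything still denied before going back to enforcing.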

_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp
