
ProxySQL 1.4.12 RHEL7 package: Logrotate + SELinux Issue

bitone Entrant Current User Role Novice
Hi everyone!

We're using the RHEL 7 ProxySQL package from Percona repository to connect to our XtraDB cluster nodes.

Everything works fine except for the log file rotation. After doing some research I realized that SELinux denies the 'mysql' command line tool access to port 6032.

These lines are used as 'postrotate' command in the logrotate configuration:
. /etc/proxysql-admin.cnf
/usr/bin/printf "%s\n" "[client]" "user=${PROXYSQL_USERNAME}"  "password=${PROXYSQL_PASSWORD}"  "host=${PROXYSQL_HOSTNAME}" "port=${PROXYSQL_PORT}"   | /usr/bin/mysql --defaults-file=/dev/stdin --protocol=tcp -Nse "PROXYSQL FLUSH LOGS"

I wonder why no one else has this issue - I couldn't find any similar report.

IMHO the RHEL package should also install a SELinux module to allow accessing the needed port. Or registering the port with SELinux... I'm not sure which is the preferred way with SELinux - I'm a newbie in this territory.

Best regards

Comments

  • lorraine.pocklington Percona Community Manager Legacy User Role Patron
    Hi, thanks for your question. Can I check that you saw this documentation? Low down there's some specific advice for SELinux
    https://www.percona.com/doc/percona-xtradb-cluster/LATEST/install/yum.html

    Also here: https://www.percona.com/doc/percona-xtradb-cluster/LATEST/security/index.html

    In this blog, too, there is some specific advice on ports: https://www.percona.com/blog/2018/06/21/enforcing-selinux-with-percona-xtradb-cluster/

    If none of these help, don't hesitate to say and I'll ask one of the team to look in. Thanks!
  • bitone Entrant Current User Role Novice
    Thanks for your reply!

    The last link tells more or less what I did in the end... I compiled a module of my own to define a port and allow logrotate to access it. But I expected from a RHEL package that it would work right away.

    Enabling permissive mode is not really a solution IMHO...

    Here is the content of the module I wrote:
    # Policy module name and version
    module logrotate_proxysql 1.0;

    require {
            type logrotate_t;                 # domain logrotate (and its postrotate commands) runs in
            class tcp_socket name_connect;    # permission checked when connecting to a labelled port
            attribute port_type;
    };

    # A dedicated port type; the port number is bound to it separately with 'semanage port'
    type admin_proxysql_port_t, port_type;

    # Allow the logrotate domain to connect to that port type only
    allow logrotate_t admin_proxysql_port_t:tcp_socket name_connect;


    Thanks.
  • bitone Entrant Current User Role Novice
    What was wrong with my answer that it was not published? Is this some kind of censorship?
  • lorraine.pocklington Percona Community Manager Legacy User Role Patron
    Nope, there is no censorship on this Forum.

    As a new member, because we get a lot of spam from bots, your answers are moderated initially, and the Forum is moderated generally from Monday to Friday.

    Thanks for sharing how you fixed your code, glad you got it working.
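To show the diagnosis step behind bitone's fix, here is an added Python example (not code from the post, the ProxySQL package or Percona) that picks the logrotate_t name_connect denial for tcp/6032 out of constructed audit.log lines, emits a TE module in the same shape as the one above with its dedicated port type, and lists the build, load and 'semanage port' steps that the .te file alone does not perform. The audit line format and all sample values are assumptions.

```python
import re
# Constructed sample audit.log lines (not from the post): the denial hit by the
# postrotate 'mysql' client in logrotate's domain, plus one unrelated denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1561000000.123:101): avc:  denied  { name_connect } for  pid=2345 comm="mysql" dest=6032 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1561000000.200:102): avc:  denied  { read } for  pid=2346 comm="cat" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')

def parse_avc(line):
    """Return the interesting fields of one AVC denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    ctx_type = lambda c: c.split(':')[2]  # user:role:type:level -> type
    return {'perms': m.group(1).split(),
            'comm': fields.get('comm', '').strip('"'),
            'dest': int(fields['dest']) if 'dest' in fields else None,
            'sdomain': ctx_type(fields['scontext']),
            'ttype': ctx_type(fields['tcontext']),
            'tclass': fields['tclass']}

def find_port_denials(audit_text, domain='logrotate_t', port=6032):
    """Only tcp name_connect denials from `domain` to `port` (ProxySQL admin)."""
    hits = []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if (d and d['tclass'] == 'tcp_socket' and 'name_connect' in d['perms']
                and d['sdomain'] == domain and d['dest'] == port):
            hits.append(d)
    return hits

def policy_for(domain, port_type):
    """TE source in the shape of bitone's module: a dedicated port type plus one
    allow rule, instead of opening unreserved_port_t or going permissive."""
    return (f"module logrotate_proxysql 1.0;\n\nrequire {{\n\ttype {domain};\n"
            f"\tclass tcp_socket name_connect;\n\tattribute port_type;\n}};\n\n"
            f"type {port_type}, port_type;\n\n"
            f"allow {domain} {port_type}:tcp_socket name_connect;\n")

def install_commands(port_type, port):
    """Build and load the module, then bind the port number to the new type
    (the .te file alone does not do that)."""
    return ["checkmodule -M -m -o logrotate_proxysql.mod logrotate_proxysql.te",
            "semodule_package -o logrotate_proxysql.pp -m logrotate_proxysql.mod",
            "semodule -i logrotate_proxysql.pp",
            f"semanage port -a -t {port_type} -p tcp {port}"]
```

On a real host, feed find_port_denials() the output of `ausearch -m avc -ts recent` instead of SAMPLE_AUDIT and check the generated rule against sesearch before loading it.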

Copyright ©2005 - 2020 Percona LLC. All rights reserved.