SELinux Access Rules

I used rejections logged by auditd to create a “Type Enforcement” targeted policy so that an XtraDB Cluster node can be started completely from scratch. It does assume that correct context is already set for /etc/mysql/ and /var/lib/mysql/. I have not yet checked if it works well enough for day to day maintenance and backup utilities, but it does let mysqld start and complete the xtrabackup method of doing the initial sync. The only AVC violations logged are those done at the end of the xtrabackup process on the JOINER node when some script is apparently trying to run a ‘ps’ command and access to /proc/$PID is blocked to the mysqld entity. No AVC violations are logged on the DONOR node. Startup into a sync’d cluster also results in no AVC violations being logged.

I have not tried rsync or mysqldump sst methods, some adjustments or additions to the access rules might likely be required for those methods.

There is one manual command required. It adds the default gcomm port to the standard ports mysqld is allowed to bind to:
semanage port -a -t mysqld_port_t -p tcp 4567

I didn’t try to figure out how to add the above port definition to the auto-generated type enforcement rules. In reality, that command would be better used to create a new port named mysqld_galera_t or similar, but I didn’t study long enough to figure out how to do so. If you do make that change, then that change would also have to be reflected in the access rules.

Attachments:

  1. mysqldxtradb.te - The type enforcement rules which specifically allow things that mysqld needs to be able to execute/access.
  2. mysqldxtradb.pp - The compiled module to be inserted with ‘semodule -i /path/to/mysqldxtradb.pp’

If anybody requests, I can also post the logged AVC lines which I used to generate this type enforcement access list (using audit2allow). I do not claim these to be the best module rules, because they open up access to many generic/powerful commands and directories for the mysqld daemon that it was prevented from using with just the stock mysqld SELinux module. Adjustments/enhancements are welcome and encouraged, though an accompanying explanation of the adjustment/enhancement is also strongly encouraged.

To Percona, if this works for you, feel free to use any or all of this in your rpms (i.e. make a Percona-XtraDB-Cluster-server-selinux package which loads the correct items).
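As an added example (not part of the post above or its attachments), the following POSIX shell functions summarise auditd AVC denials by (source type, target type, class, permission) before they are fed to audit2allow, and single out tcp_socket name_bind denials, which are better fixed by labelling the port with semanage (as the post does for 4567) than by the blanket allow rule audit2allow would generate. The AVC lines are constructed samples modelled on the denials the post describes (mysqld reading /proc, binding port 4567, and ps inspecting /proc/$PID); the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample AVC records (not the poster's real denials); format follows
# what auditd writes and what `ausearch -m AVC -c mysqld` would return.
SAMPLE_AVC='type=AVC msg=audit(1400000000.100:101): avc:  denied  { read } for  pid=1234 comm="mysqld" name="meminfo" dev="proc" ino=4026532029 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1400000000.200:102): avc:  denied  { name_bind } for  pid=1234 comm="mysqld" src=4567 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1400000000.300:103): avc:  denied  { getattr } for  pid=1300 comm="ps" path="/proc/1234" dev="proc" ino=11 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir permissive=0'

# summarize_avc TEXT
# Prints "COUNT SRC_TYPE TGT_TYPE CLASS PERMS" per distinct denial tuple,
# most frequent first. Each line corresponds to one allow rule that
# audit2allow would emit, so this is the list to review before `semodule -i`.
summarize_avc() {
  printf '%s\n' "$1" |
  sed -n 's/.*denied  *{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
  sort | uniq -c | sort -rn
}

# port_bind_denials TEXT
# Prints the target port type of every tcp_socket name_bind denial. For these,
# `semanage port -a -t mysqld_port_t -p tcp <port>` is the narrower fix: an
# allow rule on e.g. unreserved_port_t would let mysqld bind any such port.
port_bind_denials() {
  summarize_avc "$1" | awk '$4 == "tcp_socket" && $5 == "name_bind" { print $3 }'
}

summarize_avc "$SAMPLE_AVC"
```

On a real node, replace the constructed text with the output of `ausearch -m AVC -c mysqld` and compare the summary against the rules in the generated .te file before loading it.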