Details
- Type: Bug
- Status: Done
- Priority: High
- Resolution: Fixed
- Fix Version: 8.0.23-16 (Q1 2021)
- None
- None
- Yes
Description
Prerequisites: CentOS 8 setup created using Vagrant.
Installed the MySQL 8.0.23 and PXB 8.0.23-16 packages and created some data in the MySQL server.
Install the SELinux policy tools package:
sudo yum install -y policycoreutils-python-utils
Download xtrabackup.fc and xtrabackup.te file from github: https://github.com/percona/percona-xtrabackup/tree/8.0/packaging/percona/selinx
Compile the policy module:
make -f /usr/share/selinux/devel/Makefile xtrabackup.pp
Install the module:
sudo semodule -i xtrabackup.pp
Tag the PXB binaries with the proper SELinux file contexts, such as xtrabackup_exec_t:
sudo restorecon -v /usr/bin/*
Check the labels on the xtrabackup binaries:
ls -Z /usr/bin | grep xtrabackup
system_u:object_r:xtrabackup_exec_t:s0 xbcloud
system_u:object_r:xtrabackup_exec_t:s0 xbcrypt
system_u:object_r:xtrabackup_exec_t:s0 xbstream
system_u:object_r:xtrabackup_exec_t:s0 xtrabackup
Set SELinux to enforcing mode and confirm it:
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
Take a backup and stream it to AWS S3 with xbcloud:
sudo xtrabackup --user=root --password='Secret' --backup --target-dir=$HOME/dbbackup_PS8 --stream=xbstream 2>full_backup_$(date +"%d_%m_%Y")_log \
  | xbcloud put --storage=s3 --s3-endpoint='https://endpointurl' --s3-access-key='abc' --s3-secret-key='abc' --s3-bucket='abc' --parallel=10 --verbose full_backup_$(date +"%d_%m_%Y") 2>upload_full_backup_$(date +"%d_%m_%Y")_log
xbcloud fails to upload the backup and reports:
error: http request failed: Couldn't resolve host name
210318 07:57:26 xbcloud: Probe failed. Please check your credentials and endpoint settings.
Audit logs:
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.856:3442): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D414B4941525850334F41524244534E5756553552002D2D73332D7365637265742D6B65793D4552745758324B66634255
type=SYSCALL msg=audit(1616053968.856:3442): arch=c000003e syscall=41 success=no exit=-13 a0=a a1=2 a2=0 a3=12 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.856:3442): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=udp_socket permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.856:3443): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D414B4941525850334F41524244534E5756553552002D2D73332D7365637265742D6B65793D4552745758324B66634255
type=SYSCALL msg=audit(1616053968.856:3443): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=1 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.856:3443): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.856:3444): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.856:3444): arch=c000003e syscall=4 success=no exit=-13 a0=7f11c6e5b43a a1=7f11c3d5a390 a2=7f11c3d5a390 a3=7f11bc0008d0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.856:3444): avc: denied { getattr } for pid=21409 comm="xbcloud" path="/etc/resolv.conf" dev="dm-0" ino=67542935 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.856:3445): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.856:3445): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f11c6e5b43a a2=80000 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.856:3445): avc: denied { read } for pid=21409 comm="xbcloud" name="resolv.conf" dev="dm-0" ino=67542935 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.856:3446): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.856:3446): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f11c3350d94 a2=80000 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.856:3446): avc: denied { read } for pid=21409 comm="xbcloud" name="hosts" dev="dm-0" ino=67635269 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.867:3447): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.867:3447): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80802 a2=0 a3=7f11bc0008d0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.867:3447): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=udp_socket permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.873:3451): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.873:3451): arch=c000003e syscall=4 success=no exit=-13 a0=7f11c6e5b43a a1=7f11c3d5a390 a2=7f11c3d5a390 a3=1 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.873:3451): avc: denied { getattr } for pid=21409 comm="xbcloud" path="/etc/resolv.conf" dev="dm-0" ino=67542935 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.873:3452): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.873:3452): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f11c3350d94 a2=80000 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.873:3452): avc: denied { read } for pid=21409 comm="xbcloud" name="hosts" dev="dm-0" ino=67635269 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.873:3453): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.873:3453): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80802 a2=0 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.873:3453): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=udp_socket permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.879:3455): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.879:3455): arch=c000003e syscall=4 success=no exit=-13 a0=7f11c6e5b43a a1=7f11c3d5a390 a2=7f11c3d5a390 a3=1 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.879:3455): avc: denied { getattr } for pid=21409 comm="xbcloud" path="/etc/resolv.conf" dev="dm-0" ino=67542935 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.879:3456): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.879:3456): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f11c3350d94 a2=80000 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.879:3456): avc: denied { read } for pid=21409 comm="xbcloud" name="hosts" dev="dm-0" ino=67635269 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.879:3457): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.879:3457): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80802 a2=0 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.879:3457): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=udp_socket permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.883:3464): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.883:3464): arch=c000003e syscall=4 success=no exit=-13 a0=7f11c6e5b43a a1=7f11c3d5a390 a2=7f11c3d5a390 a3=1 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.883:3464): avc: denied { getattr } for pid=21409 comm="xbcloud" path="/etc/resolv.conf" dev="dm-0" ino=67542935 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.883:3465): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.883:3465): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f11c3350d94 a2=80000 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.883:3465): avc: denied { read } for pid=21409 comm="xbcloud" name="hosts" dev="dm-0" ino=67635269 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.883:3466): proctitle=7862636C6F756400707574002D2D73746F726167653D7333002D2D73332D656E64706F696E743D68747470733A2F2F73332E616D617A6F6E6177732E636F6D002D2D73332D6163636573732D6B65793D0000000000000000000000000000000000000000002D2D73332D7365637265742D6B65793D
type=SYSCALL msg=audit(1616053968.883:3466): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80802 a2=0 a3=0 items=0 ppid=20105 pid=21409 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=18 comm="xbcloud" exe="/usr/bin/xbcloud" subj=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1616053968.883:3466): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=udp_socket permissive=0
xbcloud needs access to a number of resources that the shipped SELinux policy for xtrabackup_t does not grant: the name-resolution files labelled net_conf_t (/etc/resolv.conf and /etc/hosts) and the UDP and Unix datagram sockets used for DNS lookups. Every denial above is for one of those, which is why the probe fails with "Couldn't resolve host name" as soon as the policy is enforced.
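The denials above are what a policy author has to turn into allow rules, and the same records are worth a second look for what they leak: the PROCTITLE field stores the full xbcloud command line hex-encoded, so credentials passed as --s3-access-key and --s3-secret-key land in the audit log. The script below is an added example (not from this report, not Percona's code) that parses records in the key=value form ausearch prints, folds the distinct AVC denials into audit2allow-style allow statements (a starting point, not the policy Percona shipped), and decodes the PROCTITLE argv with credential values masked before the line is forwarded anywhere. The sample records are trimmed from this report except for the PROCTITLE hex, which is constructed around the placeholders EXAMPLEKEY and EXAMPLESECRET; the function names are the example's own.

```python
"""Triage SELinux AVC denials for a confined tool (xbcloud here).

Added example for this bug report, not Percona's code. It assumes the
key=value record format that `ausearch` prints (records separated by
'----'); the allow rules it derives are the audit2allow-style skeleton
a policy author would start from, not the policy Percona shipped.
"""
import re
from collections import defaultdict

# Constructed sample: AVC lines trimmed from the audit output in this report,
# plus one PROCTITLE record whose credential values are placeholders.
SAMPLE_AUDIT = """\
----
time->Thu Mar 18 07:52:48 2021
type=PROCTITLE msg=audit(1616053968.856:3442): proctitle=7862636c6f756400707574002d2d73746f726167653d7333002d2d73332d6163636573732d6b65793d4558414d504c454b4559002d2d73332d7365637265742d6b65793d4558414d504c45534543524554
type=AVC msg=audit(1616053968.856:3442): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=udp_socket permissive=0
----
type=AVC msg=audit(1616053968.856:3443): avc: denied { create } for pid=21409 comm="xbcloud" scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
----
type=AVC msg=audit(1616053968.856:3444): avc: denied { getattr } for pid=21409 comm="xbcloud" path="/etc/resolv.conf" dev="dm-0" ino=67542935 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1616053968.856:3445): avc: denied { read } for pid=21409 comm="xbcloud" name="resolv.conf" dev="dm-0" ino=67542935 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1616053968.856:3446): avc: denied { read } for pid=21409 comm="xbcloud" name="hosts" dev="dm-0" ino=67635269 scontext=unconfined_u:unconfined_r:xtrabackup_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
PROCTITLE_RE = re.compile(r'type=PROCTITLE .*?proctitle=(?P<hex>[0-9A-Fa-f]+)')
# Option names whose values are credentials when they appear on a command line.
SECRET_OPTS = ('--s3-access-key=', '--s3-secret-key=', '--password=')


def context_type(ctx):
    """user:role:type[:range] -> type (third field of an SELinux context)."""
    return ctx.split(':')[2]


def parse_denials(text):
    """Set of (source_type, target, tclass, permission) from every AVC record."""
    denials = set()
    for m in AVC_RE.finditer(text):
        src = context_type(m['scontext'])
        # audit2allow writes 'self' when a domain is denied access to its own objects
        target = 'self' if m['scontext'] == m['tcontext'] else context_type(m['tcontext'])
        for perm in m['perms'].split():
            denials.add((src, target, m['tclass'], perm))
    return denials


def allow_rules(denials):
    """Fold permissions per (source, target, class) into TE allow statements."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in denials:
        grouped[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules


def decode_proctitle(text):
    """PROCTITLE stores argv hex-encoded with NUL separators; return it as a list."""
    m = PROCTITLE_RE.search(text)
    if not m:
        return []
    return [a.decode('utf-8', 'replace') for a in bytes.fromhex(m['hex']).split(b'\x00')]


def redact_argv(argv):
    """Mask option values that carry credentials before the record is forwarded."""
    return [a.split('=', 1)[0] + '=***' if a.startswith(SECRET_OPTS) else a for a in argv]


if __name__ == '__main__':
    denials = parse_denials(SAMPLE_AUDIT)
    print(f'{len(denials)} distinct denials for {sorted({d[0] for d in denials})}')
    for rule in allow_rules(denials):
        print(rule)
    print('command line:', ' '.join(redact_argv(decode_proctitle(SAMPLE_AUDIT))))
```

Run against the sample it prints three rules: file getattr/read on net_conf_t, and udp_socket and unix_dgram_socket create on self, which is exactly the resolver access the conclusion above describes. The redacted command line shows why the later records in this report have the key bytes zeroed out; passing credentials through the tool's configuration rather than argv avoids having to scrub audit logs after the fact.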