Percona XtraDB Cluster / PXC-2164

sst script doesn't work well with SELinux


    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.41-28.28, 5.7.23-31.31
    • Component/s: None
    • Labels: None

      Description

      The way the current SST script is written, it is nearly impossible to enable SELinux, because the "ss" command in the wait_for_listen function looks at all the running processes. The SELinux audit log fills up with entries like:

      type=AVC msg=audit(1527792830.991:138): avc: denied { getattr } for pid=3683 comm="ss" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=process

      type=SYSCALL msg=audit(1527792830.991:138): arch=c000003e syscall=0 success=yes exit=31 a0=5 a1=17de070 a2=fff a3=63 items=0 ppid=3680 pid=3683 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:mysqld_t:s0 key=(null)

      The attached script respects the limits set by SELinux and does not provoke any denied access, allowing a secure configuration of XtraDB Cluster. It works but needs improvements. For example, it currently only looks at processes listening on 0.0.0.0 over IPv4. Support for the SST incoming address and for IPv6 is needed.
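      As an added example (not the script attached to this ticket), the following wait_for_listen avoids the getattr denials by reading the kernel socket tables instead of asking "ss" to map sockets to processes, and it covers the two gaps named above: an explicit SST incoming IPv4 address and IPv6 listeners. The port and address values in the comments are constructed, and the /proc/net/tcp column layout is assumed as documented in proc(5).

```shell
#!/bin/sh
# Added example, not the script attached to PXC-2164: a wait_for_listen that
# never inspects other processes. "ss" with process lookup must getattr every
# process on the host, which is what produces the AVC denials under mysqld_t;
# reading the kernel socket tables /proc/net/tcp and /proc/net/tcp6 does not.

# Dotted-quad IPv4 address to the little-endian hex used in /proc/net/tcp
# (127.0.0.1 becomes 0100007F). Layout as documented in proc(5).
ipv4_to_proc_hex() {
    local IFS=.
    set -- $1
    printf '%02X%02X%02X%02X' "$4" "$3" "$2" "$1"
}

# port_listening_in_table FILE PORT [ADDR_HEX]
# Succeeds when FILE (in /proc/net/tcp format) holds a socket in state 0A
# (LISTEN) on PORT, bound to the wildcard address or to ADDR_HEX.
port_listening_in_table() {
    local file="$1" hexport addr="${3:-}"
    hexport=$(printf '%04X' "$2")
    awk -v p="$hexport" -v a="$addr" '
        NR > 1 && $4 == "0A" {
            split($2, la, ":")
            if (la[2] != p) next
            # a wildcard bind is all zeros (8 hex digits for v4, 32 for v6)
            if (a == "" || la[1] == a || la[1] ~ /^0+$/) found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# wait_for_listen PORT [ADDR] [TIMEOUT_SECONDS]
# ADDR is the SST incoming IPv4 address; omit it to accept any bound address.
# IPv6 listeners are matched on port only.
wait_for_listen() {
    local port="$1" addr="${2:-}" timeout="${3:-60}" addr_hex="" i=0
    [ -n "$addr" ] && addr_hex=$(ipv4_to_proc_hex "$addr")
    while [ "$i" -lt "$timeout" ]; do
        if port_listening_in_table /proc/net/tcp "$port" "$addr_hex" ||
           port_listening_in_table /proc/net/tcp6 "$port"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}
```

      Because only /proc/net/tcp* is read, the script needs no permission on other processes' /proc entries, so the mysqld_t domain stays within its existing policy.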

      People

      • Assignee: Kenn Takara (kenn.takara)
      • Reporter: Yves Trudeau (yves@percona.com)
      • Votes: 0
      • Watchers: 2


      Time Tracking

      • Estimated: Not Specified
      • Remaining: 0m
      • Logged: 2d 2h