Percona XtraDB Cluster / PXC-2164

sst script doesn't work well with SELinux


    Details

    • Type: Bug
    • Status: Pending Release
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.41, 5.7.23
    • Component/s: None
    • Security Level: Public Bug
    • Labels: None

      Description

      The way the current SST script is written, it is nearly impossible to enable SELinux because the "ss" command in the wait_for_listen function looks at all the running processes. In the SELinux audit log, you have tons of:

      type=AVC msg=audit(1527792830.991:138): avc: denied { getattr } for pid=3683 comm="ss" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=process

      type=SYSCALL msg=audit(1527792830.991:138): arch=c000003e syscall=0 success=yes exit=31 a0=5 a1=17de070 a2=fff a3=63 items=0 ppid=3680 pid=3683 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:mysqld_t:s0 key=(null)

      The attached script respects the "limits" set by SELinux and does not provoke any denied access, allowing a secure configuration of XtraDB Cluster. It works but needs improvements. For example, it currently only looks at processes listening on 0.0.0.0 on IPv4. Support for the SST incoming address and IPv6 is needed.
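      The denials above are the getattr checks that ss performs when it maps socket inodes to process names by walking /proc/<pid> for every process on the host, most of which run in domains other than mysqld_t. An added example (not the script attached to this ticket, and not PXC's own wait_for_listen) of a check that reads only the kernel socket table instead: is_listening, wait_for_listen, the table-file argument and the hex-address filter are hypothetical names, and the /proc/net/tcp content is constructed; it goes beyond the ticket's 0.0.0.0/IPv4 limit by accepting /proc/net/tcp6 and a specific local address.

```shell
#!/bin/sh
# Hypothetical SELinux-friendly listen check (added example, not PXC code).
# `ss -p` resolves socket owners by reading every /proc/<pid>/fd, which
# needs getattr on processes in other domains (syslogd_t, ...) and is
# denied under SELinux. /proc/net/tcp{,6} is readable from mysqld_t and
# already tells us whether the port is in LISTEN state.

# is_listening PORT [TABLE] [HEXADDR]
#   PORT    decimal port to look for
#   TABLE   socket table, default /proc/net/tcp (use /proc/net/tcp6 for IPv6)
#   HEXADDR optional local address as written in the table, e.g.
#           00000000 for 0.0.0.0 or 0100007F for 127.0.0.1; empty = any
# Returns 0 if a LISTEN (state 0A) socket matches, 1 otherwise.
is_listening() {
    port_hex=$(printf '%04X' "$1")
    table=${2:-/proc/net/tcp}
    addr=${3:-}
    # Columns: sl local_address rem_address st ...; NR>1 skips the header.
    awk -v p="$port_hex" -v a="$addr" '
        NR > 1 {
            split($2, la, ":")
            if (la[2] == p && $4 == "0A" && (a == "" || la[1] == a)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$table"
}

# wait_for_listen PORT [TIMEOUT_SECONDS] [TABLE]: poll once per second.
wait_for_listen() {
    port=$1; timeout=${2:-30}; table=${3:-/proc/net/tcp}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        is_listening "$port" "$table" && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Constructed sample of /proc/net/tcp: a listener on 0.0.0.0:4444 (0x115C)
# and an established connection on 127.0.0.1:3306 (0x0CEA).
SAMPLE_TABLE=$(mktemp)
cat > "$SAMPLE_TABLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000   997        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000   997        0 12346 1 0000000000000000 20 4 30 10 -1
EOF
```

Run is_listening against the live /proc/net/tcp under enforcing mode and the AVC log stays quiet, because the only object touched is the caller's own network namespace proc file.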


            People

            • Assignee: Kenn Takara (kenn.takara)
            • Reporter: Yves Trudeau (yves@percona.com)
            • Votes: 0
            • Watchers: 2


            Time Tracking

            • Estimated: Not Specified
            • Remaining: 0m
            • Logged: 2d 2h