Configuring SELinux for Galera cluster

Setting up a MariaDB Galera cluster can easily become tedious if it is being set up on a Linux system with SELinux enabled. With SELinux enforcing, the node fails to open its group communication port and mysqld aborts with errors like these:

140805 16:16:20 [Note] WSREP: gcomm: connecting to group 'my_wsrep_cluster', peer ''
140805 16:16:20 [ERROR] WSREP: Permission denied
140805 16:16:20 [ERROR] WSREP: failed to open gcomm backend connection: 13: error while trying to listen 'tcp://0.0.0.0:4567?socket.non_blocking=1', asio error 'Permission denied': 13 (Permission denied)
         at gcomm/src/asio_tcp.cpp:listen():814
140805 16:16:20 [ERROR] WSREP: gcs/src/gcs_core.c:gcs_core_open():202: Failed to open backend connection: -13 (Permission denied)
140805 16:16:20 [ERROR] WSREP: gcs/src/gcs.c:gcs_open():1291: Failed to open channel 'my_wsrep_cluster' at 'gcomm://': -13 (Permission denied)
140805 16:16:20 [ERROR] WSREP: gcs connect failed: Permission denied
140805 16:16:20 [ERROR] WSREP: wsrep::connect() failed: 7
140805 16:16:20 [ERROR] Aborting

In a test environment one can disable/enable SELinux for mysqld using the following commands (thanks to Daniel Black for the tip!):

$ sudo semanage permissive -a mysqld_t
$ sudo semanage permissive -d mysqld_t

Disabling SELinux for mysql works, but it's certainly not the best solution. So, I tried to configure SELinux for a 2-node MariaDB Galera cluster on CentOS using the tools provided to manage SELinux policies. The basic idea is to let the MariaDB Galera nodes run under permissive mode so that every operation SELinux would otherwise have denied gets logged to the audit log, then create a policy module with the audit2allow tool after carefully analyzing the “denials”. The resulting module can then be installed before putting mysqld back into enforcing mode.

Prepare the hosts
* Install the MariaDB Galera server packages ($ sudo yum install MariaDB-Galera-server)
* Set up the MariaDB configuration options ($ sudo vi /etc/my.cnf.d/server.cnf)
* Install the SELinux policy management tools ($ sudo yum install policycoreutils-python)
* Firewall settings (see resources below)

Generate the policy module
* Put mysqld_t into permissive mode on both hosts. With the domain permissive, SELinux logs every operation it would have denied as a warning instead of enforcing it.

$ sudo semanage permissive -a mysqld_t

* Once mysqld on both hosts is in permissive mode, the goal is to trigger as many of the events that can happen on a node in a MariaDB Galera cluster as possible (the more extensive, the better!): starting the node as donor and as joiner with each of the snapshot state transfer (SST) methods, incremental state transfer (IST), and so on. The idea is to get every possible denial logged into the audit log, which is later used to generate the policy module.
* Carefully analyze all the “denials” logged in the audit log (/var/log/audit/audit.log), for example with sealert. If the denials are expected, create a local policy module using audit2allow.

$ sudo grep mysql /var/log/audit/audit.log | audit2allow -M mariadb-galera

* Install the policy module.

$ sudo semodule -i mariadb-galera.pp

* Put mysqld back into enforcing mode.

$ sudo semanage permissive -d mysqld_t
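The analysis step above is the one that decides what ends up in the module, so here is an added example (not from the original post) of a small shell helper that summarises the mysqld_t denials in an audit log as "type class permission" tuples with counts, before anything is piped into audit2allow. The audit records are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example: review AVC denials for mysqld_t before generating a module.
# Assumes the standard auditd AVC record format. The records below are
# constructed for this example and were not captured from a real host.
SAMPLE_AUDIT='type=AVC msg=audit(1407251780.123:101): avc:  denied  { name_bind } for  pid=2411 comm="mysqld" src=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1407251780.456:102): avc:  denied  { name_bind } for  pid=2411 comm="mysqld" src=4568 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1407251780.789:103): avc:  denied  { name_connect } for  pid=2411 comm="mysqld" dest=4567 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1407251781.001:104): avc:  denied  { execute } for  pid=2450 comm="mysqld" name="rsync" scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=AVC msg=audit(1407251782.002:105): avc:  denied  { name_bind } for  pid=3001 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# Read audit records on stdin; print "<count> <target type> <class> <perm>"
# for every distinct denial whose source domain is mysqld_t. Records from
# other domains (the httpd line above) are ignored so they never leak into
# the MariaDB module. Output is sorted so it can be diffed between runs.
summarize_mysqld_denials() {
    grep 'avc:  denied' | grep 'scontext=[^ ]*:mysqld_t:' |
    sed -n 's/.*denied  { \([^}]*\) } .*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \1/p' |
    sort | uniq -c | sed 's/^ *//'
}

# Number of distinct allow rules audit2allow would emit for this input.
count_mysqld_rules() {
    summarize_mysqld_denials | wc -l | tr -d ' '
}

# Caveat for the review: a name_bind/name_connect denial against
# unreserved_port_t is better fixed by labelling the Galera ports as
# mysqld_port_t (semanage port -a -t mysqld_port_t -p tcp 4567, and so on)
# than by letting mysqld_t talk to every unreserved port; only the
# remaining denials (e.g. executing rsync for SST) belong in the module:
#   sudo grep mysqld_t /var/log/audit/audit.log | audit2allow -M mariadb-galera
#   sudo semodule -i mariadb-galera.pp
printf '%s\n' "$SAMPLE_AUDIT" | summarize_mysqld_denials
```

Run it against the real log with `sudo cat /var/log/audit/audit.log | summarize_mysqld_denials` and read every line before deciding which denials are expected.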

Resources

2 thoughts on “Configuring SELinux for Galera cluster”

  1. disabling/enabling selinux for just mysql can be done with:

    semanage permissive -a mysqld_t / semanage permissive -d mysqld_t

    Probably should start by labelling ports based on http://galeracluster.com/documentation-webpages/firewallsettings.html

    semanage port -a -t mysqld_port_t -p tcp 4567
    semanage port -a -t mysqld_port_t -p udp 4567
    semanage port -a -t mysqld_port_t -p tcp 4568
    semanage port -a -t mysqld_port_t -p tcp 4444

    In addition to the SST mechanisms that need testing, the range of arguments to wsrep_notify_cmd needs to be tested (though these are largely covered by the SST).

    Providing a text policy including the inbuilt SST mechanisms would be a good addition to the blog.

    Maybe should get these into https://github.com/TresysTechnology/refpolicy-contrib – at least under a galera tunable

    I’d also suggest adding https://blogs.oracle.com/jsmyth/entry/selinux_and_mysql to the list of references.
