Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 10.11.14
- Can result in unexpected behaviour
- Under selinux, the galera SST port checking resulted in excessive AVC notices. This has been simplified under selinux.
Description
From https://issues.redhat.com/browse/RHEL-116757
What were you trying to do that didn't work?
A customer is using MariaDB + galera.
When the node starts, numerous AVCs are seen when /usr/sbin/ss is being executed from /usr/bin/wsrep_sst_rsync script:
    check_pid_and_port()
    {
        :
        if [ $ss_available -ne 0 ]; then
            port_info=$($socket_utility $ss_opts -t "( sport = :$port )" 2>/dev/null | \
                grep -E '[[:space:]]users:[[:space:]]?\(' | \
                grep -o -E "([^[:space:]]+[[:space:]]+){4}[^[:space:]]+" || :)
        :
These AVCs show up when ss is used to determine whether something is listening on the SST port (4444 by default): /usr/sbin/ss -nlpH -t "( sport = :4444 )". This happens because both the script and ss run in the mysqld_t context, which is very restricted.
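The denial count growing with the number of processes on the host matches what the -p flag of ss costs: to attribute each socket to a process, ss opens every /proc/<pid>/fd directory it can find, and in a confined domain each of those opens is a separate access decision against another domain's label. The function below is an added example, not code from wsrep_sst_rsync or from the MariaDB fix; it shows a port check that needs none of that, because it reads the kernel's own socket table. Assumed are the Linux /proc/net/tcp and /proc/net/tcp6 layout and the hypothetical function name port_listening. The trade-off is that it only answers whether the port has a listener, not which PID owns it, which the name check_pid_and_port suggests the original function also needs.

```shell
#!/bin/sh
# Added example, not code from wsrep_sst_rsync or the MariaDB fix: answer
# "is anything listening on TCP port $port?" from the kernel socket table
# (/proc/net/tcp and /proc/net/tcp6) instead of "ss -p", so the confined
# process never opens other processes' /proc/<pid>/fd directories.
# Assumed layout (Linux): column 2 is local_address as HEXIP:HEXPORT, column 4
# is the socket state, and state 0A means LISTEN.

# port_listening PORT [TABLE ...]
#   TABLE defaults to /proc/net/tcp /proc/net/tcp6; passing files explicitly
#   lets the function run against a saved copy of the table.
#   Exit status 0 when some socket listens on PORT, 1 otherwise.
port_listening() {
    port=$1
    shift
    if [ $# -eq 0 ]; then
        set -- /proc/net/tcp /proc/net/tcp6
    fi
    hexport=$(printf '%04X' "$port")
    for table in "$@"; do
        [ -r "$table" ] || continue
        # Skip the header line (NR > 1); compare only the port half of local_address.
        if awk -v p="$hexport" '
            NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == p) found = 1 }
            END { if (found) exit 0; exit 1 }' "$table"; then
            return 0
        fi
    done
    return 1
}

# Stand-alone use: report the Galera SST port (4444 by default, as in the report).
sst_port=${1:-4444}
if port_listening "$sst_port"; then
    echo "port $sst_port: LISTEN"
else
    echo "port $sst_port: nothing listening"
fi
```

Reading /proc/net/tcp needs no permission on any other process, so a domain as tight as mysqld_t can run this without generating a denial per process; the price is the lost PID attribution, which matters only if the caller must distinguish its own stale listener from a foreign one.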
What is the impact of this issue to you?
A lot of annoyance due to AVCs popping up, but ss functionality works anyway.
Please provide the package NVR for which the bug is seen:
mariadb-server-10.11.10-1.module+el9.5.0+22578+dc54e53f
How reproducible is this bug?:
Always on customer system.
Didn't try reproducing it myself, but the AVCs can be reproduced easily as shown below.
Steps to reproduce
Create a script that will run ss in the mysqld_t context:
    # cat > /usr/local/bin/fake_mysqld << EOF
    #!/bin/sh
    ss -nlpH -t "( sport = :4444 )"
    EOF
    # chcon -t mysqld_exec_t /usr/local/bin/fake_mysqld
    # chmod +x /usr/local/bin/fake_mysqld
Execute the script as a systemd transient service:
    # systemd-run --uid=mysql /usr/local/bin/fake_mysqld
Check for AVCs:
    # ausearch -m avc -i -ts recent
Expected results
No AVC
Actual results
Numerous AVCs (258 or more, depending on the number of processes on the system).
(attached)
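Several hundred denials from one ss invocation are hard to read raw, and the first triage question is whether they are all the same benign pattern (a confined process touching /proc entries of other domains) or whether something else is hiding among them. The function below is an added example, not part of the bug report or of MariaDB: it reduces the records that ausearch -m avc -i prints to one count per source type, target type, object class and permission. It assumes the interpreted (-i) record layout used in the constructed sample; the sample lines are made up for this example and are not from the customer system.

```shell
#!/bin/sh
# Added example, not part of the bug report: collapse the AVC records that
# "ausearch -m avc -i" prints into one count per (source domain, target type,
# object class, permission), so a few hundred near-identical denials become a
# handful of rows showing what the confined process actually touched.
# Assumes the interpreted (-i) record layout used in the constructed sample below.

# summarize_avcs < records
#   Prints "COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMS", most frequent first.
summarize_avcs() {
    awk '
    /avc: +denied/ {
        perm = ""; s = ""; t = ""; cls = ""
        # the permission set is the text between the braces
        if (match($0, /[{][^}]*[}]/))
            perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = $i
            else if ($i ~ /^tcontext=/) t = $i
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # contexts are user:role:type:level; keep only the type
        split(s, sp, ":"); split(t, tp, ":")
        n[sp[3] " " tp[3] " " cls " " perm]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample (not taken from the customer system): a process in
# mysqld_t reading the /proc/<pid>/fd directories of processes in other
# domains, which is the kind of record a "ss -p" walk leaves behind.
SAMPLE_AVCS='type=AVC msg=audit(10/10/2025 10:00:01.101:801) : avc:  denied  { read } for  pid=4242 comm=ss name=fd dev="proc" ino=20001 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
type=AVC msg=audit(10/10/2025 10:00:01.101:802) : avc:  denied  { read } for  pid=4242 comm=ss name=fd dev="proc" ino=20002 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=dir permissive=0
type=AVC msg=audit(10/10/2025 10:00:01.102:803) : avc:  denied  { read } for  pid=4242 comm=ss name=fd dev="proc" ino=20003 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
type=AVC msg=audit(10/10/2025 10:00:01.103:804) : avc:  denied  { getattr } for  pid=4242 comm=ss path="/proc/1/fd" dev="proc" ino=20001 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0'

# Stand-alone use on the sample; on a live system pipe ausearch into the function:
#   ausearch -m avc -i -ts recent | summarize_avcs
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

On the sample this prints three rows, all with mysqld_t as the source and dir read or getattr on other domains' /proc entries; a real run that produces only rows of that shape confirms the denials are the port check and nothing more, while any row with a different class or permission deserves its own look before anyone reaches for dontaudit rules.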
Issue Links
- relates to: MDEV-30520 SELinux incorrectly labeled mariadbd (Closed)