Kirill Smelkov / mariadb / Commits / 71d1f358
Commit 71d1f358 authored Jun 23, 2015 by Nirbhay Choubey
Update SELinux policy to allow UDP for multicast repl in galera.
parent 32740944
Showing 2 changed files with 30 additions and 20 deletions (+30 -20):
policy/selinux/README (+12 -10)
policy/selinux/mariadb-server.te (+18 -10)
policy/selinux/README  View file @ 71d1f358
Note: The included SELinux policy files can be used for MariaDB Galera cluster.
Note: The included SELinux policy files can be used for MariaDB Galera cluster.
However, since these policies had been tested for a limited set of scenarios,
However, since these policies had been tested for a limited set of scenarios,
it is highly recommended t
o run SELinux in "permissive" mode even with these
it is highly recommended t
hat you run mysqld in "permissive" mode even with
policies installed and report any denials on mariadb.org/jira.
these
policies installed and report any denials on mariadb.org/jira.
How to generate and load the policy module of MariaDB Galera cluster ?
How to generate and load the policy module of MariaDB Galera cluster ?
* Generate the SELinux policy module.
* Generate the SELinux policy module.
# cd <source>/policy/selinux/
# cd <source>/policy/selinux/
# make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
# make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
* Load the generated policy module.
* Load the generated policy module.
# semodule -i /path/to/mariadb-server.pp
# semodule -i /path/to/mariadb-server.pp
* Lastly, run the following command to allow 4568
.
* Lastly, run the following command to allow tcp/4568 and udp/4567
.
# semanage port -a -t mysqld_port_t -p tcp 4568
# semanage port -a -t mysqld_port_t -p tcp 4568
# semanage port -a -t mysqld_port_t -p udp 4567
How to run mysqld in permissve mode ?
# semanage permissive -a mysqld_t
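Review bot: the new heading "How to run mysqld in permissve mode ?" misspells "permissive", and since `semanage permissive -a mysqld_t` makes the whole mysqld_t domain permissive (denials are logged but not enforced), the README should also give the reverse step, `semanage permissive -d mysqld_t`, so that operators know how to return mysqld to enforcing mode once the reported denials have been folded into the policy. The udp/4567 `semanage port` step matches the new `mysqld_port_t:udp_socket name_bind` rule in mariadb-server.te; it would help to state here that tcp/4444 and tcp/4567 need no port step because the policy relies on the pre-existing kerberos_port_t and tram_port_t labels for them.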
policy/selinux/mariadb-server.te  View file @ 71d1f358
...
@@ -5,7 +5,7 @@ module mariadb-server 1.0;
...
@@ -5,7 +5,7 @@ module mariadb-server 1.0;
require {
require {
type user_tmp_t;
type user_tmp_t;
type kerberos
_port_t;
#type kerberos_master
_port_t;
type mysqld_safe_t;
type mysqld_safe_t;
type tmp_t;
type tmp_t;
type tmpfs_t;
type tmpfs_t;
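Review bot: the require block now carries a commented-out `#type kerberos_master_port_t;` next to the live `type kerberos_port_t;`; either drop the dead line or add a comment saying on which policy versions tcp/4444 is labelled kerberos_master_port_t instead of kerberos_port_t, because a bare commented-out declaration tells the next reader nothing about when it would need to be swapped back.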
...
@@ -32,7 +32,10 @@ require {
...
@@ -32,7 +32,10 @@ require {
class dir { write search getattr add_name read remove_name open };
class dir { write search getattr add_name read remove_name open };
# MariaDB additions
# MariaDB additions
type kerberos_port_t;
type tram_port_t;
type tram_port_t;
type mysqld_port_t;
class udp_socket name_bind;
class process setpgid;
class process setpgid;
class netlink_tcpdiag_socket { create nlmsg_read };
class netlink_tcpdiag_socket { create nlmsg_read };
}
}
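Review bot: `type kerberos_port_t;` is now required twice in the same require block, once near the top (where it replaced kerberos_master_port_t in the previous hunk) and again here under "# MariaDB additions"; keep a single declaration, preferably the one in the MariaDB additions section next to tram_port_t and mysqld_port_t, so the upstream and MariaDB-specific requirements stay separated as the comments intend. The added `class udp_socket name_bind;` is the permission the new udp/4567 rule needs and is correctly placed here.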
...
@@ -56,8 +59,8 @@ allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
...
@@ -56,8 +59,8 @@ allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
allow mysqld_t fixed_disk_device_t:blk_file { read write open };
allow mysqld_t fixed_disk_device_t:blk_file { read write open };
allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr };
allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr };
#This rule allows connecting on 4444
#This rule allows connecting on 4444
/4567/4568
allow mysqld_t kerberos
_port_t:tcp_socket { name_bind name_connect };
#allow mysqld_t kerberos_master
_port_t:tcp_socket { name_bind name_connect };
allow mysqld_t mysqld_safe_t:dir { getattr search };
allow mysqld_t mysqld_safe_t:dir { getattr search };
allow mysqld_t mysqld_safe_t:file { read open };
allow mysqld_t mysqld_safe_t:file { read open };
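Review bot: the comment "#This rule allows connecting on 4444/4567/4568" above `allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };` no longer describes the rule: kerberos_port_t is used here for tcp/4444 (as the later "# This rule allows port tcp/4444" comment says), 4567 is handled by the tram_port_t and mysqld_port_t rules, and 4568 by the README's `semanage port` step, so the comment should name 4444 only. Since kerberos_port_t is a shared label for the Kerberos ports rather than a MariaDB-specific one, the comment should also state that name_connect lets mysqld_t connect to any port carrying that label, which is wider than the SST port alone.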
...
@@ -82,8 +85,13 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
...
@@ -82,8 +85,13 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
# MariaDB additions
# MariaDB additions
allow mysqld_t self:process setpgid;
allow mysqld_t self:process setpgid;
# This rule allows port 4567
# This rule allows port tcp/4444
allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
# This rule allows port tcp/4567 (tram_port_t may not be available on
# older versions)
allow mysqld_t tram_port_t:tcp_socket name_bind;
allow mysqld_t tram_port_t:tcp_socket name_bind;
# This rule allows port udp/4567 (see README)
allow mysqld_t mysqld_port_t:udp_socket name_bind;
# Rules related to XtraBackup
# Rules related to XtraBackup
allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
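Review bot: the comment on `allow mysqld_t tram_port_t:tcp_socket name_bind;` warns that tram_port_t "may not be available on older versions", but because the type is listed unconditionally in the require block the module will fail to load on exactly those versions rather than degrade; wrap the tram_port_t requirement and rule in an `optional { ... }` block (or document the affected versions and a fallback) so that a missing type does not block installation of the whole module. The new `allow mysqld_t mysqld_port_t:udp_socket name_bind;` only takes effect after the README's `semanage port -a -t mysqld_port_t -p udp 4567` step; naming that exact command in the comment instead of "(see README)" would save the next reader a lookup.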
...
...