Commit 71d1f358 authored by Nirbhay Choubey's avatar Nirbhay Choubey

Update SELinux policy to allow UDP for multicast repl in galera.

parent 32740944
Note: The included SELinux policy files can be used for MariaDB Galera cluster.
However, since these policies had been tested for a limited set of scenarios,
it is highly recommended to run SELinux in "permissive" mode even with these
policies installed and report any denials on
it is highly recommended that you run mysqld in "permissive" mode even with
these policies installed and report any denials on
How to generate and load the policy module of MariaDB Galera cluster ?
* Generate the SELinux policy module.
* Generate the SELinux policy module.
# cd <source>/policy/selinux/
# make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
* Load the generated policy module.
* Load the generated policy module.
# semodule -i /path/to/mariadb-server.pp
* Lastly, run the following command to allow 4568.
* Lastly, run the following command to allow tcp/4568 and udp/4567.
# semanage port -a -t mysqld_port_t -p tcp 4568
# semanage port -a -t mysqld_port_t -p udp 4567
How to run mysqld in permissve mode ?
# semanage permissive -a mysqld_t
......@@ -5,7 +5,7 @@ module mariadb-server 1.0;
require {
type user_tmp_t;
type kerberos_port_t;
#type kerberos_master_port_t;
type mysqld_safe_t;
type tmp_t;
type tmpfs_t;
......@@ -32,7 +32,10 @@ require {
class dir { write search getattr add_name read remove_name open };
# MariaDB additions
type kerberos_port_t;
type tram_port_t;
type mysqld_port_t;
class udp_socket name_bind;
class process setpgid;
class netlink_tcpdiag_socket { create nlmsg_read };
......@@ -56,8 +59,8 @@ allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
allow mysqld_t fixed_disk_device_t:blk_file { read write open };
allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr };
#This rule allows connecting on 4444
allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
#This rule allows connecting on 4444/4567/4568
#allow mysqld_t kerberos_master_port_t:tcp_socket { name_bind name_connect };
allow mysqld_t mysqld_safe_t:dir { getattr search };
allow mysqld_t mysqld_safe_t:file { read open };
......@@ -82,8 +85,13 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
# MariaDB additions
allow mysqld_t self:process setpgid;
# This rule allows port 4567
# This rule allows port tcp/4444
allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
# This rule allows port tcp/4567 (tram_port_t may not be available on
# older versions)
allow mysqld_t tram_port_t:tcp_socket name_bind;
# This rule allows port udp/4567 (see README)
allow mysqld_t mysqld_port_t:udp_socket name_bind;
# Rules related to XtraBackup
allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
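Review bot: The port comments in this file now disagree with each other: the new `#This rule allows connecting on 4444/4567/4568` in the third hunk sits next to the kerberos_port_t rule and the commented-out kerberos_master_port_t line, while the last hunk documents kerberos_port_t as `tcp/4444` only and sends 4567 through tram_port_t and udp/4567 (plus tcp/4568 per the README) through mysqld_port_t via semanage. The grants are also wider than those comments suggest: `name_bind name_connect` on kerberos_port_t lets mysqld_t bind and connect to every port carrying that label (in the reference policy that presumably includes the Kerberos ports 88 and 750, not only 4444 — worth confirming with `semanage port -l`), and `allow mysqld_t mysqld_port_t:udp_socket name_bind` covers any UDP port an administrator later labels mysqld_port_t, not specifically 4567. I would drop the port list from the third-hunk comment and state the real scope instead, e.g. `# kerberos_port_t: tcp/4444 (SST) plus whatever else carries that label; bind+connect` and `# any UDP port labelled mysqld_port_t (README labels udp/4567 for multicast replication)`. The `tram_port_t` require will make the module fail to load on policies that lack that type, as the comment hints; the README build step does not mention this, so a one-line note there telling the reader to comment out the tram_port_t lines in that case would save a confusing semodule error.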