SELinux errors when using flush_cache on PXC 5.7
Activity

Julia Vural March 4, 2025 at 9:28 PM
It appears that this issue is no longer being worked on, so we are closing it for housekeeping purposes. If you believe the issue still exists, please open a new ticket after confirming it's present in the latest release.

Ville Ojamo April 25, 2019 at 1:28 PM
I do agree that the SELinux issue is documented and as such this "issue" could be treated as "works as documented" and not be fixed.
However, it is fixed in the 5.6 series as per and this, in my opinion, would hint that the objective is to make it work in "enforcing" mode. After all, SELinux is quite useful, and I am sure most of the operators who understand SELinux (in contrast to "what? SELinux? just disable it") would appreciate official support without the need to create their own custom SELinux module.
Furthermore, I do believe that the documentation note about "SELinux constrain" is a historical leftover from the days when PS/PXC did not support SELinux at all. The SELinux support has, if I recall correctly, been improved steadily over the years, in fact to the point that now there are only a few AVC denials from SELinux on PXC 5.7 and none on PS 5.6. I am quite sure there used to be several AVC denials and I just loaded a custom module to work around them; recently this has not been necessary anymore, as PS has had full support for SELinux out of the box (from the RPM package).

Lalit Choudhary April 25, 2019 at 12:15 PM
As per the prerequisite requirements of PXC:
https://www.percona.com/doc/percona-xtradb-cluster/5.7/install/yum.html#yum

"The SELinux security module can constrain access to data for Percona XtraDB Cluster. The best solution is to change the mode from enforcing to permissive by running the following command:
setenforce 0
This only changes the mode at runtime. To run SELinux in permissive mode after a reboot, set SELINUX=permissive in the /etc/selinux/config configuration file."

So here, having SELinux in enforcing mode can create the issue. The reported issue is not reproducible when the SELinux policy is in permissive mode or disabled.

Lalit Choudhary April 25, 2019 at 12:08 PM
Hi Ville,
Thank you for the report.
Validated as described with PXC 5.7.25, with
[mysqld_safe]
flush_caches=1
and SELinux in Enforcing mode.
Details
Assignee: Unassigned
Reporter: Ville Ojamo
Priority: Medium
This is the same issue as which seems to have been fixed only for Percona Server 5.6.
On EL7 there are SELinux AVC denials when running Percona XtraDB Cluster 5.7, if the option is used:
type=AVC msg=audit(1535922999.860:1061): avc: denied { getattr } for pid=6771 comm="sysctl" path="/proc/sys/vm/drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1535922999.860:1062): avc: denied { write } for pid=6771 comm="sysctl" name="drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
PXC is from RPM:
If SELinux is set to permissive mode or disabled, then everything works normally.
Contrary to I did not notice a `read` operation on the drop_caches inode; only getattr + write were seen.
Could please be ported to PXC 5.7?
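The two AVC lines above, and the custom SELinux module Ville mentions as the operator-side workaround, come together in the following added example. It is not code from the ticket or from Percona: it parses kernel AVC records from an audit.log excerpt, merges the denials per (source type, target type, object class) the way audit2allow does, and renders the .te source of a local policy module. The sample input is the two denial lines quoted in the description, embedded as a constructed string; the module name pxc_flush_caches is a hypothetical placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC lines quoted in the ticket description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1535922999.860:1061): avc: denied { getattr } for pid=6771 comm="sysctl" path="/proc/sys/vm/drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1535922999.860:1062): avc: denied { write } for pid=6771 comm="sysctl" name="drop_caches" dev="proc" ino=29892 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
"""

# Shape of a kernel AVC record:
#   type=AVC msg=audit(<secs>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type field from a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # Some records carry a full path, others only the final component.
        "target": fields.get("path") or fields.get("name"),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    """Parse every AVC line in an audit.log excerpt, skipping other record types."""
    return [rec for rec in (parse_avc(l) for l in text.splitlines()) if rec]


def allow_rules(records):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for rec in records:
        if rec["verdict"] == "denied":
            merged[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def type_enforcement_module(records, name="pxc_flush_caches"):
    """Render the .te source of a local policy module covering the given denials.

    The module name is a hypothetical placeholder, not a Percona-shipped module.
    """
    denied = [r for r in records if r["verdict"] == "denied"]
    types = sorted({r["source_type"] for r in denied} | {r["target_type"] for r in denied})
    perms_by_class = defaultdict(set)
    for r in denied:
        perms_by_class[r["tclass"]] |= r["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [
        f"    class {cls} {{ {' '.join(sorted(perms))} }};"
        for cls, perms in sorted(perms_by_class.items())
    ]
    lines += ["}", ""]
    lines += allow_rules(denied)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(type_enforcement_module(parse_audit_log(SAMPLE_AUDIT)))
```

Running the block prints a .te file that can be built and loaded with checkmodule -M -m, semodule_package and semodule -i. Read the generated rule before loading it: the single allow line it produces grants mysqld_safe_t getattr and write on every file labelled sysctl_vm_t, i.e. all of /proc/sys/vm, not just drop_caches, which is the same breadth audit2allow would give and is why a vendor-shipped policy fix (as in PS 5.6) is preferable to permissive mode or a locally generated module.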