SELinux and MariaDB with Galera Cluster

Installation of MariaDB with Galera Cluster requires several additional SELinux settings. The following description applies to MariaDB installations downloaded from https://downloads.mariadb.org/

Galera Cluster uses the following network ports for network communication by default:

  • 3306/tcp - Standard MySQL/MariaDB port for client connection and SST (State Snapshot Transfers) using mysqldump method.
  • 4567/tcp/udp - Galera replication traffic port. Under normal circumstances only tcp is used; if you use multicast replication, both tcp and udp are used.
  • 4568/tcp - Galera IST (Incremental State Transfers) port.
  • 4444/tcp - Galera SST (State Snapshot Transfer) port for all methods other than mysqldump.

All these ports should be opened not only in the firewall but also within SELinux for mysqld processes.

The following settings assume that you’re using the standard ports listed above for communication and rsync for SST. You’ll need the semanage SELinux policy management tool installed (from the policycoreutils-python-utils package).
Let’s see which network ports SELinux allows for the mysql daemon:

[root@lab1 ~]# semanage port -l | grep mysqld
mysqld_port_t                  tcp      1186, 3306, 63132-63164

As you can see, of the ports you’ll need only 3306/tcp is already allowed, so you still have to add ports 4567/tcp, 4568/tcp and 4444/tcp.
Let’s try to add the missing ports:

[root@lab1 ~]# semanage port -a -t mysqld_port_t -p tcp 4567
ValueError: Port tcp/4567 already defined
[root@lab1 ~]# semanage port -a -t mysqld_port_t -p tcp 4568
[root@lab1 ~]# semanage port -a -t mysqld_port_t -p tcp 4444
ValueError: Port tcp/4444 already defined

Two ports failed because they’re already assigned to other services. Let’s see which:

[root@g2 ~]# semanage port -l | egrep 'tcp.*(4444|4567)'
kerberos_port_t                tcp      88, 750, 4444
tram_port_t                    tcp      4567

There are two services attached: kerberos and tram. It’s rather unlikely that you would use the exotic tram protocol. If you are not using Kerberos either, you can transfer the assignment of these two ports to mysqld. A particular port can only belong to one SELinux port type (service) at a time, so you have to use the -m (modify) flag instead of -a to change the attached type:

semanage port -m -t mysqld_port_t -p tcp 4567
semanage port -m -t mysqld_port_t -p tcp 4444

Ultimately, it all comes down to three commands:

semanage port -m -t mysqld_port_t -p tcp 4567
semanage port -a -t mysqld_port_t -p tcp 4568
semanage port -m -t mysqld_port_t -p tcp 4444

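As an added example (not part of the original post), the following shell script derives the three commands above from a `semanage port -l` listing, choosing -a or -m per port the way the post does by hand. It assumes the same four tcp ports and only matches exact port entries, not ranges such as 63132-63164; the embedded listing is constructed to mirror the post’s output.

```shell
#!/bin/sh
# Added example (not from the original post): derive the semanage commands
# that label Galera's tcp ports as mysqld_port_t from `semanage port -l`
# output, using -a for unassigned ports and -m for ports already owned by
# another type (kerberos_port_t and tram_port_t in the post). Only exact
# port entries are considered; range entries such as 63132-63164 are ignored.

GALERA_PORTS="3306 4567 4568 4444"   # all tcp, as listed in the post

# current_owner LISTING PORT -> prints the SELinux type owning tcp/PORT, if any
current_owner() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip the ", " list separator
                if (v == p) { print $1; exit }
            }
        }'
}

# plan_port_changes LISTING -> one semanage command per port that needs work;
# ports already in mysqld_port_t produce no output.
plan_port_changes() {
    for port in $GALERA_PORTS; do
        owner=$(current_owner "$1" "$port")
        case "$owner" in
            mysqld_port_t) ;;                                   # already allowed
            "")  echo "semanage port -a -t mysqld_port_t -p tcp $port" ;;
            *)   echo "semanage port -m -t mysqld_port_t -p tcp $port  # was $owner" ;;
        esac
    done
}

# Constructed listing reproducing the post's lab output (not captured live).
SAMPLE_LISTING='kerberos_port_t                tcp      88, 750, 4444
mysqld_port_t                  tcp      1186, 3306, 63132-63164
tram_port_t                    tcp      4567'

if [ "${1:-}" = "--live" ]; then
    # On a real host: print the plan, review it, then run the commands as root.
    plan_port_changes "$(semanage port -l)"
else
    plan_port_changes "$SAMPLE_LISTING"
fi
```

Run it with `--live` on the cluster node to get a plan for that host’s actual port assignments instead of the constructed sample.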
Now you can use Galera Cluster with SELinux enabled.