MDEV-37899 galera sst generates numerous selinux AVCs when starting

grooverdan · grooverdan · commit 5a8cd03f0f3a · 2025-10-21T20:25:06.000+11:00
From downstream bug RHEL-116757, the use of ss to map all the
usage of ports to pids and process names under selinux is rather
limited by the mysqld_exec_t limitations.

The checking of the mapping is a bit excessive in a selinux
environment where binding is limited.

We replace the use of ss under selinux to raw reading of the
/proc/tcp{,} interfaces of the linux that aren't selinux restricted.
diff --git a/scripts/wsrep_sst_common.sh b/scripts/wsrep_sst_common.sh
@@ -1230,6 +1230,13 @@ check_sockets_utils()
     lsof_available=0
     sockstat_available=0
     ss_available=0
+    raw_socket_check=0
+
+    if [ -n "$(commandex selinuxenabled)" ] && selinuxenabled; then
+        raw_socket_check=1
+        wsrep_log_info "/proc/net/tcp{,6} is being used directly to avoid excessive selinux AVC notices"
+        return 0
+    fi
 
     socket_utility="$(commandex ss)"
     if [ -n "$socket_utility" ]; then
@@ -1298,7 +1305,11 @@ check_port()
 
     local rc=2 # ENOENT
 
-    if [ $ss_available -ne 0 ]; then
+    if [ $raw_socket_check -ne 0 ]; then
+        for key in $(awk -v p="$port" 'BEGIN { hex_port = sprintf(":%04X", p) } $2 ~ hex_port && $4 == "0A" { print $10 }' /proc/net/tcp /proc/net/tcp6); do
+            return 0
+        done
+    elif [ $ss_available -ne 0 ]; then
         $socket_utility $ss_opts -t "( sport = :$port )" 2>/dev/null | \
             grep -q -E "[[:space:]]users:[[:space:]]?\\(.*\\(\"($utils)[^[:space:]]*\"[^)]*,pid=$pid(,[^)]*)?\\)" && rc=0
     elif [ $sockstat_available -ne 0 ]; then
diff --git a/scripts/wsrep_sst_rsync.sh b/scripts/wsrep_sst_rsync.sh
@@ -105,7 +105,9 @@ check_pid_and_port()
     local final
 
     if ! check_port $pid "$port" "$utils"; then
-        if [ $ss_available -ne 0 -o $sockstat_available -ne 0 ]; then
+        if [ $raw_socket_check -ne 0 ]; then
+            return 1
+        elif [ $ss_available -ne 0 -o $sockstat_available -ne 0 ]; then
             if [ $ss_available -ne 0 ]; then
                 port_info=$($socket_utility $ss_opts -t "( sport = :$port )" 2>/dev/null | \
                     grep -E '[[:space:]]users:[[:space:]]?\(' | \
@@ -163,7 +165,10 @@ check_pid_and_port()
         fi
     fi
 
-    check_pid "$pid_file" && [ $CHECK_PID -eq $pid ]
+    if [ $raw_socket_check -ne 0 ]; then
+	return 0
+    fi
+    check_pid "$pid_file" && [ "$CHECK_PID" -eq "$pid" ]
 }
 
 get_binlog
