MDEV-37899 galera sst generates numerous selinux AVCs when starting

From downstream bug RHEL-116757, the use of ss to map all the
usage of ports to pids and process names under selinux is rather
limited by the mysqld_exec_t limitations.

The checking of the mapping is a bit excessive in a selinux
environment where binding is limited.

Under SELinux we replace the use of ss with direct reads of the kernel's
/proc/net/tcp{,6} interfaces, which are not SELinux restricted.
This commit is contained in:
Daniel Black 2025-10-20 18:45:56 +11:00
parent 6ea2e99830
commit 5a8cd03f0f
2 changed files with 19 additions and 3 deletions


@ -1230,6 +1230,13 @@ check_sockets_utils()
lsof_available=0
sockstat_available=0
ss_available=0
raw_socket_check=0
if [ -n "$(commandex selinuxenabled)" ] && selinuxenabled; then
raw_socket_check=1
wsrep_log_info "/proc/net/tcp{,6} is being used directly to avoid excessive selinux AVC notices"
return 0
fi
socket_utility="$(commandex ss)"
if [ -n "$socket_utility" ]; then
@ -1298,7 +1305,11 @@ check_port()
local rc=2 # ENOENT
if [ $ss_available -ne 0 ]; then
if [ $raw_socket_check -ne 0 ]; then
for key in $(awk -v p="$port" 'BEGIN { hex_port = sprintf(":%04X", p) } $2 ~ hex_port && $4 == "0A" { print $10 }' /proc/net/tcp /proc/net/tcp6); do
return 0
done
elif [ $ss_available -ne 0 ]; then
$socket_utility $ss_opts -t "( sport = :$port )" 2>/dev/null | \
grep -q -E "[[:space:]]users:[[:space:]]?\\(.*\\(\"($utils)[^[:space:]]*\"[^)]*,pid=$pid(,[^)]*)?\\)" && rc=0
elif [ $sockstat_available -ne 0 ]; then
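Review bot: The /proc/net/tcp branch at the top of this hunk (`for key in $(awk ...); do return 0; done`) succeeds for any LISTEN socket on `$port`, so under SELinux check_port no longer confirms that the listener belongs to `$pid` (or to one of `$utils`) the way the ss branch right below it still does, and the inode awk prints from `$10` is thrown away. Because check_pid_and_port relies on this result to decide the SST transport is up, a stale or unrelated process holding the port would now be accepted as the expected one. The inode can be tied back to the expected process by comparing it with the `socket:[N]` targets under `/proc/$pid/fd`; I would not expect that to trip extra AVCs for a process in the same domain, but it is worth confirming on a test host. The awk call also has no `2>/dev/null`, so on a host with IPv6 disabled (no /proc/net/tcp6) it complains on stderr on every poll. check_port begins before this hunk and continues past it.
```shell
if [ $raw_socket_check -ne 0 ]; then
    # Accept only a LISTEN socket on $port whose inode is open in $pid.
    for inode in $(awk -v p="$port" 'BEGIN { hex_port = sprintf(":%04X", p) } $2 ~ hex_port && $4 == "0A" { print $10 }' /proc/net/tcp /proc/net/tcp6 2>/dev/null); do
        for fd in /proc/$pid/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] && return 0
        done
    done
elif [ $ss_available -ne 0 ]; then
    # … unchanged: ss / sockstat / lsof branches …
```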


@ -105,7 +105,9 @@ check_pid_and_port()
local final
if ! check_port $pid "$port" "$utils"; then
if [ $ss_available -ne 0 -o $sockstat_available -ne 0 ]; then
if [ $raw_socket_check -ne 0 ]; then
return 1
elif [ $ss_available -ne 0 -o $sockstat_available -ne 0 ]; then
if [ $ss_available -ne 0 ]; then
port_info=$($socket_utility $ss_opts -t "( sport = :$port )" 2>/dev/null | \
grep -E '[[:space:]]users:[[:space:]]?\(' | \
@ -163,7 +165,10 @@ check_pid_and_port()
fi
fi
check_pid "$pid_file" && [ $CHECK_PID -eq $pid ]
if [ $raw_socket_check -ne 0 ]; then
return 0
fi
check_pid "$pid_file" && [ "$CHECK_PID" -eq "$pid" ]
}
get_binlog
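Review bot: The early `return 0` added near the end of check_pid_and_port (`if [ $raw_socket_check -ne 0 ]; then return 0; fi`) skips the `check_pid "$pid_file" && [ "$CHECK_PID" -eq "$pid" ]` verification that every other path still performs, so under SELinux the function reports success as soon as check_port sees a listener, without confirming that the pid file names the process it was asked about. Unless check_pid is itself a source of the AVCs being silenced — it reads a pid file written by the same domain, so I would not expect so — those three lines should simply be dropped so the SELinux path falls through to the same final check as the others. The `return 1` added for the failed-check_port case is fine on its own, but a one-line comment there such as `# no pid/port fallback without ss/sockstat; the caller keeps polling` would save the next reader from wondering why the usual fallback is bypassed. check_pid_and_port begins before this hunk.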