SELINUX - Enforcing Mode

Morpheus documentation states that the latest versions do support SELINUX in enforcing mode if users want to use this option. The 3 Node HA install documentation had commands to make the necessary changes in SELINUX to allow Morpheus traffic. The same documentation appears to have been removed now. Please help with the required commands to make the necessary changes in SELINUX if a customer wants to use enforcing mode.

Any help is greatly appreciated!

Hello @suresh.thakur,

Looking at the previous documentation, the only items listed for SELinux are for the Percona XtraDB Cluster, if you are using that as an external MySQL backend. Morpheus itself will create the policies automatically on the application nodes, if SELinux is in enforcing mode. No additional policies should need to be added for Morpheus.

However, Percona’s installation documentation recommends setting SELinux to Permissive. They do have guidance on setting SELinux policies if SELinux is required.

That said, here are the commands that were previously listed in the documentation. However, I’d highly recommend following Percona’s guidance above instead, to ensure the newest policies are added.

[root]# yum install -y policycoreutils-python.x86_64

[root]# semanage port -m -t mysqld_port_t -p tcp 4444
[root]# semanage port -m -t mysqld_port_t -p tcp 4567
[root]# semanage port -a -t mysqld_port_t -p tcp 4568

[root]# vi PXC.te
module PXC 1.0;
require {
        type unconfined_t;
        type mysqld_t;
        type unconfined_service_t;
        type tmp_t;
        type sysctl_net_t;
        type kernel_t;
        type mysqld_safe_t;
        class process { getattr setpgid };
        class unix_stream_socket connectto;
        class system module_request;
        class file { getattr open read write };
        class dir search;
}

#============= mysqld_t ==============

allow mysqld_t kernel_t:system module_request;
allow mysqld_t self:process { getattr setpgid };
allow mysqld_t self:unix_stream_socket connectto;
allow mysqld_t sysctl_net_t:dir search;
allow mysqld_t sysctl_net_t:file { getattr open read };
allow mysqld_t tmp_t:file write;

[root]# checkmodule -M -m -o PXC.mod PXC.te
[root]# semodule_package -o PXC.pp -m PXC.mod
[root]# semodule -i PXC.pp

These were the troubleshooting steps:

  1. Verify SELinux is not rejecting any db cluster communication by running the below on all db nodes:

[root@allDbNodes]# grep -i denied /var/log/audit/audit.log | grep mysqld_t

If there are any results, address the source or update the SELinux Policy to resolve.

  2. Update SELinux if necessary

[root@allDbNodes]# rm -f PXC.*
[root@allDbNodes]# grep -i denied /var/log/audit/audit.log | grep mysqld_t | audit2allow -M PXC
[root@allDbNodes]# semodule -i PXC.pp

  3. To verify all nodes joined the cluster, on any db node log in to mysql and run show status like 'wsrep%';

[root@anyDbNode]# mysql -u root -p
mysql> show status like 'wsrep%';

  4. Verify wsrep_cluster_size is 3 and wsrep_incoming_addresses lists all 3 node ip addresses.
  5. From all Morpheus app nodes, verify that you can log in to all 3 database nodes

[root@allAppNodes]# cd /opt/morpheus/embedded/bin/
[root@appNode01]# ./mysql -h 192.168.101.01 -u morpheusDbUser -p
[root@appNode02]# ./mysql -h 192.168.101.02 -u morpheusDbUser -p
[root@appNode03]# ./mysql -h 192.168.101.03 -u morpheusDbUser -p

I hope that helps!
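
The "Update SELinux if necessary" step in the reply above pipes every mysqld_t denial straight into audit2allow, which allows whatever was denied. As an added example (not part of the reply, nor Morpheus or Percona code), the script below groups those denials into candidate allow rules with hit counts so each one can be reviewed first. The function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise mysqld_t AVC denials so each
# candidate rule can be reviewed before audit2allow turns it into policy.

# Reads audit.log-format lines on stdin; prints "<count> <allow rule>".
summarize_mysqld_denials() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : " ") $i; continue }
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Keep only denials whose source domain is mysqld_t.
        if (src == "mysqld_t" && tgt != "" && cls != "" && perms != "")
            seen["allow " src " " tgt ":" cls " { " perms " };"]++
    }
    END { for (r in seen) printf "%d %s\n", seen[r], r }
    ' | LC_ALL=C sort -k2
}

# Constructed sample records (assumed values, not real log data).
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.100:101): avc:  denied  { name_bind } for  pid=2211 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.200:102): avc:  denied  { write } for  pid=2211 comm="mysqld" name="sst.tmp" dev="dm-0" ino=1234 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.300:103): avc:  denied  { name_bind } for  pid=2290 comm="mysqld" src=4568 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000003.400:104): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000003.400:104): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
EOF
}

# Stand-alone run over the constructed sample.
sample_audit_lines | summarize_mysqld_denials
```

On a database node, feed it the real log instead of the sample: `summarize_mysqld_denials < /var/log/audit/audit.log`.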