SELinux semodule(s) for `ocf:heartbeat:galera`

[lejeczek]

Hi. As groovy as ClusterLabs are many will agree you guys often neglect SELinux. May I suggest you include/supply module(s) with/for GALERA agent - many will be grateful! & nobody can tell better than the authors/developers what is really needed/critical for SELinux - as opposed to us users compiling custom module.

On CentOS 8 setting resource as:

-> $ pcs resource create mariadb ocf:heartbeat:galera cluster_host_map="c8kubernode1:10.0.1.1;c8kubernode2:10.0.1.2;c8kubernode3:10.0.1.3" wsrep_cluster_address="gcomm://10.0.1.1,10.0.1.2,10.0.1.3" log=/var/log/mariadb/mariadb.log user=mysql group=mysql check_user="pacemaker" check_passwd="#989" additional_parameters="--basedir=/usr" op monitor OCF_CHECK_LEVEL="0" timeout="30s" interval="20s" op monitor role="Master" OCF_CHECK_LEVEL="0" timeout="30s" interval="10s" op monitor role="Slave" OCF_CHECK_LEVEL="0" timeout="30s" interval="30s" promotable promoted-max=3 meta failure-timeout=30s

results in failed resource - I did end up with: -> $ semanage permissive -a mysqld_t which is not good (very! bad!) practice!!! But even that was not enough and further customization was needed.

pcs-0.10.12-7.el8.x86_64 resource-agents-4.9.0-19.el8.x86_64

many thanks, L.

[dciabrin]

We do support SELinux with that agent, but we haven't documented that clearly I think. We do use this resource agent in OpenStack, and SELinux support comes when we install package openstack-selinux [1] from RDO packages [2].

It might be enough to just install openstack-selinux manually in your environment to get what you need, without going through the route of installing openstack repo files.

[1] https://trunk.rdoproject.org/centos8-master/component/common/current-tripleo/ [2] https://trunk.rdoproject.org/centos8-master/