[Maria-discuss] SELinux policy for MariaDB/Galera?
Hi!

I'm looking for a SELinux policy for MariaDB/Galera. I'd like to use MariaDB/Galera with enforcing targeted SELinux. I googled a lot. No real solution showed up. The most helpful page was https://groups.google.com/forum/#!topic/percona-discussion/beyXK3U0ySo/discu... which solves part of the problem.

Currently I'm trying to allow SST via rsync. /usr/bin/wsrep_sst_rsync executes ps and netstat, producing a lot of AVC denials, e.g.

----
time->Wed May 14 10:30:23 2014
type=SYSCALL msg=audit(1400056223.334:70): arch=c000003e syscall=4 success=yes exit=0 a0=17081b0 a1=7f9811231ca0 a2=7f9811231ca0 a3=17081b6 items=0 ppid=1678 pid=1704 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.334:70): avc: denied { getattr } for pid=1704 comm="ps" path="/proc/844" dev=proc ino=10578 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
----
time->Wed May 14 10:30:23 2014
type=SYSCALL msg=audit(1400056223.337:75): arch=c000003e syscall=2 success=yes exit=12 a0=7f9811231840 a1=0 a2=0 a3=0 items=0 ppid=1678 pid=1704 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.337:75): avc: denied { open } for pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc: denied { read } for pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc: denied { search } for pid=1704 comm="ps" name="1230" dev=proc ino=12150 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir

audit2allow doesn't help in this case. The target domain isn't "fixed". It depends on the processes running. "netstat -lnpt" executed by /usr/bin/wsrep_sst_rsync has the problem.

How could I write a SELinux policy to allow access for ps and netstat? Is there an "official" policy? Even RHEL 7 doesn't have support for Galera (but improves the mysql policy for MariaDB a bit).

Best regards
Franz
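The core of the problem in the post is that the denials above are against whatever domains happen to own a /proc/<pid> entry at the moment ps runs (initrc_t in one record, restorecond_t in the next), so the per-type allow rules audit2allow emits are never complete. The following is an added example, not code from the post or from MariaDB/Galera: it parses the AVC records quoted above, shows that one source domain is hitting several target types, and renders a small reference-policy module that grants the access through attribute-based interfaces instead of per-type rules. The interface names domain_read_all_domains_state (all domains' /proc/<pid> state, what ps needs) and kernel_read_network_state (/proc/net, labelled proc_net_t, what netstat needs) are taken from the reference policy's domain.if and kernel.if and are assumed to be present in the installed policy headers; the module name mariadb_galera_sst is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in the post, one record per line.
# The SYSCALL record is included (trimmed) to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1400056223.334:70): arch=c000003e syscall=4 success=yes exit=0 comm="ps" exe="/bin/ps" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1400056223.334:70): avc: denied { getattr } for pid=1704 comm="ps" path="/proc/844" dev=proc ino=10578 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1400056223.337:75): avc: denied { open } for pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc: denied { read } for pid=1704 comm="ps" name="stat" dev=proc ino=12305 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1400056223.337:75): avc: denied { search } for pid=1704 comm="ps" name="1230" dev=proc ino=12150 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
"""

# "avc: denied { perm [perm ...] } for key=value ..." ; values may be quoted.
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def sel_type(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one dict per denied permission; records that are not AVC denials are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        for perm in m.group("perms").split():
            yield {
                "perm": perm,
                "tclass": fields.get("tclass", ""),
                "comm": fields.get("comm", ""),
                "dev": fields.get("dev", ""),
                "source": sel_type(fields["scontext"]),
                "target": sel_type(fields["tcontext"]),
            }


def summarize(text):
    """Group denials by (source domain, command). More than one target type under a
    single key is the signal that a per-type rule (audit2allow's output) is unstable."""
    groups = defaultdict(lambda: {"targets": set(), "accesses": set()})
    for d in parse_avc(text):
        g = groups[(d["source"], d["comm"])]
        g["targets"].add(d["target"])
        g["accesses"].add((d["tclass"], d["perm"]))
    return {k: {"targets": sorted(v["targets"]), "accesses": sorted(v["accesses"])}
            for k, v in groups.items()}


def suggest_interfaces(text):
    """Map /proc denials to attribute-based refpolicy interfaces (assumed names from
    refpolicy's domain.if and kernel.if) so the rule covers every domain, not only
    the ones that happened to be running when the audit log was captured."""
    ifaces = set()
    for d in parse_avc(text):
        if d["dev"] != "proc" or d["tclass"] not in ("dir", "file", "lnk_file"):
            continue
        if d["target"] == "proc_net_t":          # /proc/net/* read by netstat
            ifaces.add("kernel_read_network_state")
        elif d["target"] != d["source"]:         # /proc/<pid> of some other domain (ps)
            ifaces.add("domain_read_all_domains_state")
    return sorted(ifaces)


def render_module(name, domain, interfaces):
    """Render a minimal .te source that calls each interface for `domain`."""
    lines = [f"policy_module({name}, 1.0)", "", "gen_require(`", f"\ttype {domain};", "')", ""]
    lines += [f"{iface}({domain})" for iface in interfaces]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for (source, comm), info in summarize(SAMPLE_AUDIT).items():
        print(f"{source} via {comm}: targets={info['targets']} accesses={info['accesses']}")
    print(render_module("mariadb_galera_sst", "mysqld_t", suggest_interfaces(SAMPLE_AUDIT)))
```

The rendered .te is built and loaded the usual way on a host with selinux-policy-devel installed (make -f /usr/share/selinux/devel/Makefile mariadb_galera_sst.pp, then semodule -i mariadb_galera_sst.pp). Because the interfaces are written against the domain attribute rather than initrc_t or restorecond_t, the grant does not change when a different set of services is running during the next SST; it is still wider than a per-type rule, so the summary output is worth reviewing before loading it.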
participants (1)
-
Franz Schwartau