Recently I was configuring MySQL in a high availability configuration when I encountered problems with getting my keepalived health check script to work.
I have two MySQL servers configured in Master/Master replication with a VIP (keepalived) which floats between the two servers. We only write to one of the masters using the VIP. The goal is to have a fail over of the VIP occur if the primary server becomes unreachable.
I created my health check script and configured keepalived to use it to check on MySQL. Below is a snippet from my keepalived.conf config file. I would test the fail over by shutting down MySQL to force the VIP to move; however, the fail over was not occurring. When I ran keepalived as root from the console, the VIP fail over worked. I started to suspect a permissions or SELinux issue.
vrrp_script check_mysql {
    script /opt/mysql/check.py
    interval 2
    timeout 3
}

track_script {
    check_mysql
}
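As an added example (not the post's own /opt/mysql/check.py), here is a health check that connects to the MySQL port and validates the server's initial handshake packet, so the check fails if the port is closed or answered by something other than mysqld; keepalived treats a non-zero exit as failure. The host/port defaults, the version string and the fake-server helper are constructed assumptions so the script can be exercised without a running MySQL.

```python
#!/usr/bin/env python3
"""keepalived health check for MySQL: exit 0 on a valid handshake, 1 otherwise."""
import socket
import struct
import sys
import threading

MYSQL_PROTOCOL_VERSION = 10  # protocol version byte at the start of the greeting


def parse_handshake(data):
    """Parse the MySQL initial handshake packet (3-byte length, 1-byte sequence id,
    protocol version, NUL-terminated server version). Returns (protocol, version) or None."""
    if len(data) < 5:
        return None
    length = data[0] | (data[1] << 8) | (data[2] << 16)
    payload = data[4:4 + length]
    if len(payload) < length or payload[0] != MYSQL_PROTOCOL_VERSION:
        return None
    end = payload.find(b"\x00", 1)
    if end < 0:
        return None
    return payload[0], payload[1:end].decode("ascii", "replace")


def check_mysql(host="127.0.0.1", port=3306, timeout=2.0):
    """Return 0 if mysqld answers with a valid greeting, else 1 (keepalived exit code).
    The timeout stays below keepalived's 'timeout 3' so the script never gets killed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256)  # the server speaks first; the greeting is well under 256 bytes
    except OSError:
        return 1
    return 0 if parse_handshake(data) else 1


def build_greeting(version=b"8.0.36"):
    """Constructed minimal greeting: protocol 10, version string, 4-byte connection id."""
    payload = bytes([MYSQL_PROTOCOL_VERSION]) + version + b"\x00" + struct.pack("<I", 42)
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def fake_mysql_server(greeting):
    """Constructed test helper: one-shot listener on 127.0.0.1 that sends `greeting`
    and closes. Returns the bound port; not used in production."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    sys.exit(check_mysql())
```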
Enter audit2allow: this tool reads the audit log and generates SELinux allow policies from the denials it finds.
yum install /usr/bin/audit2allow
I grepped the audit.log file for failures and wrote down each context that was being denied.
grep check.py /var/log/audit/audit.log
After finding all the denied contexts, I used audit2allow to create allow policies and loaded them with semodule.
grep keepalived_t /var/log/audit/audit.log | audit2allow -M keepalived_t
grep root_t /var/log/audit/audit.log | audit2allow -M root_t
grep tmp_t /var/log/audit/audit.log | audit2allow -M tmp_t
grep mysqld_port_t /var/log/audit/audit.log | audit2allow -M mysqld_port_t
semodule -i keepalived_t.pp
semodule -i root_t.pp
semodule -i tmp_t.pp
semodule -i mysqld_port_t.pp
After creating the allow policies, the health check script ran successfully and the VIP failed over when MySQL went down.