Percona XtraBackup
    Work with SELinux

    Percona XtraBackup is installed as an unconfined process running in the unconfined domain. SELinux allows unconfined processes almost all access, and such processes are governed only by the Discretionary Access Control (DAC) rules.

    You can find the current SELinux context of the Percona XtraBackup binary with the following command:

    $ ls -Z /usr/bin | grep xtrabackup
    
    Expected output
    -rwxr-xr-x. root root   system_u:object_r:bin_t:s0       xtrabackup
    

    The SELinux context is the following:

    • user (root)

    • role (object_r)

    • type (bin_t)

    • level (s0)

    SELinux confines and protects the network-facing services; the unconfined domain holds the remaining processes, and those domains are not exposed to the network. In this configuration, SELinux protects against remote intrusions, but local intrusions, which require local access, are not confined.

    Percona XtraBackup works locally. The service is not network-facing and cannot be exploited externally. The service interacts only with the local user, who provides the parameters. Percona XtraBackup requires access to the target-dir location.

    Confine XtraBackup

    You can modify your security configuration to confine Percona XtraBackup. The first question is where to store the backup files. The service requires read and write access to the selected location.

    You can use either of the following methods:

    • Allow Percona XtraBackup to write to any location. The user can pass any path as the target-dir parameter.

    • Allow Percona XtraBackup to write to a specific location, such as /backups or the user’s home directory.

    The first option leaves the entire file system open to the process for reading and writing. Select the second option to harden your security.

    Install SELinux tools

    To work with policies, you must install the SELinux tools. Find which package provides the semanage command and install that package. The following is an example on CentOS 7.

    $ yum provides '*bin/semanage'
    
    The result should list the packages.

    Expected output
    ...
    policycoreutils-python-2.5-34.el7.x86_64 : SELinux policy core python utilities
    ...
    

    To install missing packages, run the following:

    $ sudo yum install -y policycoreutils-python
    

    The following is an example on CentOS 8:

    $ yum provides '*bin/semanage'
    
    The result should list the missing packages.

    Expected output
    ...
    policycoreutils-python-utils-2.8-16.1.el8.noarch : SELinux policy core python utilities
    

    Run the following to install the missing packages:

    $ sudo yum install -y policycoreutils-python-utils
    

    Create a policy

    Use a modular approach to create an SELinux policy. Create a policy module to manage XtraBackup. You must create a .te file for type enforcement, and an optional .fc file for the file contexts.

    Use ps -efZ | grep xtrabackup to verify that the running process is not confined by SELinux.

    Create the xtrabackup.fc file with the following content. This file defines the file contexts:

    /usr/bin/xtrabackup    -- gen_context(system_u:object_r:xtrabackup_exec_t,s0)
    /usr/bin/xbcrypt    -- gen_context(system_u:object_r:xtrabackup_exec_t,s0)
    /usr/bin/xbstream    -- gen_context(system_u:object_r:xtrabackup_exec_t,s0)
    /usr/bin/xbcloud    -- gen_context(system_u:object_r:xtrabackup_exec_t,s0)
    /backups(/.*)?       system_u:object_r:xtrabackup_data_t:s0
    

    Note

    If you store backups in the /backups directory, you must keep the last line. If you store the backups in the user’s home directory, you can omit this line.

    Download the xtrabackup.te file from the following location:

    https://github.com/percona/percona-xtrabackup/tree/8.0/packaging/percona/selinx

    Note

    In the file, the sections in bold should be modified for your system. The fc file can also be downloaded from the same location.

    Compile the policy module:

    $ make -f /usr/share/selinux/devel/Makefile xtrabackup.pp
    

    Install the module:

    $ semodule -i xtrabackup.pp
    

    Label the PXB binaries with the proper SELinux types, such as xtrabackup_exec_t, according to the installed file contexts:

    $ restorecon -v /usr/bin/*
    

    If you store your backups at /backups, restore the label in that location:

    $ restorecon -v /backups
    

    Note

    Remember to add the standard Linux DAC permissions for this directory.

    Perform the backup in the standard way.
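    As a post-install check for the relabelling steps above (an added example, not Percona's own tooling), the following script parses xtrabackup.fc rules in both context forms shown on this page and compares them against the old-style ls -Z output format the page shows, reporting any binary or directory whose type does not match. The sample .fc and ls -Z input is constructed, and the last-match precedence is a simplification of the rules libselinux applies.

```python
import re

# Added example, not Percona's tooling: parse xtrabackup.fc rules and compare
# them with `ls -Z` output to confirm restorecon applied the expected types.
FC_LINE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
                     r"(?:gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)|(?P<plain>\S+))$")

def parse_fc(text):
    # Returns [(anchored path regex, file-type flag or None, context)] per rule
    rules = []
    for line in filter(str.strip, text.splitlines()):
        m = FC_LINE.match(line.strip())
        if not m:
            raise ValueError("unparseable .fc line: " + line)
        ctx = m.group("plain") or (m.group("ctx") + ":" + m.group("mls")).strip()
        rules.append((re.compile("^" + m.group("path") + "$"), m.group("ftype"), ctx))
    return rules

def expected_type(rules, path, is_dir=False):
    # SELinux type the .fc assigns to path (None if no rule). Last match wins;
    # libselinux applies finer precedence rules, simplified here.
    want_ftype = "-d" if is_dir else "--"
    found = None
    for path_re, ftype, ctx in rules:
        if ftype in (None, want_ftype) and path_re.match(path):
            found = ctx.split(":")[2]
    return found

def check_labels(rules, ls_output, directory):
    # Each `ls -Z` line as shown on this page: mode user group context name.
    # Returns (path, expected_type, actual_type) for entries with a wrong type.
    mismatches = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        mode, ctx, name = fields[0], fields[3], fields[4]
        path = directory.rstrip("/") + "/" + name
        want = expected_type(rules, path, mode.startswith("d"))
        if want is not None and want != ctx.split(":")[2]:
            mismatches.append((path, want, ctx.split(":")[2]))
    return mismatches

# Constructed sample: xbstream relabelled, xtrabackup still bin_t, mysql has no rule
FC_TEXT = """/usr/bin/xtrabackup    -- gen_context(system_u:object_r:xtrabackup_exec_t,s0)
/usr/bin/xbstream    -- gen_context(system_u:object_r:xtrabackup_exec_t,s0)
/backups(/.*)?       system_u:object_r:xtrabackup_data_t:s0"""
LS_USR_BIN = """-rwxr-xr-x. root root   system_u:object_r:bin_t:s0       xtrabackup
-rwxr-xr-x. root root   system_u:object_r:xtrabackup_exec_t:s0   xbstream
-rwxr-xr-x. root root   system_u:object_r:bin_t:s0       mysql"""
```

Running check_labels(parse_fc(FC_TEXT), LS_USR_BIN, "/usr/bin") on the sample reports only xtrabackup, which still carries bin_t and therefore needs restorecon.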

    Last update: 2022-12-06