Bug
Resolution: Unresolved
rhel-8.10, rhel-9.6
Low
rhel-databases
What were you trying to do that didn't work?
A customer is using MariaDB + galera.
When the node starts, numerous AVCs are seen when /usr/sbin/ss is executed from the /usr/bin/wsrep_sst_rsync script:

```sh
check_pid_and_port()
{
    :
    if [ $ss_available -ne 0 ]; then
        port_info=$($socket_utility $ss_opts -t "( sport = :$port )" 2>/dev/null | \
                    grep -E '[[:space:]]users:[[:space:]]?\(' | \
                    grep -o -E "([^[:space:]]+[[:space:]]+){4}[^[:space:]]+" || :)
    :
```

These AVCs show up when ss is used to determine whether something is listening on the SST port (4444 by default): /usr/sbin/ss -nlpH -t "( sport = :4444 )". This occurs because the script and ss run in the mysqld_t context, which is very restricted.
What is the impact of this issue to you?
A lot of annoyance due to AVCs popping up, but ss functionality works anyway.
Please provide the package NVR for which the bug is seen:
mariadb-server-10.11.10-1.module+el9.5.0+22578+dc54e53f
How reproducible is this bug?:
Always on customer system.
I didn't try reproducing it myself, but the AVCs can be reproduced easily as shown below.
Steps to reproduce
- Create a script that will run ss in mysqld_t context
```sh
# cat > /usr/local/bin/fake_mysqld << EOF
#!/bin/sh
ss -nlpH -t "( sport = :4444 )"
EOF
# chcon -t mysqld_exec_t /usr/local/bin/fake_mysqld
# chmod +x /usr/local/bin/fake_mysqld
```
- Execute the script as a systemd transient service
# systemd-run --uid=mysql /usr/local/bin/fake_mysqld
- Check for AVCs
# ausearch -m avc -i -ts recent
Expected results
No AVC
Actual results
Numerous AVCs (258 or more, depending on the number of processes on the system).
(attached)
Additional information / analysis
ss generates AVCs because its implementation first tries to read /proc/<PID>/fd/ for all processes on the system. These are the "getattr" AVCs.
Then ss tries to create a netlink NETLINK_SOCK_DIAG socket to request the port states from the kernel. This generates a "create" AVC.
Finally, because of the above failure, ss falls back to parsing /proc/net/tcp as a last resort.
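As an added example (not from the report, MariaDB or the ss project), a POSIX shell script that aggregates the `ausearch -m avc -i` output from the reproduction above by permission and target class, so the three denial kinds just described (getattr on other domains' sockets and processes, create on netlink_tcpdiag_socket) can be confirmed before any dontaudit rule is written. The sample records embedded in it are constructed, and their tclass values are assumptions; run it on real ausearch output to see the actual classes on a given system.

```shell
#!/bin/sh
# Added example, not part of the bug report: summarise `ausearch -m avc -i`
# output by permission and target class so the denial kinds described in
# the analysis (getattr on other domains' sockets and processes, create on
# netlink_tcpdiag_socket) can be confirmed before writing dontaudit rules.
# Usage: ausearch -m avc -i -ts recent | sh avc_summary.sh [source_domain]

# Constructed sample records (not real audit output) used for the self-check.
SAMPLE_AVCS='type=AVC msg=audit(01/01/2025 00:00:01.000:100) : avc:  denied  { getattr } for  pid=4242 comm=ss path=socket:[31337] dev="sockfs" ino=31337 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(01/01/2025 00:00:01.000:101) : avc:  denied  { getattr } for  pid=4242 comm=ss scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/01/2025 00:00:01.000:102) : avc:  denied  { getattr } for  pid=4242 comm=ss scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/01/2025 00:00:01.000:103) : avc:  denied  { create } for  pid=4242 comm=ss scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_tcpdiag_socket permissive=0'

# Read AVC records on stdin and print "count perms tclass" per distinct
# denial, most frequent first. Only records whose source type is $1
# (default mysqld_t) are counted, so denials from other domains are ignored.
summarize_avcs() {
    domain=${1:-mysqld_t}
    grep -E 'avc: +denied' |
    awk -v dom="$domain" '
        {
            perm = ""; tclass = ""; stype = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {        # collect "{ read getattr }" as "read,getattr"
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                    i = j
                } else if ($i ~ /^tclass=/) {
                    tclass = substr($i, 8)
                } else if ($i ~ /^scontext=/) {
                    split($i, a, ":"); stype = a[3]   # user:role:type:level
                }
            }
            if (stype == dom && perm != "" && tclass != "")
                count[perm " " tclass]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run: summarise stdin, or the sample when stdin is a terminal.
if [ "${0##*/}" = "avc_summary.sh" ]; then
    if [ -t 0 ]; then printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs "$1"
    else summarize_avcs "$1"; fi
fi
```

On the sample the output is three lines, "2 getattr process" first, matching the per-process /proc scan, the socket stat and the single netlink create that the analysis describes.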
I see multiple ways to fix this:
- Allowing mysqld_t to scan all processes for such an ss feature looks like overkill and dangerous to me
- Creating dontaudit rules, since ss works in the end by parsing /proc/net/tcp, even though that is not optimal as explained in the ss source code:

```
(dontaudit mysqld_t domain (socket (getattr)))
(dontaudit mysqld_t domain (process (getattr)))
(dontaudit mysqld_t mysqld_t (netlink_tcpdiag_socket (create)))
```

- Modifying /usr/bin/wsrep_sst_rsync to not use ss internally but to rely on a different implementation
- Creating a new context and rules for /usr/bin/wsrep_sst_rsync so that it executes in a different context than mysqld_t when spawned