[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Linux-cluster] GFS, SELinux denial



I am having issues with a server running gfs and an SELinux error. When
/etc/init.d/gfs start or service gfs start is run, it results in a
SELinux denial. If mount -a -t gfs is run as root it works fine. The
scripts also work if setenforce 0 is used. Running setsebool -P
allow_mount_anyfile=1 does not fix the problem (as seen in sealert),
although it is set.

Thank you,
Charles McKinnis

# cat /etc/fstab
/dev/VolGroup00/LogVol00 /                       ext3    defaults
1 1
LABEL=/boot             /boot                   ext3    defaults
1 2
devpts                  /dev/pts                devpts  gid=5,mode=620
0 0
tmpfs                   /dev/shm                tmpfs   defaults
0 0
proc                    /proc                   proc    defaults
0 0
sysfs                   /sys                    sysfs   defaults
0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults
0 0
/dev/hda                /media/cdrecorder       auto
pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0
0
/dev/winchester/array	/opt/winchester		gfs
rw,localflocks,localcaching,oopses_ok 	0 0

# /etc/init.d/gfs stop
Mounting GFS filesystems:  /sbin/mount.gfs: error 13 mounting
/dev/winchester/array on /opt/winchester

# tail /var/log/messages
Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster
"lock_nolock", "dm-2"
Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting
FS...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying
to acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Looking
at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done Aug
28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to
acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Looking
at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done Aug
28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs)
getxattr errno 13
Aug 28 11:56:26 ronnie-vidrine setroubleshoot:      SELinux prevented
/sbin/mount.gfs2 from mounting on the file or directory     "/" (type
"unlabeled_t").      For complete SELinux messages. run sealert -l
c3fabd9a-3aac-4af4-aa26-300e19aab70e

# sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
Summary
    SELinux prevented /sbin/mount.gfs2 from mounting on the file or
directory
    "/" (type "unlabeled_t").

Detailed Description
    SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on the
file or
    directory "/" of type "unlabeled_t". By default SELinux limits the
mounting
    of filesystems to only some files or directories (those with types
that have
    the mountpoint attribute). The type "unlabeled_t" does not have this
    attribute. You can either relabel the file or directory or set the
boolean
    "allow_mount_anyfile" to true to allow mounting on any file or
directory.

Allowing Access
    Changing the "allow_mount_anyfile" boolean to true will allow this
access:
    "setsebool -P allow_mount_anyfile=1."

    The following command will allow this access:
    setsebool -P allow_mount_anyfile=1

Additional Information        

Source Context                user_u:system_r:mount_t
Target Context                system_u:object_r:unlabeled_t
Target Objects                / [ dir ]
Affected RPM Packages         gfs2-utils-0.1.25-1.el5
                              [application]filesystem-2.4.0-1 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_mount_anyfile
Host Name                     server.net
Platform                      Linux server.net
                              2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21
EST 2007
                              i686 i686
Alert Count                   14
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0
exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0
subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]