[Linux-cluster] GFS, SELinux denial
Charles_McKinnis at Dell.com
Charles_McKinnis at Dell.com
Tue Aug 28 20:41:37 UTC 2007
The SELinux policy is set to Enabled/Enforcing. I am not sure how to
check the gfs/gfs2 policy. Can I check it from the shell?
Thank you,
Charles
-----Original Message-----
From: linux-cluster-bounces at redhat.com
[mailto:linux-cluster-bounces at redhat.com] On Behalf Of Ryan O'Hara
Sent: Tuesday, August 28, 2007 1:44 PM
To: linux clustering
Subject: Re: [Linux-cluster] GFS, SELinux denial
Charles_McKinnis at Dell.com wrote:
> I am having issues with a server running gfs and an SELinux error.
> When /etc/init.d/gfs start or service gfs start is run, it results in
> a SELinux denial. If mount -a -t gfs is run as root it works fine. The
> scripts also work if setenforce 0 is used. Running setsebool -P
> allow_mount_anyfile=1 does not fix the problem (as seen in sealert),
> although it is set.
What selinux policy are you using? The policy must be such that gfs (or
gfs2) are declared to support/usr selinux xattrs.
> # cat /etc/fstab
> /dev/VolGroup00/LogVol00 / ext3 defaults
> 1 1
> LABEL=/boot /boot ext3 defaults
> 1 2
> devpts /dev/pts devpts gid=5,mode=620
> 0 0
> tmpfs /dev/shm tmpfs defaults
> 0 0
> proc /proc proc defaults
> 0 0
> sysfs /sys sysfs defaults
> 0 0
> /dev/VolGroup00/LogVol01 swap swap defaults
> 0 0
> /dev/hda /media/cdrecorder auto
> pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed
0
> 0
> /dev/winchester/array /opt/winchester gfs
> rw,localflocks,localcaching,oopses_ok 0 0
>
> # /etc/init.d/gfs stop
> Mounting GFS filesystems: /sbin/mount.gfs: error 13 mounting
> /dev/winchester/array on /opt/winchester
>
> # tail /var/log/messages
> Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster
> "lock_nolock", "dm-2"
> Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting
> FS...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying
> to acquire journal lock...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0:
Looking
> at journal...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done
Aug
> 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to
> acquire journal lock...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1:
Looking
> at journal...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done
Aug
> 28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs)
> getxattr errno 13
> Aug 28 11:56:26 ronnie-vidrine setroubleshoot: SELinux prevented
> /sbin/mount.gfs2 from mounting on the file or directory "/" (type
> "unlabeled_t"). For complete SELinux messages. run sealert -l
> c3fabd9a-3aac-4af4-aa26-300e19aab70e
>
> # sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
> Summary
> SELinux prevented /sbin/mount.gfs2 from mounting on the file or
> directory
> "/" (type "unlabeled_t").
>
> Detailed Description
> SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on
the
> file or
> directory "/" of type "unlabeled_t". By default SELinux limits the
> mounting
> of filesystems to only some files or directories (those with types
> that have
> the mountpoint attribute). The type "unlabeled_t" does not have
this
> attribute. You can either relabel the file or directory or set the
> boolean
> "allow_mount_anyfile" to true to allow mounting on any file or
> directory.
>
> Allowing Access
> Changing the "allow_mount_anyfile" boolean to true will allow this
> access:
> "setsebool -P allow_mount_anyfile=1."
>
> The following command will allow this access:
> setsebool -P allow_mount_anyfile=1
>
> Additional Information
>
> Source Context user_u:system_r:mount_t
> Target Context system_u:object_r:unlabeled_t
> Target Objects / [ dir ]
> Affected RPM Packages gfs2-utils-0.1.25-1.el5
> [application]filesystem-2.4.0-1 [target]
> Policy RPM selinux-policy-2.4.6-30.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.allow_mount_anyfile
> Host Name server.net
> Platform Linux server.net
> 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21
> EST 2007
> i686 i686
> Alert Count 14
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0
> exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
> pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0
> subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0
>
> --
> Linux-cluster mailing list
> Linux-cluster at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-cluster
--
Linux-cluster mailing list
Linux-cluster at redhat.com
https://www.redhat.com/mailman/listinfo/linux-cluster
More information about the Linux-cluster
mailing list