[Linux-cluster] GFS, SELinux denial

Charles_McKinnis at Dell.com Charles_McKinnis at Dell.com
Tue Aug 28 20:41:37 UTC 2007 

The SELinux policy is set to Enabled/Enforcing. I am not sure how to
check the gfs/gfs2 policy. Can I check it from the shell?

Thank you,
Charles

-----Original Message-----
From: linux-cluster-bounces at redhat.com
[mailto:linux-cluster-bounces at redhat.com] On Behalf Of Ryan O'Hara
Sent: Tuesday, August 28, 2007 1:44 PM
To: linux clustering
Subject: Re: [Linux-cluster] GFS, SELinux denial

Charles_McKinnis at Dell.com wrote:
> I am having issues with a server running gfs and an SELinux error. 
> When /etc/init.d/gfs start or service gfs start is run, it results in 
> a SELinux denial. If mount -a -t gfs is run as root it works fine. The

> scripts also work if setenforce 0 is used. Running setsebool -P
> allow_mount_anyfile=1 does not fix the problem (as seen in sealert), 
> although it is set.


What selinux policy are you using? The policy must be such that gfs (or
gfs2) are declared to support/usr selinux xattrs.


> # cat /etc/fstab
> /dev/VolGroup00/LogVol00 /                       ext3    defaults
> 1 1
> LABEL=/boot             /boot                   ext3    defaults
> 1 2
> devpts                  /dev/pts                devpts  gid=5,mode=620
> 0 0
> tmpfs                   /dev/shm                tmpfs   defaults
> 0 0
> proc                    /proc                   proc    defaults
> 0 0
> sysfs                   /sys                    sysfs   defaults
> 0 0
> /dev/VolGroup00/LogVol01 swap                    swap    defaults
> 0 0
> /dev/hda                /media/cdrecorder       auto
> pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed
0
> 0
> /dev/winchester/array	/opt/winchester		gfs
> rw,localflocks,localcaching,oopses_ok 	0 0
> 
> # /etc/init.d/gfs stop
> Mounting GFS filesystems:  /sbin/mount.gfs: error 13 mounting
> /dev/winchester/array on /opt/winchester
> 
> # tail /var/log/messages
> Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster
> "lock_nolock", "dm-2"
> Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting
> FS...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying
> to acquire journal lock...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0:
Looking
> at journal...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done
Aug
> 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to
> acquire journal lock...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1:
Looking
> at journal...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done
Aug
> 28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs)
> getxattr errno 13
> Aug 28 11:56:26 ronnie-vidrine setroubleshoot:      SELinux prevented
> /sbin/mount.gfs2 from mounting on the file or directory     "/" (type
> "unlabeled_t").      For complete SELinux messages. run sealert -l
> c3fabd9a-3aac-4af4-aa26-300e19aab70e
> 
> # sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
> Summary
>     SELinux prevented /sbin/mount.gfs2 from mounting on the file or
> directory
>     "/" (type "unlabeled_t").
> 
> Detailed Description
>     SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on
the
> file or
>     directory "/" of type "unlabeled_t". By default SELinux limits the
> mounting
>     of filesystems to only some files or directories (those with types
> that have
>     the mountpoint attribute). The type "unlabeled_t" does not have
this
>     attribute. You can either relabel the file or directory or set the
> boolean
>     "allow_mount_anyfile" to true to allow mounting on any file or
> directory.
> 
> Allowing Access
>     Changing the "allow_mount_anyfile" boolean to true will allow this
> access:
>     "setsebool -P allow_mount_anyfile=1."
> 
>     The following command will allow this access:
>     setsebool -P allow_mount_anyfile=1
> 
> Additional Information        
> 
> Source Context                user_u:system_r:mount_t
> Target Context                system_u:object_r:unlabeled_t
> Target Objects                / [ dir ]
> Affected RPM Packages         gfs2-utils-0.1.25-1.el5
>                               [application]filesystem-2.4.0-1 [target]
> Policy RPM                    selinux-policy-2.4.6-30.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.allow_mount_anyfile
> Host Name                     server.net
> Platform                      Linux server.net
>                               2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21
> EST 2007
>                               i686 i686
> Alert Count                   14
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0
> exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
> pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0
> subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0
> 
> --
> Linux-cluster mailing list
> Linux-cluster at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-cluster

--
Linux-cluster mailing list
Linux-cluster at redhat.com
https://www.redhat.com/mailman/listinfo/linux-cluster

More information about the Linux-cluster mailing list