
Re: [Linux-cluster] GFS, SELinux denial



Charles_McKinnis Dell com wrote:
The problem was the lack of xattr on the gfs. When we added them it
works correctly. Thank you for the assistance.

Excellent. Glad that worked. I'll talk to the right people and see if/how we can get gfs or gfs2 added to the core policy as a filesystem that supports selinux xattrs. The problem is that there are older versions of gfs(1) that did not support selinux xattrs, so making that change to the selinux policy could potentially break older versions of gfs. On the other hand, gfs2 had support for selinux xattrs early on, so it shouldn't have this problem.

Let me know if you encounter any other problem with gfs/selinux.

Ryan



-----Original Message-----
From: linux-cluster-bounces redhat com
[mailto:linux-cluster-bounces redhat com] On Behalf Of Ryan O'Hara
Sent: Tuesday, August 28, 2007 1:44 PM
To: linux clustering
Subject: Re: [Linux-cluster] GFS, SELinux denial

Charles_McKinnis Dell com wrote:
I am having issues with a server running gfs and an SELinux error. When /etc/init.d/gfs start or service gfs start is run, it results in a SELinux denial. If mount -a -t gfs is run as root it works fine. The scripts also work if setenforce 0 is used. Running setsebool -P allow_mount_anyfile=1 does not fix the problem (as seen in sealert), although it is set.


What selinux policy are you using? The policy must be such that gfs (or gfs2) are declared to support/use selinux xattrs.


# cat /etc/fstab
/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
sysfs                   /sys                    sysfs   defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
/dev/hda                /media/cdrecorder       auto    pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0
/dev/winchester/array   /opt/winchester         gfs     rw,localflocks,localcaching,oopses_ok   0 0

# /etc/init.d/gfs stop
Mounting GFS filesystems:  /sbin/mount.gfs: error 13 mounting /dev/winchester/array on /opt/winchester

# tail /var/log/messages
Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster "lock_nolock", "dm-2"
Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting FS...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying to acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Looking at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Looking at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done
Aug 28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs) getxattr errno 13
Aug 28 11:56:26 ronnie-vidrine setroubleshoot: SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory "/" (type "unlabeled_t"). For complete SELinux messages. run sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e

# sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
Summary
    SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory
    "/" (type "unlabeled_t").

Detailed Description
    SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on the file or
    directory "/" of type "unlabeled_t". By default SELinux limits the mounting
    of filesystems to only some files or directories (those with types that have
    the mountpoint attribute). The type "unlabeled_t" does not have this
    attribute. You can either relabel the file or directory or set the boolean
    "allow_mount_anyfile" to true to allow mounting on any file or directory.

Allowing Access
    Changing the "allow_mount_anyfile" boolean to true will allow this access:
    "setsebool -P allow_mount_anyfile=1."

    The following command will allow this access:
    setsebool -P allow_mount_anyfile=1

Additional Information
Source Context                user_u:system_r:mount_t
Target Context                system_u:object_r:unlabeled_t
Target Objects                / [ dir ]
Affected RPM Packages         gfs2-utils-0.1.25-1.el5 [application]
                              filesystem-2.4.0-1 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_mount_anyfile
Host Name                     server.net
Platform                      Linux server.net 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count                   14
Line Numbers
Raw Audit Messages
avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0 exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0 subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0

--
Linux-cluster mailing list
Linux-cluster redhat com
https://www.redhat.com/mailman/listinfo/linux-cluster
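The diagnosis in this thread rests on two log lines: the kernel's "SELinux: (dev dm-2, type gfs) getxattr errno 13" message and the AVC record showing mount_t denied "read" on a dir of type unlabeled_t. The following parser, added here as an example and not code from the thread or from the gfs/selinux-policy projects, turns such lines into structured records and flags that specific combination as a likely "filesystem has no SELinux xattr support" case rather than a generic denial. The sample log is constructed (hostname node1 and the third httpd line are made up; errno 13 is EACCES):

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the kernel and audit lines in this thread.
# The hostname and the third (httpd) line are made up for contrast.
SAMPLE_LOG = """\
Aug 28 11:56:24 node1 kernel: SELinux: (dev dm-2, type gfs) getxattr errno 13
avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0 exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0 subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0
avc: denied { write } for comm="httpd" pid=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GETXATTR_RE = re.compile(r"SELinux: \(dev (?P<dev>\S+), type (?P<fstype>\S+)\) getxattr errno (?P<errno>\d+)")


@dataclass
class AvcRecord:
    result: str   # "denied" or "granted"
    perms: list   # permissions inside the braces, e.g. ["read"]
    fields: dict  # key=value pairs with surrounding quotes stripped


def context_type(ctx):
    """Return the type field of a user:role:type[:level] context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return AvcRecord(m.group("result"), m.group("perms").split(), fields)


def parse_getxattr_failure(line):
    """Match the kernel's 'SELinux: (dev X, type Y) getxattr errno N' message."""
    m = GETXATTR_RE.search(line)
    if not m:
        return None
    return {"dev": m.group("dev"), "fstype": m.group("fstype"), "errno": int(m.group("errno"))}


def summarize(rec):
    """One-line human summary of a denial, suitable for an alert."""
    f = rec.fields
    return "%s denied { %s } on %s (%s) by %s[%s]" % (
        context_type(f.get("scontext", "?")), " ".join(rec.perms),
        f.get("tclass", "?"), context_type(f.get("tcontext", "?")),
        f.get("comm", "?"), f.get("pid", "?"))


def analyze(log_text):
    """Walk log lines and return a list of findings (dicts with a 'kind' key)."""
    findings = []
    for line in log_text.splitlines():
        g = parse_getxattr_failure(line)
        if g:
            # In this thread the getxattr failure on the device preceded the
            # denial and turned out to mean the gfs volume had no SELinux xattrs.
            findings.append({"kind": "xattr_unsupported_hint", "dev": g["dev"],
                             "fstype": g["fstype"], "errno": g["errno"]})
            continue
        rec = parse_avc(line)
        if rec is None or rec.result != "denied":
            continue
        stype = context_type(rec.fields.get("scontext", ""))
        ttype = context_type(rec.fields.get("tcontext", ""))
        # mount_t hitting an unlabeled_t directory is the signature seen above:
        # the kernel could not read a label off the new filesystem, so the
        # mountpoint fell back to unlabeled_t and lacks the mountpoint attribute.
        if stype == "mount_t" and ttype == "unlabeled_t" and rec.fields.get("tclass") == "dir":
            kind = "mountpoint_unlabeled"
        else:
            kind = "denial"
        findings.append({"kind": kind, "summary": summarize(rec), "record": rec})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["kind"], "-", f.get("summary", f))
```

Run it against a copy of /var/log/messages or the output of ausearch to separate the "unlabeled mountpoint" case from ordinary denials; the former points at the filesystem's xattr support (or the policy's fs_use declaration), where flipping allow_mount_anyfile, as the thread shows, does not help.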
