[Linux-cluster] RHEL 5.3: Joining fence domain hangs when selinux is enabled

Ian Hayes cthulhucalling at gmail.com
Wed Aug 12 17:26:20 UTC 2009


I'm assuming that you're running the Targeted policy and not the strict
policy...

RHEL5 has a module for ccs, but I haven't taken it apart. The files for
fencing may be incorrectly labeled or the policy doesn't allow fenced to run
correctly.

Look at your /var/log/audit/audit.log files and see what's being denied. You
may want to install sealert and setroubleshootd so you can browse the
messages. First, check the file contexts of the files that are appearing in
your audit logs.  Nothing should be default_t. If anything looks out of
whack, try restoring the correct file contexts with restorecon and see if
the file contexts have changed.  If you're feeling brave, you can start
writing a custom policy module to permit fenced to start up.

The audit logs will tell you everything, and where you will need to start. I
managed to knock out a policy for 389Server in about an hour, but I had the
benefit of just coming back from Red Hat's SELinux class.


On Wed, Aug 12, 2009 at 9:15 AM, de Jong, MarkJan <deJongm at teoco.com> wrote:

> It seems that with selinux enabled, fencing hangs during ‘service cman
> start’.
>
> When selinux is set to enforcing, the cman startup script hangs at
> “Starting fencing ….” and never times out.
>
> There are NO logs related to the event in /var/log/audit/audit.log, nor
> anything telling in /var/log/messages. ‘fence_tool dump’ also does not
> provide any further details.
>
> After setting selinux to permissive, fencing starts up without incident.
>
> I’m using the following packages:
>
> kernel-xen-2.6.18-128.4.1.el5
> cman-2.0.98-1.el5_3.4
>
> Let me know if I can provide any further info.
>
> thanks,
> Mark de Jong
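
The audit-log triage suggested in the reply above, as an added example that is not part of the original thread: a shell function that condenses the AVC denials in an audit log to one line per unique denial and flags targets labelled default_t. The sample records, including the fenced_t type name, file names and pids, are constructed for illustration.

```shell
#!/bin/sh
# Summarise AVC denials: one line per unique (command, source type, target
# type, object class, permissions). Targets labelled default_t are flagged.
avc_summary() {
    # Reads the audit log(s) named in "$@", or stdin if none is given.
    awk '
    /type=AVC/ && /denied/ {
        comm = ""; stype = ""; ttype = ""; tclass = ""; perms = ""
        # Permissions are the words between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # A context is user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        flag = (ttype == "default_t") ? " MISLABELED?" : ""
        key = comm " " stype " -> " ttype " " tclass " {" perms "}" flag
        # Print each distinct denial once, however often it repeats.
        if (!(key in seen)) { seen[key] = 1; print key }
    }' "$@"
}

# Constructed sample records (not from the original thread); the type names,
# file names, pids and timestamps are made up for illustration.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1250097980.101:41): avc:  denied  { read write } for  pid=2711 comm="fenced" name="example.sock" dev=dm-0 ino=1001 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1250097980.101:41): arch=c000003e syscall=42 success=no exit=-13 comm="fenced"
type=AVC msg=audit(1250097985.202:57): avc:  denied  { read write } for  pid=2790 comm="fenced" name="example.sock" dev=dm-0 ino=1001 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1250097990.303:63): avc:  denied  { search } for  pid=2791 comm="fence_tool" name="example" dev=dm-0 ino=1002 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
EOF
}

sample_log | avc_summary
# On a real host: avc_summary /var/log/audit/audit.log
# Then, for each flagged file: ls -Z <path>; restorecon -v <path>
```

An empty summary does not rule SELinux out, since dontaudit rules in the policy suppress logging for some denials.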