[Linux-cluster] GFS, SELinux denial
Charles_McKinnis at Dell.com
Charles_McKinnis at Dell.com
Tue Aug 28 17:56:37 UTC 2007
I am having issues with a server running gfs and an SELinux error. When
/etc/init.d/gfs start or service gfs start is run, it results in a
SELinux denial. If mount -a -t gfs is run as root it works fine. The
scripts also work if setenforce 0 is used. Running setsebool -P
allow_mount_anyfile=1 does not fix the problem (as seen in sealert),
although it is set.
Thank you,
Charles McKinnis
# cat /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 defaults
1 1
LABEL=/boot /boot ext3 defaults
1 2
devpts /dev/pts devpts gid=5,mode=620
0 0
tmpfs /dev/shm tmpfs defaults
0 0
proc /proc proc defaults
0 0
sysfs /sys sysfs defaults
0 0
/dev/VolGroup00/LogVol01 swap swap defaults
0 0
/dev/hda /media/cdrecorder auto
pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0
0
/dev/winchester/array /opt/winchester gfs
rw,localflocks,localcaching,oopses_ok 0 0
# /etc/init.d/gfs stop
Mounting GFS filesystems: /sbin/mount.gfs: error 13 mounting
/dev/winchester/array on /opt/winchester
# tail /var/log/messages
Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster
"lock_nolock", "dm-2"
Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting
FS...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying
to acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Looking
at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done Aug
28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to
acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Looking
at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done Aug
28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs)
getxattr errno 13
Aug 28 11:56:26 ronnie-vidrine setroubleshoot: SELinux prevented
/sbin/mount.gfs2 from mounting on the file or directory "/" (type
"unlabeled_t"). For complete SELinux messages. run sealert -l
c3fabd9a-3aac-4af4-aa26-300e19aab70e
# sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
Summary
SELinux prevented /sbin/mount.gfs2 from mounting on the file or
directory
"/" (type "unlabeled_t").
Detailed Description
SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on the
file or
directory "/" of type "unlabeled_t". By default SELinux limits the
mounting
of filesystems to only some files or directories (those with types
that have
the mountpoint attribute). The type "unlabeled_t" does not have this
attribute. You can either relabel the file or directory or set the
boolean
"allow_mount_anyfile" to true to allow mounting on any file or
directory.
Allowing Access
Changing the "allow_mount_anyfile" boolean to true will allow this
access:
"setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1
Additional Information
Source Context user_u:system_r:mount_t
Target Context system_u:object_r:unlabeled_t
Target Objects / [ dir ]
Affected RPM Packages gfs2-utils-0.1.25-1.el5
[application]filesystem-2.4.0-1 [target]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_mount_anyfile
Host Name server.net
Platform Linux server.net
2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21
EST 2007
i686 i686
Alert Count 14
Line Numbers
Raw Audit Messages
avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0
exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0
subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0
More information about the Linux-cluster
mailing list