[Linux-cluster] GFS, SELinux denial

Ryan O'Hara rohara at redhat.com
Wed Aug 29 17:01:46 UTC 2007


Charles_McKinnis at Dell.com wrote:
> The problem was the lack of xattr on the gfs. When we added them it
> works correctly. Thank you for the assistance.

Excellent. Glad that worked. I'll talk to the right people and see 
if/how we can get gfs or gfs2 added to the core policy as a filesystem 
that supports selinux xattrs. The problem is that there are older 
versions of gfs(1) that did not support selinux xattrs, so making that 
change to the selinux policy could potentially break older versions of 
gfs. On the other hand, gfs2 had support for selinux xattrs early on, so 
it shouldn't have this problem.

Let me know if you encounter any other problems with gfs/selinux.

Ryan



> -----Original Message-----
> From: linux-cluster-bounces at redhat.com
> [mailto:linux-cluster-bounces at redhat.com] On Behalf Of Ryan O'Hara
> Sent: Tuesday, August 28, 2007 1:44 PM
> To: linux clustering
> Subject: Re: [Linux-cluster] GFS, SELinux denial
> 
> Charles_McKinnis at Dell.com wrote:
>> I am having issues with a server running gfs and an SELinux error. 
>> When /etc/init.d/gfs start or service gfs start is run, it results in 
>> a SELinux denial. If mount -a -t gfs is run as root it works fine. The
> 
>> scripts also work if setenforce 0 is used. Running setsebool -P
>> allow_mount_anyfile=1 does not fix the problem (as seen in sealert), 
>> although it is set.
> 
> 
> What selinux policy are you using? The policy must be such that gfs (or
> gfs2) are declared to support/use selinux xattrs.
> 
> 
>> # cat /etc/fstab
>> /dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
>> LABEL=/boot             /boot                   ext3    defaults        1 2
>> devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
>> tmpfs                   /dev/shm                tmpfs   defaults        0 0
>> proc                    /proc                   proc    defaults        0 0
>> sysfs                   /sys                    sysfs   defaults        0 0
>> /dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
>> /dev/hda                /media/cdrecorder       auto    pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0
>> /dev/winchester/array   /opt/winchester         gfs     rw,localflocks,localcaching,oopses_ok 0 0
>>
>> # /etc/init.d/gfs stop
>> Mounting GFS filesystems:  /sbin/mount.gfs: error 13 mounting /dev/winchester/array on /opt/winchester
>>
>> # tail /var/log/messages
>> Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster "lock_nolock", "dm-2"
>> Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting FS...
>> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying to acquire journal lock...
>> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Looking at journal...
>> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done
>> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to acquire journal lock...
>> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Looking at journal...
>> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done
>> Aug 28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs) getxattr errno 13
>> Aug 28 11:56:26 ronnie-vidrine setroubleshoot: SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory "/" (type "unlabeled_t"). For complete SELinux messages. run sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
>>
>> # sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
>> Summary
>>     SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory
>>     "/" (type "unlabeled_t").
>>
>> Detailed Description
>>     SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on the file or
>>     directory "/" of type "unlabeled_t". By default SELinux limits the mounting
>>     of filesystems to only some files or directories (those with types that have
>>     the mountpoint attribute). The type "unlabeled_t" does not have this
>>     attribute. You can either relabel the file or directory or set the boolean
>>     "allow_mount_anyfile" to true to allow mounting on any file or directory.
>>
>> Allowing Access
>>     Changing the "allow_mount_anyfile" boolean to true will allow this access:
>>     "setsebool -P allow_mount_anyfile=1."
>>
>>     The following command will allow this access:
>>     setsebool -P allow_mount_anyfile=1
>>
>> Additional Information
>>
>> Source Context                user_u:system_r:mount_t
>> Target Context                system_u:object_r:unlabeled_t
>> Target Objects                / [ dir ]
>> Affected RPM Packages         gfs2-utils-0.1.25-1.el5 [application]
>>                               filesystem-2.4.0-1 [target]
>> Policy RPM                    selinux-policy-2.4.6-30.el5
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   plugins.allow_mount_anyfile
>> Host Name                     server.net
>> Platform                      Linux server.net 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
>> Alert Count                   14
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0 exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0 subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0
>>
>> --
>> Linux-cluster mailing list
>> Linux-cluster at redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-cluster
> 

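Added example, not code from this thread or from the gfs or SELinux projects: a small POSIX shell script that reads a mount-time AVC record and the kernel "getxattr errno" line the way the report above has to be read, and separates the case seen here (the new filesystem's root directory is unlabeled_t because the security xattr lookup on it failed, so the labels the policy expects from the filesystem are missing) from the ordinary denial that sealert's allow_mount_anyfile advice is written for (a labeled directory whose type lacks the mountpoint attribute). The two sample lines are constructed, modelled on the ones quoted above, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample records, modelled on the ones quoted in the thread;
# they are not the original audit or kernel messages.
SAMPLE_AVC='avc: denied { read } for comm="mount.gfs" dev=dm-2 exe="/sbin/mount.gfs2" exit=-13 name="/" pid=4802 scontext=user_u:system_r:mount_t:s0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 uid=0'
SAMPLE_KMSG='kernel: SELinux: (dev dm-2, type gfs) getxattr errno 13'

# avc_field LINE KEY: value of the KEY=value token (quotes removed), "" if absent.
# Keys are matched as whole tokens, so "uid" does not match "euid" or "fsuid".
avc_field() {
    key=$2; val=""
    set -f                                  # no glob expansion while splitting
    for tok in $1; do
        case $tok in
            "$key="*) val=${tok#*=}; break ;;
        esac
    done
    set +f
    printf '%s\n' "$val" | tr -d '"'
}

# avc_perms LINE: the permission set inside "{ ... }", e.g. "read" or "mounton".
avc_perms() {
    rest=${1#*\{ }
    printf '%s\n' "${rest%% \}*}"
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    rest=${1#*:*:}
    printf '%s\n' "${rest%%:*}"
}

# diagnose_mount_avc LINE: one-word verdict for a denial raised by a mount helper.
#   unlabeled-fs-root  target is "/" with type unlabeled_t: the filesystem's own
#                      root inode carried no SELinux label, which is what happens
#                      when the security xattr lookup fails on it. Setting
#                      allow_mount_anyfile does not change that (as the thread
#                      shows); look at filesystem xattr support and at how the
#                      policy declares the filesystem type (fs_use_xattr).
#   mountpoint-type    "mounton" denied against a labeled directory: the type lacks
#                      the mountpoint attribute; relabel it or use the boolean.
#   other              something else; read the raw record.
#   not-mount          the record did not come from mount or a mount.* helper.
diagnose_mount_avc() {
    line=$1
    comm=$(avc_field "$line" comm)
    case $comm in mount*) ;; *) printf 'not-mount\n'; return ;; esac
    tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    name=$(avc_field "$line" name)
    perms=$(avc_perms "$line")
    if [ "$tclass" = dir ] && [ "$ttype" = unlabeled_t ] && [ "$name" = / ]; then
        printf 'unlabeled-fs-root\n'
    elif [ "$tclass" = dir ] && [ "$perms" = mounton ] && [ "$ttype" != unlabeled_t ]; then
        printf 'mountpoint-type\n'
    else
        printf 'other\n'
    fi
}

# getxattr_failure LINE: "FSTYPE ERRNO" from a kernel
# "SELinux: (dev X, type FSTYPE) getxattr errno N" line, "" for any other line.
# Errno 13 (EACCES) means the filesystem refused the security.selinux lookup.
getxattr_failure() {
    line=$1
    case $line in
        *"SELinux: (dev "*", type "*") getxattr errno "*) ;;
        *) printf '\n'; return ;;
    esac
    fstype=${line#*, type }; fstype=${fstype%%)*}
    errno=${line##*getxattr errno }; errno=${errno%%[!0-9]*}
    printf '%s %s\n' "$fstype" "$errno"
}

verdict=$(diagnose_mount_avc "$SAMPLE_AVC")
printf 'AVC verdict: %s (comm=%s, pid=%s)\n' "$verdict" \
    "$(avc_field "$SAMPLE_AVC" comm)" "$(avc_field "$SAMPLE_AVC" pid)"
kx=$(getxattr_failure "$SAMPLE_KMSG")
if [ -n "$kx" ]; then
    printf 'kernel: getxattr failed with errno %s on a %s filesystem, so its root inode got no label\n' \
        "${kx#* }" "${kx%% *}"
fi
```

On a live system the two verdicts call for different follow-ups: for unlabeled-fs-root, mount the filesystem with SELinux in permissive mode and run `ls -Zd` on the mountpoint (it will show unlabeled_t while the labels are missing), and, if setools is installed, check with `seinfo --fs_use` how the policy declares the filesystem type, which is the policy change Ryan describes above; for mountpoint-type, the relabel or boolean that sealert suggests is the right fix.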