[Linux-cluster] RHEL 5.3: Joining fence domain hangs when selinux is enabled

Ian Hayes cthulhucalling at gmail.com
Wed Aug 12 18:08:35 UTC 2009


There may be a dontaudit clause in either the base or the ccs modules. Try
inserting the enableaudit.pp module and see what happens. I'm not sure if
RHEL5.3 supports "semodule -DB" but that would turn off dontaudit also.

On Wed, Aug 12, 2009 at 10:50 AM, de Jong, MarkJan <deJongm at teoco.com> wrote:

> That’s just it. There are no logs being generated in audit.log. I’m
> pretty well versed in creating custom SELinux policies.
>
> I’ve reported on issues in the past where SELinux does not generate logs.
> It was a while ago and I have since forgotten what the resolution was, but it
> was fixed by the devs. I’ll be more than happy to file a bug report.
>
> Thx,
>
> M
>
> *From:* linux-cluster-bounces at redhat.com [mailto:
> linux-cluster-bounces at redhat.com] *On Behalf Of *Ian Hayes
> *Sent:* Wednesday, August 12, 2009 1:26 PM
> *To:* linux clustering
> *Subject:* Re: [Linux-cluster] RHEL 5.3: Joining fence domain hangs when
> selinux is enabled
>
> I'm assuming that you're running the Targeted policy and not the strict
> policy...
>
> RHEL5 has a module for ccs, but I haven't taken it apart. The files for
> fencing may be incorrectly labeled or the policy doesn't allow fenced to run
> correctly.
>
> Look at your /var/log/audit/audit.log files and see what's being denied.
> You may want to install sealert and setroubleshootd so you can browse the
> messages. First, check the file contexts of the files that are appearing in
> your audit logs.  Nothing should be default_t. If anything looks out of
> whack, try restoring the correct file contexts with restorecon and see if
> the file contexts have changed.  If you're feeling brave, you can start
> writing a custom policy module to permit fenced to start up.
>
> The audit logs will tell you everything, and where you will need to start.
> I managed to knock out a policy for 389Server in about an hour, but I had
> the benefit of just coming back from Red Hat's SELinux class.
>
> On Wed, Aug 12, 2009 at 9:15 AM, de Jong, MarkJan <deJongm at teoco.com>
> wrote:
>
> It seems that with selinux enabled, fencing hangs during ‘service cman
> start’.
>
> When selinux is set to enforcing, the cman startup script hangs at
> “Starting fencing ….” and never times out.
>
> There are NO logs related to the event in /var/log/audit/audit.log, nor
> anything telling in /var/log/messages. ‘fence_tool dump’ also does not
> provide any further details.
>
> After setting selinux to permissive, fencing starts up without incident.
>
> I’m using the following packages:
>
> kernel-xen-2.6.18-128.4.1.el5
> cman-2.0.98-1.el5_3.4
>
> Let me know if I can provide any further info.
>
> thanks,
>
> Mark de Jong
>
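
Added example, not part of the original thread: once the dontaudit rules are turned off as suggested above and the hang is reproduced, denials should start appearing in audit.log, and a small filter like this groups them and flags targets labeled default_t, which the thread says should never appear. The sample records are constructed; `example_t`, the file names and the ids are placeholders, not values from the poster's system.

```shell
#!/bin/sh
# Added example: summarize AVC denials and flag default_t targets.

# Constructed sample records; example_t, the paths and ids are placeholders.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1250100515.101:41): avc:  denied  { read write } for  pid=2301 comm="fenced" name="example.sock" dev=dm-0 ino=1201 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1250100515.101:41): arch=c000003e syscall=42 success=no exit=-13 comm="fenced" exe="/sbin/fenced"
type=AVC msg=audit(1250100516.220:42): avc:  denied  { getattr } for  pid=2301 comm="fenced" path="/var/run/example.pid" dev=dm-0 ino=1202 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1250100517.300:43): avc:  denied  { read write } for  pid=2301 comm="fenced" name="example.sock" dev=dm-0 ino=1201 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
EOF
}

# Reads audit records on stdin and prints one line per distinct denial:
#   count comm source_type target_type class {perms} [RELABEL?]
summarize_avc() {
    awk '
    $1 == "type=AVC" && /denied/ {
        comm = src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }   # third field is the type
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Permissions sit between "{ " and " }" in the record.
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 2, b - a - 3)
        key = comm " " src " " tgt " " cls " {" perms "}"
        if (!(key in count)) order[++n] = key   # remember first-seen order
        count[key]++
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]; split(k, f, " ")
            # A default_t target points at a mislabeled file, not a missing rule.
            flag = (f[3] == "default_t") ? " RELABEL?" : ""
            printf "%d %s%s\n", count[k], k, flag
        }
    }'
}

# On a real host: summarize_avc < /var/log/audit/audit.log
sample_audit_log | summarize_avc
```

Lines marked RELABEL? are candidates for restorecon before any custom policy module is written; the rest are what a module would have to allow.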