Charles_McKinnis@xxxxxxxx wrote:
I am having issues with a server running gfs and an SELinux error. When
/etc/init.d/gfs start or service gfs start is run, it results in a
SELinux denial. If mount -a -t gfs is run as root it works fine. The
scripts also work if setenforce 0 is used. Running setsebool -P
allow_mount_anyfile=1 does not fix the problem (as seen in sealert),
although it is set.
What selinux policy are you using? The policy must be such that gfs (or
gfs2) is declared to support/use selinux xattrs.
# cat /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
/dev/hda /media/cdrecorder auto pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0
/dev/winchester/array /opt/winchester gfs rw,localflocks,localcaching,oopses_ok 0 0
# /etc/init.d/gfs stop
Mounting GFS filesystems: /sbin/mount.gfs: error 13 mounting /dev/winchester/array on /opt/winchester
# tail /var/log/messages
Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster "lock_nolock", "dm-2"
Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting FS...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying to acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Looking at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to acquire journal lock...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Looking at journal...
Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done
Aug 28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs) getxattr errno 13
Aug 28 11:56:26 ronnie-vidrine setroubleshoot: SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory "/" (type "unlabeled_t"). For complete SELinux messages. run sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
# sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
Summary
SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory "/" (type "unlabeled_t").
Detailed Description
SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on the file or directory "/" of type "unlabeled_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "unlabeled_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.
Allowing Access
Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1
Additional Information
Source Context user_u:system_r:mount_t
Target Context system_u:object_r:unlabeled_t
Target Objects / [ dir ]
Affected RPM Packages gfs2-utils-0.1.25-1.el5 [application] filesystem-2.4.0-1 [target]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_mount_anyfile
Host Name server.net
Platform Linux server.net 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count 14
Line Numbers
Raw Audit Messages
avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0 exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0 subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0
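As an added illustration (not part of the thread), the small Python parser below reads the raw AVC record from the sealert output above and reports why the suggested boolean does not match this denial: the sealert text says allow_mount_anyfile permits "mounting on any file or directory" (the mounton check), while the denied permission is read on a dir whose type is unlabeled_t, which together with the "getxattr errno 13" kernel message points at the filesystem's xattr/labeling declaration in policy, as the reply says. The sample AVC line is copied from the post; the field names are the standard audit key=value format.

```python
import re

# Sample input: the raw AVC record from the sealert output in this thread, rejoined onto one line.
SAMPLE_AVC = (
    'avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0 '
    'exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" '
    'pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0 '
    'subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0'
)

AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare_value


def parse_avc(line):
    """Return a dict of the AVC fields; 'perms' is the list of permissions in the braces."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return fields


def context_type(context):
    """user:role:type[:level] -> type (the part access rules are written against)."""
    return context.split(":")[2]


def diagnose(line):
    """Classify the denial before reaching for the boolean sealert proposes."""
    f = parse_avc(line)
    src, tgt = context_type(f["scontext"]), context_type(f["tcontext"])
    findings = []
    # allow_mount_anyfile only widens the 'mounton' check on the mount point (per the sealert text).
    if "mounton" in f["perms"]:
        findings.append("mounton denied: allow_mount_anyfile is the relevant boolean")
    else:
        findings.append("denied perms %s are not mounton: allow_mount_anyfile will not help" % f["perms"])
    # unlabeled_t on the mounted filesystem's root means it received no label at mount time;
    # check whether policy declares this filesystem type as supporting SELinux xattrs.
    if tgt == "unlabeled_t":
        findings.append("target on dev=%s is unlabeled_t: check the policy's xattr/fs_use declaration for the fs type" % f.get("dev"))
    return {"source_type": src, "target_type": tgt, "tclass": f["tclass"], "perms": f["perms"], "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_AVC)["findings"]:
        print(finding)
```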
--
Linux-cluster mailing list
Linux-cluster@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/linux-cluster