The SELinux policy is set to Enabled/Enforcing. I am not sure how to check the gfs/gfs2 policy. Can I check it from the shell?

Thank you,
Charles

-----Original Message-----
From: linux-cluster-bounces@xxxxxxxxxx [mailto:linux-cluster-bounces@xxxxxxxxxx] On Behalf Of Ryan O'Hara
Sent: Tuesday, August 28, 2007 1:44 PM
To: linux clustering
Subject: Re: GFS, SELinux denial

Charles_McKinnis@xxxxxxxx wrote:
> I am having issues with a server running gfs and an SELinux error.
> When /etc/init.d/gfs start or service gfs start is run, it results in
> a SELinux denial. If mount -a -t gfs is run as root it works fine. The
> scripts also work if setenforce 0 is used. Running setsebool -P
> allow_mount_anyfile=1 does not fix the problem (as seen in sealert),
> although it is set.

What selinux policy are you using? The policy must be such that gfs (or gfs2) are declared to support/use selinux xattrs.

> # cat /etc/fstab
> /dev/VolGroup00/LogVol00 /                 ext3    defaults        1 1
> LABEL=/boot              /boot             ext3    defaults        1 2
> devpts                   /dev/pts          devpts  gid=5,mode=620  0 0
> tmpfs                    /dev/shm          tmpfs   defaults        0 0
> proc                     /proc             proc    defaults        0 0
> sysfs                    /sys              sysfs   defaults        0 0
> /dev/VolGroup00/LogVol01 swap              swap    defaults        0 0
> /dev/hda                 /media/cdrecorder auto    pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0
> /dev/winchester/array    /opt/winchester   gfs     rw,localflocks,localcaching,oopses_ok 0 0
>
> # /etc/init.d/gfs stop
> Mounting GFS filesystems: /sbin/mount.gfs: error 13 mounting /dev/winchester/array on /opt/winchester
>
> # tail /var/log/messages
> Aug 28 11:56:24 ronnie-vidrine kernel: Trying to join cluster "lock_nolock", "dm-2"
> Aug 28 11:56:24 ronnie-vidrine kernel: Joined cluster. Now mounting FS...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Trying to acquire journal lock...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Looking at journal...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=0: Done
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Trying to acquire journal lock...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Looking at journal...
> Aug 28 11:56:24 ronnie-vidrine kernel: GFS: fsid=dm-2.0: jid=1: Done
> Aug 28 11:56:24 ronnie-vidrine kernel: SELinux: (dev dm-2, type gfs) getxattr errno 13
> Aug 28 11:56:26 ronnie-vidrine setroubleshoot: SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory "/" (type "unlabeled_t"). For complete SELinux messages. run sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
>
> # sealert -l c3fabd9a-3aac-4af4-aa26-300e19aab70e
> Summary
> SELinux prevented /sbin/mount.gfs2 from mounting on the file or directory "/" (type "unlabeled_t").
>
> Detailed Description
> SELinux prevented /sbin/mount.gfs2 from mounting a filesystem on the file or directory "/" of type "unlabeled_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "unlabeled_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory.
>
> Allowing Access
> Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1."
>
> The following command will allow this access:
> setsebool -P allow_mount_anyfile=1
>
> Additional Information
>
> Source Context                user_u:system_r:mount_t
> Target Context                system_u:object_r:unlabeled_t
> Target Objects                / [ dir ]
> Affected RPM Packages         gfs2-utils-0.1.25-1.el5 [application]
>                               filesystem-2.4.0-1 [target]
> Policy RPM                    selinux-policy-2.4.6-30.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.allow_mount_anyfile
> Host Name                     server.net
> Platform                      Linux server.net 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
> Alert Count                   14
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0 exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0 subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0
>
> --
> Linux-cluster mailing list
> Linux-cluster@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/linux-cluster
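As an added example that is not part of the thread, the script below answers the "can I check it from the shell" question from the defender's side: it parses the raw AVC record quoted above into its fields, reads the source/target types, and maps the denial to a verdict plus a shell check. The device-matching heuristic in triage() and the tool names in CHECKS (seinfo, getsebool, ls -Z, restorecon) are this example's assumptions, not anything the list reply prescribes.

```python
import re
import shlex

# Constructed copy of the AVC record quoted in the thread (whitespace normalised).
AVC_LINE = (
    'avc: denied { read } for comm="mount.gfs" dev=dm-2 egid=0 euid=0 '
    'exe="/sbin/mount.gfs2" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" '
    'pid=4802 scontext=user_u:system_r:mount_t:s0 sgid=0 '
    'subj=user_u:system_r:mount_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:unlabeled_t:s0 tty=pts1 uid=0'
)
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$')

def parse_avc(line):
    """Split one AVC record into result, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    fields = {'result': m.group(1), 'perms': m.group(2).split()}
    for token in shlex.split(m.group(3)):  # shlex drops the "..." quoting
        key, _, value = token.partition('=')
        fields[key] = value
    return fields

def context_type(ctx):
    """user:role:type[:range] -> type, the component policy rules key on."""
    return ctx.split(':')[2]

def triage(fields, mounted_dev=None):
    """Classify a mount_t denial on a dir.  If the denied inode sits on the
    device being mounted (dm-2 here), the unlabeled_t is the new filesystem's
    own root: the policy has no labeling (fs_use) rule for that fs type, as
    the reply suggests, and the allow_mount_anyfile boolean cannot help."""
    stype, ttype = context_type(fields['scontext']), context_type(fields['tcontext'])
    if fields['result'] != 'denied' or stype != 'mount_t' or fields.get('tclass') != 'dir':
        return 'not-a-mount-denial'
    if ttype != 'unlabeled_t':
        return 'mountpoint-type-needs-mountpoint-attr'  # sealert's advice fits here
    if mounted_dev and fields.get('dev') == mounted_dev:
        return 'fs-type-lacks-selinux-labeling-support'
    return 'mountpoint-unlabeled'

# Shell checks per verdict (tool names assumed: setools' seinfo, getsebool, ls -Z, restorecon).
CHECKS = {
    'fs-type-lacks-selinux-labeling-support': 'seinfo --fs_use | grep -w gfs',
    'mountpoint-unlabeled': 'ls -dZ /opt/winchester && restorecon -v /opt/winchester',
    'mountpoint-type-needs-mountpoint-attr': 'getsebool allow_mount_anyfile',
}

print(triage(parse_avc(AVC_LINE), mounted_dev='dm-2'))  # -> fs-type-lacks-selinux-labeling-support
```

Run it against lines pulled from /var/log/audit/audit.log with `grep 'avc: ' | grep mount_t` to see which verdict each mount denial falls under before touching booleans or labels.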