On Mon, Mar 07, 2011 at 11:10:08PM +0100, Gianluca Cecchi wrote:
> On Mon, 7 Mar 2011 16:52:00 -0500 Lon Hohberger wrote:
>
> > Check /var/log/audit/audit.log for an AVC denial around self:capability
> > setpcap for xm_t?
>
> Uhm,
> SElinux is disabled on both nodes (I'll cross check tomorrow anyway)
> and auditd is chkconfig off too (even if I notice in rh el 6 many
> audit messages related to cron writing in /var/log/messages...)
> Could it be of any help an "strace -f" of the virsh command where I
> can see the ssh and netcat forked calls but am not able to identify
> the point where eventually there is something strange?
>

Nothing comes to mind; in my RHEL6 development cluster, I have a custom
SELinux policy:

#==== cut
module clusterlocal 1.0;

require {
        type xm_t;
        type debugfs_t;
        type fenced_t;
        type mount_t;
        type telnetd_port_t;
        class capability setpcap;
        class tcp_socket name_connect;
        class dir mounton;
}

allow fenced_t telnetd_port_t:tcp_socket name_connect;
allow mount_t debugfs_t:dir mounton;
allow xm_t self:capability setpcap;
#=== end cut

And the following firewall rules:

-A INPUT -p tcp -m state --state NEW -m multiport --dports 21064 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 11111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

I'm using bridging (as documented in the RHEL6 documentation) and
everything pretty much just works.

Are you seeing any other notable behaviors, besides the migration failing?

-- 
Lon Hohberger - Red Hat, Inc.
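
The audit.log check suggested in the message above, as an added example that is not part of the original thread: it scans audit records for AVC denials and reduces them to the allow rules a local policy module like the one quoted would need. The log lines are constructed samples, and the names `denials`, `allow_rules` and `has_denial` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1299535808.101:41): avc:  denied  { setpcap } for  pid=4211 comm="xm" capability=8  scontext=system_u:system_r:xm_t:s0 tcontext=system_u:system_r:xm_t:s0 tclass=capability
type=SYSCALL msg=audit(1299535808.101:41): arch=c000003e syscall=126 success=no exit=-1 comm="xm"
type=AVC msg=audit(1299535811.530:42): avc:  denied  { name_connect } for  pid=4302 comm="fence_apc" dest=23 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:telnetd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1299535812.007:43): avc:  denied  { mounton } for  pid=4310 comm="mount" path="/sys/kernel/debug" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=AVC msg=audit(1299535820.222:44): avc:  denied  { setpcap } for  pid=4399 comm="xm" capability=8  scontext=system_u:system_r:xm_t:s0 tcontext=system_u:system_r:xm_t:s0 tclass=capability
"""

# Captures the permission list, the type field of both contexts
# (user:role:type[:level]) and the object class of one AVC denial record.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"\sscontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*"
    r"\s+tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*"
    r"\s+tclass=(?P<tclass>\S+)"
)

def denials(log_text):
    """Yield (source_type, target, tclass, perm) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m is None:
            continue  # SYSCALL records, granted messages, malformed lines
        # A denial of a domain acting on itself is written as "self".
        tgt = "self" if m["tgt"] == m["src"] else m["tgt"]
        for perm in m["perms"].split():
            yield (m["src"], tgt, m["tclass"], perm)

def allow_rules(log_text):
    """Collapse repeated denials into sorted, de-duplicated allow rules."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in denials(log_text):
        grouped[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

def has_denial(log_text, src, tgt, tclass, perm):
    """True if the log contains the given denial, e.g. xm_t self:capability setpcap."""
    return (src, tgt, tclass, perm) in set(denials(log_text))

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```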