Thanks.
The problem was that I forgot to open port 3260/tcp on my node1 and node2. I opened that port on my nodes and result is:

Full List of Resources:
  * Resource Group: apache:
    * httpd_fs (ocf::heartbeat:Filesystem): Started
    * httpd_vip (ocf::heartbeat:IPaddr2): Started
    * httpd_ser (ocf::heartbeat:apache): Started

On Wednesday, April 7, 2021, 08:50:33 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:

On Wed, Apr 7, 2021 at 5:39 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
> Thank you.
> I'm using Fedora Server 33 and the output of your command is:
>
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> ----
> type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc: denied { name_bind } for pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0

This should be fixed soon:
https://bugzilla.redhat.com/show_bug.cgi?id=1935101

>
> On Tuesday, April 6, 2021, 02:37:59 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:
>
> On Sun, Apr 4, 2021 at 12:56 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
>> Hello,
>> I'm using Fedora Server as an iSCSI Shared Storage. When I rebooted my server then the "iscsi.service" couldn't load:
>>
>> [root@node3 ~]# systemctl status iscsi.service
>> ● iscsi.service - Login and scanning of iSCSI devices
>>      Loaded: loaded (/usr/lib/systemd/system/iscsi.service; enabled; vendor preset: enabled)
>>      Active: inactive (dead)
>>   Condition: start condition failed at Sat 2021-04-03 18:49:08 +0430; 2s ago
>>              └─ ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes was not met
>>        Docs: man:iscsiadm(8)
>>              man:iscsid(8)
>>
>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>> Apr 03 18:49:08 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>>
>> SELinux is enabled on my Fedora Server:
>>
>> # sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /sys/fs/selinux
>> SELinux root directory:         /etc/selinux
>> Loaded policy name:             targeted
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy MLS status:              enabled
>> Policy deny_unknown status:     allowed
>> Memory protection checking:     actual (secure)
>> Max kernel policy version:      33
>>
>> [root@node3 ~]# ps -eZ | grep iscsid_t
>> [root@node3 ~]#
>>
>> And when I looked at the log, then I saw below errors:
>>
>> # dmesg -H -l err
>> [Apr 4 15:05] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>> [ +0.000009] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>> [ +9.037994] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>> [ +0.000014] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>> [ +0.000798] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>> [ +0.000004] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>>
>> How can I configure SELinux for an iSCSI Shared Storage?
> Hi,
>
> Do you have any indication it was SELinux blocking some access? Can you look for AVCs in the audit log? Which Fedora version it is?
>
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>
>>
>> Thank you.
>>
>> _______________________________________________
>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Zdenek Pytela
> Security SELinux team

--
Zdenek Pytela
Security SELinux team
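
Added example (not part of the original thread, and not code from any poster): a small parser for `ausearch -i` AVC denial lines that filters by source domain, showing why the one denial in this thread (source type named_t) did not involve iscsid_t. The function names and the second sample record are constructed for illustration.

```python
import re

# Record copied from the thread (ausearch -i output).
THREAD_RECORD = (
    "type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc: denied { name_bind } "
    "for pid=693 comm=unbound-anchor src=61000 "
    "scontext=system_u:system_r:named_t:s0 "
    "tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0"
)
# Constructed record (not from the thread), only to show a positive match.
CONSTRUCTED_RECORD = (
    "type=AVC msg=audit(04/07/2021 20:01:02.100:150) : avc: denied { read write } "
    'for pid=901 comm="iscsid" name="nodes" '
    "scontext=system_u:system_r:iscsid_t:s0 "
    "tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the level itself may contain colons.
    for side, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = rec.get(side, "").split(":", 3)
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec


def denials_for_domain(text, domain):
    """Keep only denials whose source (process) domain is `domain`."""
    records = (parse_avc(line) for line in text.splitlines())
    return [r for r in records if r and r["source_type"] == domain]


if __name__ == "__main__":
    log = "----\n" + THREAD_RECORD + "\n----\n" + CONSTRUCTED_RECORD + "\n"
    for r in denials_for_domain(log, "iscsid_t"):
        print(r["comm"], r["perms"], r["target_type"], r["tclass"])
```

On a live system the input would be the text printed by the `ausearch -i -m avc,...` command quoted in the thread.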