Thank you.
The problem was that I must turn on the iSCSI Shared Storage before the other nodes.

On Thursday, April 8, 2021, 12:20:39 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:

On Wed, Apr 7, 2021 at 7:38 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
> Sorry, problem not solved.
> When I restarted my servers, then that problem appeared again. Thus, is it a bug?

Which problem reappeared? Are there any AVC/USER_AVC denials?

>
> On Wednesday, April 7, 2021, 09:40:35 PM GMT+4:30, Jason Long <hack3rcon@xxxxxxxxx> wrote:
>
> Thanks.
> The problem was that I forgot to open port 3260/tcp on my node1 and node2. I opened that port on my nodes and the result is:
>
> Full List of Resources:
>   * Resource Group: apache:
>     * httpd_fs (ocf::heartbeat:Filesystem): Started
>     * httpd_vip (ocf::heartbeat:IPaddr2): Started
>     * httpd_ser (ocf::heartbeat:apache): Started
>
> On Wednesday, April 7, 2021, 08:50:33 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:
>
> On Wed, Apr 7, 2021 at 5:39 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
>> Thank you.
>> I'm using Fedora Server 33 and the output of your command is:
>>
>> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>> ----
>> type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc: denied { name_bind } for pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0
>
> This should be fixed soon:
> https://bugzilla.redhat.com/show_bug.cgi?id=1935101
>
>>
>> On Tuesday, April 6, 2021, 02:37:59 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote:
>>
>> On Sun, Apr 4, 2021 at 12:56 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
>>> Hello,
>>> I'm using Fedora Server as an iSCSI Shared Storage. When I rebooted my server then the "iscsi.service" couldn't load:
>>>
>>> [root@node3 ~]# systemctl status iscsi.service
>>> ● iscsi.service - Login and scanning of iSCSI devices
>>>      Loaded: loaded (/usr/lib/systemd/system/iscsi.service; enabled; vendor preset: enabled)
>>>      Active: inactive (dead)
>>>   Condition: start condition failed at Sat 2021-04-03 18:49:08 +0430; 2s ago
>>>              └─ ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes was not met
>>>        Docs: man:iscsiadm(8)
>>>              man:iscsid(8)
>>>
>>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>>> Apr 03 18:49:08 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>>>
>>> SELinux is enabled on my Fedora Server:
>>>
>>> # sestatus
>>> SELinux status:                 enabled
>>> SELinuxfs mount:                /sys/fs/selinux
>>> SELinux root directory:         /etc/selinux
>>> Loaded policy name:             targeted
>>> Current mode:                   enforcing
>>> Mode from config file:          enforcing
>>> Policy MLS status:              enabled
>>> Policy deny_unknown status:     allowed
>>> Memory protection checking:     actual (secure)
>>> Max kernel policy version:      33
>>>
>>> [root@node3 ~]# ps -eZ | grep iscsid_t
>>> [root@node3 ~]#
>>>
>>> And when I looked at the log, I saw the errors below:
>>>
>>> # dmesg -H -l err
>>> [Apr 4 15:05] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>>> [ +0.000009] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>>> [ +9.037994] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>>> [ +0.000014] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>>> [ +0.000798] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>>> [ +0.000004] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>>>
>>> How can I configure SELinux for an iSCSI Shared Storage?
>>
>> Hi,
>>
>> Do you have any indication it was SELinux blocking some access? Can you look for AVCs in the audit log? Which Fedora version is it?
>>
>> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>>
>>>
>>> Thank you.
>>>
>>> _______________________________________________
>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>>
>>
>> --
>> Zdenek Pytela
>> Security SELinux team
>
> --
> Zdenek Pytela
> Security SELinux team

--
Zdenek Pytela
Security SELinux team
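
Added example, not part of the original thread: a small shell filter for the `ausearch -i` output requested above. It summarises each AVC denial and keeps only those whose source domain matches, for instance the `iscsid_t` domain that was checked with `ps -eZ`. The function names and the second sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example. Record 1 is the AVC quoted in the thread; record 2 is
# constructed to show what a denial from the iSCSI daemon domain would look like.
SAMPLE_AVC='type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc: denied { name_bind } for pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(04/07/2021 20:01:02.100:150) : avc: denied { read } for pid=812 comm=iscsid name=nodes scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0'

# Read ausearch text on stdin and print one line per denial:
#   <source type> <comm> { <perms> } <target type>:<class>
avc_summary() {
    awk '
    /type=(AVC|USER_AVC)/ && / denied / {
        perms = $0
        sub(/^.*[{] */, "", perms)      # drop everything up to the opening brace
        sub(/ *[}].*$/, "", perms)      # drop the closing brace and the rest
        comm = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            gsub(/"/, "", val)          # raw (non -i) output quotes comm
            if (key == "comm") comm = val
            else if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
            else if (key == "tclass") cls = val
        }
        printf "%s %s { %s } %s:%s\n", src, comm, perms, tgt, cls
    }'
}

# Keep only denials whose source domain (SELinux type of the process) is $1.
avc_for_domain() {
    avc_summary | awk -v d="$1" '$1 == d'
}

# On a live system:
#   ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today | avc_for_domain iscsid_t
# Demo on the embedded sample:
printf '%s\n' "$SAMPLE_AVC" | avc_for_domain iscsid_t
```

Run against only the record from the thread, the `iscsid_t` filter prints nothing: the single denial reported there comes from `unbound-anchor` running as `named_t`.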