On 03/12/2013 02:57 PM, Alan Orth wrote:
> All,
>
> I just learned how to create a new module to allow this request. In a
> nutshell, use audit2allow to check the audit log and create a new
> module, see [1] and [2]. My exact steps:
>
> mkdir ~/selinux_gluster
> cd ~/selinux_gluster
> setenforce 0
> load_policy
> service netfs start
> audit2allow -M glusterd_centos64 -l -i /var/log/audit/audit.log
> setenforce 1
> semodule -i glusterd_centos64.pp
> service netfs start
>
> More precisely, what you are doing is:
>
> 1. setting selinux to permissive mode
> 2. re-loading the policy to get a clean "starting point"
> 3. performing the actions which are being denied
> 4. creating a module
> 5. re-enabling selinux enforcing mode
> 6. loading the new selinux module (which, after loading, is copied into
> /etc/selinux/targeted/modules/active/modules/ and will persist after
> reboot)
> 7. gluster should now be able to mount via /etc/fstab on boot, or via
> the netfs service, etc (ie, not manually as root).
>
> Hope this helps some future traveler,
>
> Alan
>
> [1] http://fedorasolved.org/security-solutions/selinux-module-building
> [2] man audit2allow
>
> On 03/12/2013 11:32 AM, Alan Orth wrote:
>> All,
>>
>> I've updated one of my GlusterFS clients from CentOS 6.3 to CentOS 6.4
>> and now my gluster volumes fail to mount at boot. dmesg shows:
>>
>> type=1400 audit(1363004014.209:4): avc: denied { execute } for
>> pid=1150 comm="mount.glusterfs" name="glusterfsd" dev=sda1 ino=1315297
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
>>
>> Mounting manually as root works, but obviously isn't optimal.
>>
>> Does anyone know how to fix this?
>>
>> Thanks!
>>
>
> --
> Alan Orth
> alan.orth at gmail.com
> http://alaninkenya.org
> http://mjanja.co.ke
> "I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone."
> -Bjarne Stroustrup, inventor of C++

This should be fixed with the latest SELinux policy update, which was out for Red Hat Enterprise Linux today - selinux-policy-targeted-3.7.19-195.el6_4.3.noarch, selinux-policy-3.7.19-195.el6_4.3.noarch .

--
Regards,

Rejy M Cyriac (rmc)