Bug 1134883
| Summary: | SELinux with Pacemaker and DRBD leads to AVC denieds | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | jkortus, jzarsky, ksrot, lvrabec, mgrepl, mkolaja, mmalik, ovasik, pandrade, redhat-bugzilla, redhat, robert.scheck, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-133.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1235055 | Environment: | |
| Last Closed: | 2017-08-01 15:10:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1205796, 1235055, 1295396 | | |
| Attachments: | | | |
Ah, SELinux boolean daemons_enable_cluster_mode only avoids "allow drbd_t cluster_var_lib_t:dir write;" from what I can see.

type=AVC msg=audit(1409227821.850:252395): avc: denied { open } for pid=33583 comm="drbd" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227821.850:252395): arch=c000003e syscall=2 success=no exit=-13 a0=7f66ff07ad8a a1=80000 a2=1b6 a3=0 items=0 ppid=18989 pid=33583 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227821.876:252396): avc: denied { sys_admin } for pid=33605 comm="drbdsetup-84" capability=21 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1409227821.876:252396): arch=c000003e syscall=1 success=yes exit=44 a0=3 a1=1161080 a2=2c a3=ffffffe0 items=0 ppid=33583 pid=33605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup-84" exe="/usr/lib/drbd/drbdsetup-84" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227821.878:252397): avc: denied { open } for pid=33606 comm="crm_master" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227821.878:252397): arch=c000003e syscall=2 success=no exit=-13 a0=7fe4e249dd8a a1=80000 a2=1b6 a3=0 items=0 ppid=33583 pid=33606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_master" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227821.882:252398): avc: denied { open } for pid=33608 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227821.882:252398): arch=c000003e syscall=2 success=no exit=-13 a0=7fff761b5be2 a1=441 a2=1b6 a3=7fff761b3aa0 items=0 ppid=33606 pid=33608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227821.885:252399): avc: denied { search } for pid=33608 comm="crm_node" name="/" dev="tmpfs" ino=10245 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1409227821.885:252399): arch=c000003e syscall=2 success=no exit=-13 a0=7fff761aeaa0 a1=2 a2=180 a3=7fff761ae6c0 items=0 ppid=33606 pid=33608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227821.888:252400): avc: denied { search } for pid=33608 comm="crm_node" name="/" dev="tmpfs" ino=10245 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1409227821.888:252400): arch=c000003e syscall=2 success=no exit=-13 a0=7fff761aeb60 a1=2 a2=180 a3=25 items=0 ppid=33606 pid=33608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227822.890:252401): avc: denied { search } for pid=33608 comm="crm_node" name="/" dev="tmpfs" ino=10245 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1409227822.890:252401): arch=c000003e syscall=2 success=no exit=-13 a0=7fff761aeb60 a1=2 a2=180 a3=25 items=0 ppid=33606 pid=33608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227824.893:252402): avc: denied { search } for pid=33608 comm="crm_node" name="/" dev="tmpfs" ino=10245 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1409227824.893:252402): arch=c000003e syscall=2 success=no exit=-13 a0=7fff761aeb60 a1=2 a2=180 a3=25 items=0 ppid=33606 pid=33608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227827.895:252403): avc: denied { search } for pid=33608 comm="crm_node" name="/" dev="tmpfs" ino=10245 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1409227827.895:252403): arch=c000003e syscall=2 success=no exit=-13 a0=7fff761aeb60 a1=2 a2=180 a3=25 items=0 ppid=33606 pid=33608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227831.899:252404): avc: denied { search } for pid=33608 comm="crm_node" name="/" dev="tmpfs" ino=10245 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1409227831.899:252404): arch=c000003e syscall=2 success=no exit=-13 a0=7fff761aeb60 a1=2 a2=180 a3=25 items=0 ppid=33606 pid=33608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227977.446:252566): avc: denied { getattr } for pid=33979 comm="drbd" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227977.446:252566): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff0849c380 a2=7fff0849c380 a3=0 items=0 ppid=18989 pid=33979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227977.481:252567): avc: denied { getattr } for pid=34002 comm="crm_master" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227977.481:252567): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff29ecbf40 a2=7fff29ecbf40 a3=0 items=0 ppid=33979 pid=34002 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_master" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227977.486:252568): avc: denied { open } for pid=34004 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227977.486:252568): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaacd4b7e a1=441 a2=1b6 a3=7fffaacd31a0 items=0 ppid=34002 pid=34004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227977.490:252569): avc: denied { read write } for pid=34004 comm="crm_node" name="qb-cpg-request-18971-34004-27-header" dev="tmpfs" ino=2681801 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227977.490:252569): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaacce1a0 a1=2 a2=180 a3=7fffaaccddc0 items=0 ppid=34002 pid=34004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227977.494:252570): avc: denied { read write } for pid=34004 comm="crm_node" name="qb-cmap-request-18971-34004-27-header" dev="tmpfs" ino=2681810 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227977.494:252570): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaacce260 a1=2 a2=180 a3=25 items=0 ppid=34002 pid=34004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227978.496:252571): avc: denied { read write } for pid=34004 comm="crm_node" name="qb-cmap-request-18971-34004-27-header" dev="tmpfs" ino=2681817 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227978.496:252571): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaacce260 a1=2 a2=180 a3=25 items=0 ppid=34002 pid=34004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227980.499:252572): avc: denied { read write } for pid=34004 comm="crm_node" name="qb-cmap-request-18971-34004-27-header" dev="tmpfs" ino=2691325 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227980.499:252572): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaacce260 a1=2 a2=180 a3=25 items=0 ppid=34002 pid=34004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227983.502:252573): avc: denied { read write } for pid=34004 comm="crm_node" name="qb-cmap-request-18971-34004-27-header" dev="tmpfs" ino=2681824 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227983.502:252573): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaacce260 a1=2 a2=180 a3=25 items=0 ppid=34002 pid=34004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227985.111:252574): avc: denied { getattr } for pid=34006 comm="drbd" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227985.111:252574): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff96ed1dd0 a2=7fff96ed1dd0 a3=0 items=0 ppid=18989 pid=34006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227985.144:252575): avc: denied { getattr } for pid=34029 comm="crm_master" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227985.144:252575): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff91b9dbf0 a2=7fff91b9dbf0 a3=0 items=0 ppid=34006 pid=34029 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_master" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227985.150:252576): avc: denied { open } for pid=34031 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227985.150:252576): arch=c000003e syscall=2 success=no exit=-13 a0=7fff97155b7e a1=441 a2=1b6 a3=7fff97155010 items=0 ppid=34029 pid=34031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227985.153:252577): avc: denied { read write } for pid=34031 comm="crm_node" name="qb-cpg-request-18971-34031-27-header" dev="tmpfs" ino=2691332 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227985.153:252577): arch=c000003e syscall=2 success=no exit=-13 a0=7fff97150010 a1=2 a2=180 a3=7fff9714fc30 items=0 ppid=34029 pid=34031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227985.156:252578): avc: denied { read write } for pid=34031 comm="crm_node" name="qb-cmap-request-18971-34031-27-header" dev="tmpfs" ino=2691341 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227985.156:252578): arch=c000003e syscall=2 success=no exit=-13 a0=7fff971500d0 a1=2 a2=180 a3=25 items=0 ppid=34029 pid=34031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227986.158:252579): avc: denied { read write } for pid=34031 comm="crm_node" name="qb-cmap-request-18971-34031-27-header" dev="tmpfs" ino=2691348 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227986.158:252579): arch=c000003e syscall=2 success=no exit=-13 a0=7fff971500d0 a1=2 a2=180 a3=25 items=0 ppid=34029 pid=34031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227987.505:252580): avc: denied { read write } for pid=34004 comm="crm_node" name="qb-cmap-request-18971-34004-27-header" dev="tmpfs" ino=2691355 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227987.505:252580): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaacce260 a1=2 a2=180 a3=25 items=0 ppid=34002 pid=34004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227988.161:252581): avc: denied { read write } for pid=34031 comm="crm_node" name="qb-cmap-request-18971-34031-27-header" dev="tmpfs" ino=2681831 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227988.161:252581): arch=c000003e syscall=2 success=no exit=-13 a0=7fff971500d0 a1=2 a2=180 a3=25 items=0 ppid=34029 pid=34031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227991.163:252582): avc: denied { read write } for pid=34031 comm="crm_node" name="qb-cmap-request-18971-34031-27-header" dev="tmpfs" ino=2691362 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227991.163:252582): arch=c000003e syscall=2 success=no exit=-13 a0=7fff971500d0 a1=2 a2=180 a3=25 items=0 ppid=34029 pid=34031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.511:252583): avc: denied { open } for pid=34032 comm="crm_attribute" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.511:252583): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5fdddb74 a1=441 a2=1b6 a3=7fff5fddbe40 items=0 ppid=34002 pid=34032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.513:252584): avc: denied { read write } for pid=34032 comm="crm_attribute" name="qb-cib_rw-request-18987-34032-13-header" dev="tmpfs" ino=2682686 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.513:252584): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5fdd7090 a1=2 a2=180 a3=7fff5fdd6cb0 items=0 ppid=34002 pid=34032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.516:252585): avc: denied { create } for pid=34034 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409227992.516:252585): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=3e items=0 ppid=33979 pid=34034 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.518:252586): avc: denied { open } for pid=33979 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.518:252586): arch=c000003e syscall=2 success=no exit=-13 a0=1f30710 a1=441 a2=1b6 a3=1 items=0 ppid=18989 pid=33979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.518:252587): avc: denied { open } for pid=33979 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.518:252587): arch=c000003e syscall=2 success=no exit=-13 a0=1f30710 a1=401 a2=1b6 a3=1 items=0 ppid=18989 pid=33979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.522:252588): avc: denied { create } for pid=34040 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409227992.522:252588): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=1a items=0 ppid=33979 pid=34040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.524:252589): avc: denied { open } for pid=33979 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.524:252589): arch=c000003e syscall=2 success=no exit=-13 a0=1f2f640 a1=441 a2=1b6 a3=21 items=0 ppid=18989 pid=33979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.524:252590): avc: denied { open } for pid=33979 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.524:252590): arch=c000003e syscall=2 success=no exit=-13 a0=1f2f640 a1=401 a2=1b6 a3=21 items=0 ppid=18989 pid=33979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.528:252591): avc: denied { create } for pid=34046 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409227992.528:252591): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=1d items=0 ppid=33979 pid=34046 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.530:252592): avc: denied { open } for pid=33979 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.530:252592): arch=c000003e syscall=2 success=no exit=-13 a0=1f30710 a1=441 a2=1b6 a3=1 items=0 ppid=18989 pid=33979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227992.530:252593): avc: denied { open } for pid=33979 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227992.530:252593): arch=c000003e syscall=2 success=no exit=-13 a0=1f30710 a1=401 a2=1b6 a3=1 items=0 ppid=18989 pid=33979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227995.167:252594): avc: denied { read write } for pid=34031 comm="crm_node" name="qb-cmap-request-18971-34031-27-header" dev="tmpfs" ino=2681838 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227995.167:252594): arch=c000003e syscall=2 success=no exit=-13 a0=7fff971500d0 a1=2 a2=180 a3=25 items=0 ppid=34029 pid=34031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227998.139:252595): avc: denied { getattr } for pid=34059 comm="drbd" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227998.139:252595): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fffef7ac480 a2=7fffef7ac480 a3=0 items=0 ppid=18989 pid=34059 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227998.169:252596): avc: denied { getattr } for pid=34082 comm="crm_master" path="/etc/passwd" dev="sda1" ino=787545 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1409227998.169:252596): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff74d449d0 a2=7fff74d449d0 a3=0 items=0 ppid=34059 pid=34082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_master" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227998.174:252597): avc: denied { open } for pid=34084 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409227998.174:252597): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbe8f3be2 a1=441 a2=1b6 a3=7fffbe8f28d0 items=0 ppid=34082 pid=34084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227998.177:252598): avc: denied { read write } for pid=34084 comm="crm_node" name="qb-cpg-request-18971-34084-27-header" dev="tmpfs" ino=2691369 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227998.177:252598): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbe8ed8d0 a1=2 a2=180 a3=7fffbe8ed4f0 items=0 ppid=34082 pid=34084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227998.180:252599): avc: denied { read write } for pid=34084 comm="crm_node" name="qb-cmap-request-18971-34084-27-header" dev="tmpfs" ino=2691378 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227998.180:252599): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbe8ed990 a1=2 a2=180 a3=25 items=0 ppid=34082 pid=34084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409227999.183:252600): avc: denied { read write } for pid=34084 comm="crm_node" name="qb-cmap-request-18971-34084-27-header" dev="tmpfs" ino=2681845 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409227999.183:252600): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbe8ed990 a1=2 a2=180 a3=25 items=0 ppid=34082 pid=34084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.171:252601): avc: denied { open } for pid=34085 comm="crm_attribute" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.171:252601): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaa292b74 a1=441 a2=1b6 a3=7fffaa291f80 items=0 ppid=34029 pid=34085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.173:252602): avc: denied { read write } for pid=34085 comm="crm_attribute" name="qb-cib_rw-request-18987-34085-13-header" dev="tmpfs" ino=2676599 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.173:252602): arch=c000003e syscall=2 success=no exit=-13 a0=7fffaa28d1d0 a1=2 a2=180 a3=7fffaa28cdf0 items=0 ppid=34029 pid=34085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.176:252603): avc: denied { create } for pid=34087 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228000.176:252603): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=3e items=0 ppid=34006 pid=34087 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.178:252604): avc: denied { open } for pid=34006 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.178:252604): arch=c000003e syscall=2 success=no exit=-13 a0=1d7d710 a1=441 a2=1b6 a3=1 items=0 ppid=18989 pid=34006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.178:252605): avc: denied { open } for pid=34006 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.178:252605): arch=c000003e syscall=2 success=no exit=-13 a0=1d7d710 a1=401 a2=1b6 a3=1 items=0 ppid=18989 pid=34006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.181:252606): avc: denied { create } for pid=34093 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228000.181:252606): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=1a items=0 ppid=34006 pid=34093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.183:252607): avc: denied { open } for pid=34006 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.183:252607): arch=c000003e syscall=2 success=no exit=-13 a0=1d7c640 a1=441 a2=1b6 a3=21 items=0 ppid=18989 pid=34006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.183:252608): avc: denied { open } for pid=34006 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.183:252608): arch=c000003e syscall=2 success=no exit=-13 a0=1d7c640 a1=401 a2=1b6 a3=21 items=0 ppid=18989 pid=34006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.186:252609): avc: denied { create } for pid=34099 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228000.186:252609): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=1d items=0 ppid=34006 pid=34099 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.188:252610): avc: denied { open } for pid=34006 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.188:252610): arch=c000003e syscall=2 success=no exit=-13 a0=1d7d710 a1=441 a2=1b6 a3=1 items=0 ppid=18989 pid=34006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228000.188:252611): avc: denied { open } for pid=34006 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228000.188:252611): arch=c000003e syscall=2 success=no exit=-13 a0=1d7d710 a1=401 a2=1b6 a3=1 items=0 ppid=18989 pid=34006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228001.185:252612): avc: denied { read write } for pid=34084 comm="crm_node" name="qb-cmap-request-18971-34084-27-header" dev="tmpfs" ino=2681852 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228001.185:252612): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbe8ed990 a1=2 a2=180 a3=25 items=0 ppid=34082 pid=34084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228004.188:252613): avc: denied { read write } for pid=34084 comm="crm_node" name="qb-cmap-request-18971-34084-27-header" dev="tmpfs" ino=2691385 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228004.188:252613): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbe8ed990 a1=2 a2=180 a3=25 items=0 ppid=34082 pid=34084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228008.190:252614): avc: denied { read write } for pid=34084 comm="crm_node" name="qb-cmap-request-18971-34084-27-header" dev="tmpfs" ino=2697219 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228008.190:252614): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbe8ed990 a1=2 a2=180 a3=25 items=0 ppid=34082 pid=34084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228013.195:252615): avc: denied { open } for pid=34110 comm="crm_attribute" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228013.195:252615): arch=c000003e syscall=2 success=no exit=-13 a0=7fff19184bd8 a1=441 a2=1b6 a3=7fff19183ee0 items=0 ppid=34082 pid=34110 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228013.197:252616): avc: denied { read write } for pid=34110 comm="crm_attribute" name="qb-cib_rw-request-18987-34110-13-header" dev="tmpfs" ino=2676606 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228013.197:252616): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1917f130 a1=2 a2=180 a3=7fff1917ed50 items=0 ppid=34082 pid=34110 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228013.199:252617): avc: denied { create } for pid=34112 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228013.199:252617): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=3e items=0 ppid=34059 pid=34112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228013.201:252618): avc: denied { open } for pid=34059 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228013.201:252618): arch=c000003e syscall=2 success=no exit=-13 a0=2304400 a1=441 a2=1b6 a3=1 items=0 ppid=18989 pid=34059 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228250.540:252883): avc: denied { read } for pid=34781 comm="crm_attribute" name="pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228250.540:252883): arch=c000003e syscall=2 success=no exit=-13 a0=7fffe0c35b74 a1=442 a2=1b6 a3=2 items=0 ppid=34750 pid=34781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228250.543:252884): avc: denied { open } for pid=34781 comm="crm_attribute" path="/dev/shm/qb-cib_rw-request-18987-34781-13-header" dev="tmpfs" ino=2692418 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228250.543:252884): arch=c000003e syscall=2 success=no exit=-13 a0=7fffe0c2eed0 a1=2 a2=180 a3=7fffe0c2eaf0 items=0 ppid=34750 pid=34781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228250.546:252885): avc: denied { connect } for pid=34783 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228250.546:252885): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f85cce21740 a2=6e a3=3e items=0 ppid=34727 pid=34783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228250.550:252886): avc: denied { connect } for pid=34789 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228250.550:252886): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f21244ed740 a2=6e a3=1a items=0 ppid=34727 pid=34789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228250.555:252887): avc: denied { connect } for pid=34795 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228250.555:252887): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f824e7b6740 a2=6e a3=1d items=0 ppid=34727 pid=34795 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228254.129:252888): avc: denied { read } for pid=34825 comm="crm_node" name="pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228254.129:252888): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfcb7b7e a1=442 a2=1b6 a3=2 items=0 ppid=34823 pid=34825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228254.132:252889): avc: denied { open } for pid=34825 comm="crm_node" path="/dev/shm/qb-cpg-request-18971-34825-27-header" dev="tmpfs" ino=2691755 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228254.132:252889): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfcb0e40 a1=2 a2=180 a3=7fffcfcb0a60 items=0 ppid=34823 pid=34825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228254.135:252890): avc: denied { open } for pid=34825 comm="crm_node" path="/dev/shm/qb-cmap-request-18971-34825-27-header" dev="tmpfs" ino=2691764 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228254.135:252890): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfcb0f00 a1=2 a2=180 a3=25 items=0 ppid=34823 pid=34825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228255.138:252891): avc: denied { open } for pid=34825 comm="crm_node" path="/dev/shm/qb-cmap-request-18971-34825-27-header" dev="tmpfs" ino=2697457 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228255.138:252891): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfcb0f00 a1=2 a2=180 a3=25 items=0 ppid=34823 pid=34825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228257.141:252892): avc: denied { open } for pid=34825 comm="crm_node" path="/dev/shm/qb-cmap-request-18971-34825-27-header" dev="tmpfs" ino=2697464 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228257.141:252892): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfcb0f00 a1=2 a2=180 a3=25 items=0 ppid=34823 pid=34825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228260.144:252893): avc: denied { open } for pid=34825 comm="crm_node" path="/dev/shm/qb-cmap-request-18971-34825-27-header" dev="tmpfs" ino=2697471 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228260.144:252893): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfcb0f00 a1=2 a2=180 a3=25 items=0 ppid=34823 pid=34825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228264.146:252894): avc: denied { open } for pid=34825 comm="crm_node" path="/dev/shm/qb-cmap-request-18971-34825-27-header" dev="tmpfs" ino=2691771 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228264.146:252894): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfcb0f00 a1=2 a2=180 a3=25 items=0 ppid=34823 pid=34825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_node" exe="/usr/sbin/crm_node" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228269.153:252895): avc: denied { read } for pid=34826 comm="crm_attribute" name="pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409228269.153:252895): arch=c000003e syscall=2 success=no exit=-13 a0=7fff53063b74 a1=442 a2=1b6 a3=2 items=0 ppid=34823 pid=34826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228269.155:252896): avc: denied { open } for pid=34826 comm="crm_attribute" path="/dev/shm/qb-cib_rw-request-18987-34826-13-header" dev="tmpfs" ino=2692428 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1409228269.155:252896): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5305cab0 a1=2 a2=180 a3=7fff5305c6d0 items=0 ppid=34823 pid=34826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crm_attribute" exe="/usr/sbin/crm_attribute" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228269.158:252897): avc: denied { connect } for pid=34828 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228269.158:252897): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fc0b1663740 a2=6e a3=3e items=0 ppid=34800 pid=34828 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228269.164:252898): avc: denied { connect } for pid=34834 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228269.164:252898): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f9d9c563740 a2=6e a3=1a items=0 ppid=34800 pid=34834 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409228269.170:252899): avc: denied { connect } for pid=34840 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1409228269.170:252899): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f2ba3b77740 a2=6e a3=1d items=0 ppid=34800 pid=34840 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=SYSCALL msg=audit(1409233002.388:359024): arch=c000003e syscall=2 success=no exit=-13 a0=1fbf4a0 a1=42 a2=180 a3=7fff88802ee0 items=0 ppid=20097 pid=20099 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdmeta" exe="/usr/sbin/drbdmeta" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409233002.390:359025): avc: denied { write } for pid=20101 comm="logger" name="log" dev="devtmpfs" ino=17422 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1409233002.390:359025): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f01d4b49740 a2=6e a3=3f items=0 ppid=20075 pid=20101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409233002.394:359026): avc: denied { write } for pid=20107 comm="logger" name="log" dev="devtmpfs" ino=17422 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1409233002.394:359026): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fb7dff1b740 a2=6e a3=19 items=0 ppid=20075 pid=20107 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409233002.398:359027): avc: denied { write } for pid=20113 comm="logger" name="log" dev="devtmpfs" ino=17422 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1409233002.398:359027): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f36d936e740 a2=6e a3=1d items=0 ppid=20075 pid=20113 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1409233002.414:359028): avc: denied { read write } for pid=20127 comm="drbdmeta" name="drbd-147-0" dev="tmpfs" ino=19627 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
Is it possible that there is no DRBD policy for DRBD 8.4 so far? This is what
I ended up with:
allow drbd_t fs_t:filesystem getattr;
allow drbd_t passwd_file_t:file { getattr open read };
allow drbd_t self:capability { dac_read_search dac_override sys_admin sys_module };
allow drbd_t tmp_t:dir { add_name write remove_name };
allow drbd_t tmp_t:file { create open write unlink };
allow drbd_t tmpfs_t:dir search;
allow drbd_t self:unix_dgram_socket { create connect sendto write };
allow drbd_t kernel_t:unix_dgram_socket sendto;
allow drbd_t cluster_tmpfs_t:file { open read write };
allow drbd_t cluster_var_log_t:file { open read };
allow drbd_t devlog_t:sock_file write;
allow drbd_t var_lock_t:file { open read write lock };
allow drbd_t var_run_t:dir { write remove_name create add_name };
allow drbd_t var_run_t:lnk_file { create unlink };
allow drbd_t fixed_disk_device_t:blk_file write;
allow drbd_t insmod_exec_t:file { getattr execute read open execute_no_trans };
allow drbd_t modules_conf_t:dir { getattr read open search };
allow drbd_t modules_conf_t:file { read getattr open };
allow drbd_t modules_object_t:dir search;
allow drbd_t modules_object_t:file { open read getattr };
commit ac388171d02d7bd37645ca7bbff18b09b5924eda
Author: Lukas Vrabec <lvrabec>
Date: Mon Oct 6 16:03:13 2014 +0200
Fix bug in drbd policy, BZ (#1134883)
And what about permissive mode? The following AVCs appeared in permissive mode as a result of "service drbd start" and "service drbd stop":
----
type=SYSCALL msg=audit(10/15/2014 11:27:10.942:512) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7fff49fec680 a2=0x7fff49fec680 a3=0x7fff49fec530 items=0 ppid=3300 pid=3301 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=modinfo exe=/usr/bin/kmod subj=unconfined_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(10/15/2014 11:27:10.942:512) : avc: denied { getattr } for pid=3301 comm=modinfo path=/usr/lib/modules/3.10.0-160.el7.x86_64/modules.dep.bin dev="vda3" ino=9462897 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----
type=PATH msg=audit(10/15/2014 11:27:10.942:511) : item=0 name=/lib/modules/3.10.0-160.el7.x86_64/modules.dep.bin inode=9462897 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0 objtype=NORMAL
type=CWD msg=audit(10/15/2014 11:27:10.942:511) : cwd=/
type=SYSCALL msg=audit(10/15/2014 11:27:10.942:511) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fff49fec800 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x7fff49fec550 items=1 ppid=3300 pid=3301 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=modinfo exe=/usr/bin/kmod subj=unconfined_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(10/15/2014 11:27:10.942:511) : avc: denied { open } for pid=3301 comm=modinfo path=/usr/lib/modules/3.10.0-160.el7.x86_64/modules.dep.bin dev="vda3" ino=9462897 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(10/15/2014 11:27:10.942:511) : avc: denied { read } for pid=3301 comm=modinfo name=modules.dep.bin dev="vda3" ino=9462897 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(10/15/2014 11:27:10.942:511) : avc: denied { search } for pid=3301 comm=modinfo name=modules dev="vda3" ino=25521911 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
----
type=PATH msg=audit(10/15/2014 11:27:10.962:513) : item=0 name=/lib/modules/3.10.0-160.el7.x86_64/modules.dep.bin inode=9462897 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0 objtype=NORMAL
type=CWD msg=audit(10/15/2014 11:27:10.962:513) : cwd=/
type=SYSCALL msg=audit(10/15/2014 11:27:10.962:513) : arch=x86_64 syscall=open success=yes exit=8 a0=0x7fffb4a5e860 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x7fffb4a5e5b0 items=1 ppid=3300 pid=3304 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=modinfo exe=/usr/bin/kmod subj=unconfined_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(10/15/2014 11:27:10.962:513) : avc: denied { open } for pid=3304 comm=modinfo path=/usr/lib/modules/3.10.0-160.el7.x86_64/modules.dep.bin dev="vda3" ino=9462897 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(10/15/2014 11:27:10.962:513) : avc: denied { read } for pid=3304 comm=modinfo name=modules.dep.bin dev="vda3" ino=9462897 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(10/15/2014 11:27:10.962:513) : avc: denied { search } for pid=3304 comm=modinfo name=modules dev="vda3" ino=25521911 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
----
type=SYSCALL msg=audit(10/15/2014 11:27:10.962:514) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x8 a1=0x7fffb4a5e6e0 a2=0x7fffb4a5e6e0 a3=0x7fffb4a5e590 items=0 ppid=3300 pid=3304 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=modinfo exe=/usr/bin/kmod subj=unconfined_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(10/15/2014 11:27:10.962:514) : avc: denied { getattr } for pid=3304 comm=modinfo path=/usr/lib/modules/3.10.0-160.el7.x86_64/modules.dep.bin dev="vda3" ino=9462897 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----
type=SOCKADDR msg=audit(10/15/2014 11:27:11.341:515) : saddr=inet host:212.69.161.111 serv:80
type=SYSCALL msg=audit(10/15/2014 11:27:11.341:515) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x8 a1=0x7fff7f57e140 a2=0x10 a3=0x7fff7f57d990 items=0 ppid=3299 pid=3300 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=drbdadm exe=/usr/sbin/drbdadm subj=unconfined_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(10/15/2014 11:27:11.341:515) : avc: denied { name_connect } for pid=3300 comm=drbdadm dest=80 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
----
commit 31a23fcd93ce14e50ea58ff0f0d2ad83065c6e23
Author: Lukas Vrabec <lvrabec>
Date: Wed Oct 15 12:49:55 2014 +0200
Allow drbd_t read kernel_modules.
commit dfa384da8297e744791c459afd7110eb0962d9ce
Author: Lukas Vrabec <lvrabec>
Date: Wed Oct 15 12:47:03 2014 +0200
Allow drbd_t to connect on httpd port.
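An added example, not part of the bug report or of selinux-policy: a small Python script that collapses AVC denials like the ones quoted in this report into candidate allow rules and checks them against a hand-written rule set. The sample records and the allow rules are copied from this report; the function names are assumptions of the example, and the script is a simplified stand-in for audit2allow, not that tool.

```python
import re
from collections import defaultdict

# Accepts raw audit.log records "msg=audit(1409228000.181:252606):" and
# ausearch -i output "msg=audit(10/15/2014 11:27:11.341:515) :".
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\([^)]*:(?P<serial>\d+)\)\s*:\s*"
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return {
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            # The type is the third field of user:role:type:level.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
        }
    except (KeyError, IndexError):
        return None

def summarize(lines):
    """Union the denied permissions per (source type, target type, class)."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # A domain acting on its own type is written "self" in policy.
        target = "self" if rec["target"] == rec["source"] else rec["target"]
        perms[(rec["source"], target, rec["tclass"])].update(rec["perms"])
    return perms

def to_allow_rules(lines):
    """Render the summarized denials as candidate allow rules, sorted."""
    rules = []
    for (src, tgt, cls), wanted in sorted(summarize(lines).items()):
        p = sorted(wanted)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

def uncovered(lines, policy_text):
    """Denied permissions that the given allow rules do not grant."""
    granted = defaultdict(set)
    for src, tgt, cls, many, one in ALLOW_RE.findall(policy_text):
        granted[(src, tgt, cls)].update((many or one).split())
    missing = {}
    for key, wanted in summarize(lines).items():
        rest = wanted - granted.get(key, set())
        if rest:
            missing[key] = sorted(rest)
    return missing

# Records copied from the audit output quoted in this report.
SAMPLE = [
    'type=AVC msg=audit(1409228000.181:252606): avc: denied { create } for pid=34093 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1409228000.183:252607): avc: denied { open } for pid=34006 comm="drbd" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1409228001.185:252612): avc: denied { read write } for pid=34084 comm="crm_node" name="qb-cmap-request-18971-34084-27-header" dev="tmpfs" ino=2681852 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_tmpfs_t:s0 tclass=file',
    'type=AVC msg=audit(1409228250.540:252883): avc: denied { read } for pid=34781 comm="crm_attribute" name="pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:cluster_var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1409228250.546:252885): avc: denied { connect } for pid=34783 comm="logger" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1409233002.390:359025): avc: denied { write } for pid=20101 comm="logger" name="log" dev="devtmpfs" ino=17422 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1409233002.414:359028): avc: denied { read write } for pid=20127 comm="drbdmeta" name="drbd-147-0" dev="tmpfs" ino=19627 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file',
    'type=AVC msg=audit(10/15/2014 11:27:11.341:515) : avc: denied { name_connect } for pid=3300 comm=drbdadm dest=80 scontext=unconfined_u:system_r:drbd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket',
    'type=CWD msg=audit(10/15/2014 11:27:10.942:511) : cwd=/',
]

# Subset of the allow rules posted earlier in this report.
POSTED_RULES = """
allow drbd_t self:unix_dgram_socket { create connect sendto write };
allow drbd_t cluster_tmpfs_t:file { open read write };
allow drbd_t cluster_var_log_t:file { open read };
allow drbd_t devlog_t:sock_file write;
allow drbd_t var_lock_t:file { open read write lock };
"""

if __name__ == "__main__":
    print("\n".join(to_allow_rules(SAMPLE)))
    print("not covered by posted rules:", uncovered(SAMPLE, POSTED_RULES))
```

Generated rules are candidates for review, not policy to load as-is; the uncovered set shows which denials a given rule list still leaves open.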
Since the latest RHEL updates (selinux-policy-3.12.1-153.el7_0.11.noarch) we see this (in addition to my rules in comment #5):
type=AVC msg=audit(1413460511.791:108918): avc: denied { open } for pid=5264 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=919694 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1413460511.791:108918): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff971fb8bb a1=441 a2=1b6 a3=7fff971f9ae0 items=0 ppid=5261 pid=5264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=crm_node exe=/usr/sbin/crm_node subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1413460647.809:115546): avc: denied { open } for pid=29142 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1413460647.809:115546): avc: denied { open } for pid=29142 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1413460647.809:115546): avc: denied { open } for pid=29142 comm="crm_node" path="/var/log/pacemaker.log" dev="sda1" ino=657624 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Is this relevant for you maybe as well? Or do you already cover this?
type=AVC msg=audit(1413473677.592:6623): avc: denied { read } for pid=7016 comm="crm_node" name="pacemaker.log" dev="sda1" ino=919694 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1413473677.592:6623): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff1d5f0b7e a1=442 a2=1b6 a3=2 items=0 ppid=7012 pid=7016 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=crm_node exe=/usr/sbin/crm_node subj=system_u:system_r:drbd_t:s0 key=(null)
Is "/var/log/pacemaker.log" owned by drbd service?
It's about pacemaker.
Robert, is pacemaker running with correct domain?
ps -eZ |grep cluster
(In reply to Miroslav Grepl from comment #16)
> is pacemaker running with correct domain?
>
> ps -eZ |grep cluster
# ps -eZ |grep cluster
system_u:system_r:cluster_t:s0 1563 ? 00:00:00 pcsd
system_u:system_r:cluster_t:s0 1586 ? 00:00:00 bash
system_u:system_r:cluster_t:s0 1587 ? 00:00:16 ruby
system_u:system_r:cluster_t:s0 2519 ? 00:12:49 corosync
system_u:system_r:cluster_t:s0 2695 ? 00:00:09 pacemakerd
system_u:system_r:cluster_t:s0 2702 ? 00:01:06 cib
system_u:system_r:cluster_t:s0 2703 ? 00:00:13 stonithd
system_u:system_r:cluster_t:s0 2704 ? 00:00:34 lrmd
system_u:system_r:cluster_t:s0 2705 ? 00:00:29 attrd
system_u:system_r:cluster_t:s0 2706 ? 00:00:10 pengine
system_u:system_r:cluster_t:s0 2707 ? 00:00:10 crmd
#
But just to be sure: These AVC denieds didn't result from the new policy that you guys worked or are working on.
# rpm -qa selinux-policy\*
selinux-policy-doc-3.13.1-16.el7.noarch
selinux-policy-devel-3.13.1-16.el7.noarch
selinux-policy-3.13.1-16.el7.noarch
selinux-policy-minimum-3.13.1-16.el7.noarch
selinux-policy-sandbox-3.13.1-15.el7.noarch
selinux-policy-targeted-3.13.1-16.el7.noarch
selinux-policy-mls-3.13.1-16.el7.noarch
# matchpathcon /var/log/pacemaker.log
/var/log/pacemaker.log system_u:object_r:var_log_t:s0
#
But the log file is created by the pacemaker service and gets following label:
# ls -Z /var/log/pacemaker.log
-rw-rw----. hacluster haclient system_u:object_r:cluster_var_log_t:s0 /var/log/pacemaker.log
#
I believe that cluster_var_log_t is correct label.
Yes but should be created as cluster_log_t if pacemaker runs with correct domain.
type_transition cluster_t var_log_t : file cluster_var_log_t;
I don't see additional bug here.
Robert, how does it work for you now?
Miroslav, I did not recognize that this would be fixed. Should the above mentioned selinux-policy-3.13.1-5.el7 contain all fixes?
(In reply to Robert Scheck from comment #25)
> Miroslav, I did not recognize that this would be fixed. Should the above
> mentioned selinux-policy-3.13.1-5.el7 contain all fixes?
What is your actual issue? If I understand correctly it is/was about
type=AVC msg=audit(1413473677.592:6623): avc: denied { read } for pid=7016 comm="crm_node" name="pacemaker.log" dev="sda1" ino=919694 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
right?
(In reply to Miroslav Grepl from comment #26)
> What is your actual issue?
Miroslav, I am using selinux-policy-targeted-3.13.1-23.el7.noarch and DRBD with Pacemaker still leads to AVC denieds, such as:
type=AVC msg=audit(1429548630.115:49): avc: denied { getattr } for pid=785 comm="drbd" name="/" dev="vda2" ino=2 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1429548630.115:50): avc: denied { create } for pid=785 comm="drbd" name="sh-thd-1429549744" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1429548630.170:51): avc: denied { getattr } for pid=813 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1429548630.223:52): avc: denied { getattr } for pid=864 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1429548630.230:53): avc: denied { getattr } for pid=871 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1429548630.232:54): avc: denied { getattr } for pid=873 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1429548630.329:55): avc: denied { getattr } for pid=945 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
Am I testing the wrong version? Is there a newer policy? If so, can you provide a RPM?
(In reply to Robert Scheck from comment #28)
> (In reply to Miroslav Grepl from comment #26)
> > What is your actual issue?
>
> Miroslav, I am using selinux-policy-targeted-3.13.1-23.el7.noarch and DRBD
> with Pacemaker still leads to AVC denieds, such as:
>
> type=AVC msg=audit(1429548630.115:49): avc: denied { getattr } for
> pid=785 comm="drbd" name="/" dev="vda2" ino=2
> scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:fs_t:s0
> tclass=filesystem
> type=AVC msg=audit(1429548630.115:50): avc: denied { create } for pid=785
> comm="drbd" name="sh-thd-1429549744" scontext=system_u:system_r:drbd_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1429548630.170:51): avc: denied { getattr } for
> pid=813 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147
> scontext=system_u:system_r:drbd_t:s0
> tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=AVC msg=audit(1429548630.223:52): avc: denied { getattr } for
> pid=864 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147
> scontext=system_u:system_r:drbd_t:s0
> tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=AVC msg=audit(1429548630.230:53): avc: denied { getattr } for
> pid=871 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147
> scontext=system_u:system_r:drbd_t:s0
> tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=AVC msg=audit(1429548630.232:54): avc: denied { getattr } for
> pid=873 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147
> scontext=system_u:system_r:drbd_t:s0
> tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
> type=AVC msg=audit(1429548630.329:55): avc: denied { getattr } for
> pid=945 comm="modprobe" path="/etc/modprobe.d" dev="vda2" ino=137147
> scontext=system_u:system_r:drbd_t:s0
> tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
>
> Am I testing the wrong version? Is there a newer policy? If so, can you
> provide a RPM?
Robert, any chance to test it with permissive for drbd_t to see if get more AVCs coming from modprobe?
Robert, Any update here?
Created attachment 1055722 [details]
AVC denied messages from node 1
Tested using selinux-policy-targeted-3.13.1-23.el7_1.8.noarch
Created attachment 1055723 [details]
AVC denied messages from node 2
Tested using selinux-policy-targeted-3.13.1-23.el7_1.8.noarch
(In reply to Lukas Vrabec from comment #31)
> Any update here?

Lukas, sorry for my delay. Above is the information requested by Miroslav. If there is a newer/other selinux-policy-targeted package for testing, please provide it somehow to me.

commit 002bf48cb0a03f81121be7b087dae78e75dadec0
Author: Lukas Vrabec <lvrabec>
Date: Mon Jul 27 11:45:41 2015 +0200
Allow drbd to read configuration options used when loading modules.
Resolves: #1134883
commit 78c7046183b561282931dfc2df4dd767df1c7a0f
Author: Lukas Vrabec <lvrabec>
Date: Mon Jul 27 12:13:24 2015 +0200
Allow drbd to get attributes from filesystems.
Lukas, could you provide selinux-policy-3.13.1-35.el7 somehow, please? Then I would run our tests here again.

(In reply to Robert Scheck from comment #38)
> Lukas, could you provide selinux-policy-3.13.1-35.el7 somehow, please? Then
> I would run our tests here again.

Robert, the test builds have been attached to ticket 01182594

Thank you guys.

Simon, thank you. But are you really sure the packages contain the changes? Running 3.13.1-45.el7 with enforced policy leads to an unusable setup here: Module drbd can't be loaded and other messages (the rest is likely caused by the previous ones). Attaching both audit logs (enforced and permissive) for comparison.

Created attachment 1066880 [details]
/var/log/audit/audit.log with 3.13.1-45.el7 (enforced)
Created attachment 1066881 [details]
/var/log/audit/audit.log with 3.13.1-45.el7 (permissive)
Would it be helpful if I either offer you virtual machine images or access to such a system? If yes, please let me know.

The suggested "restorecon -v -R /var/lib/drbd/" led to some output however
this didn't solve it, after a reboot DRBD was not up but this in audit logs:
type=AVC msg=audit(1440693207.839:49): avc: denied { create } for pid=724 comm="drbd" name="sh-thd-1440680199" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1440693207.839:49): arch=c000003e syscall=2 success=no exit=-13 a0=1e3da50 a1=2c1 a2=180 a3=0 items=0 ppid=719 pid=724 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=189 sgid=189 fsgid=189 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
(In reply to Robert Scheck from comment #50)
> The suggested "restorecon -v -R /var/lib/drbd/" led to some output however
> this didn't solve it, after a reboot DRBD was not up but this in audit logs:

Is this the only denial now?

We need to update file transition rules.

(In reply to Simon Sekidde from comment #51)
> Is this the only denial now?

Unfortunately not, with permissive:

type=AVC msg=audit(1441628962.614:48): avc: denied { create } for pid=726 comm="drbd" name="sh-thd-1441655822" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1441628962.614:48): avc: denied { write open } for pid=726 comm="drbd" path="/tmp/sh-thd-1441655822" dev="vda2" ino=262303 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1441628962.614:48): arch=c000003e syscall=2 success=yes exit=3 a0=236ca50 a1=2c1 a2=180 a3=0 items=0 ppid=721 pid=726 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=189 sgid=189 fsgid=189 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1441628962.615:49): avc: denied { unlink } for pid=726 comm="drbd" name="sh-thd-1441655822" dev="vda2" ino=262303 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1441628962.615:49): arch=c000003e syscall=87 success=yes exit=0 a0=236ca50 a1=0 a2=180 a3=7ffe458345b0 items=0 ppid=721 pid=726 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=189 sgid=189 fsgid=189 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1441628962.681:50): avc: denied { write } for pid=767 comm="drbdadm-84" name="/" dev="tmpfs" ino=6099 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1441628962.681:50): avc: denied { add_name } for pid=767 comm="drbdadm-84" name="drbd" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1441628962.681:50): avc: denied { create } for pid=767 comm="drbdadm-84" name="drbd" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1441628962.681:50): arch=c000003e syscall=83 success=yes exit=0 a0=428d4e a1=1c0 a2=1000 a3=7ffdfe61dd90 items=0 ppid=727 pid=767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm-84" exe="/usr/lib/drbd/drbdadm-84" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1441628962.681:51): avc: denied { create } for pid=767 comm="drbdadm-84" name="drbd-resource-data.conf" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1441628962.681:51): arch=c000003e syscall=88 success=yes exit=0 a0=a0f270 a1=7ffdfe61f040 a2=1000 a3=7ffdfe61dd90 items=0 ppid=727 pid=767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm-84" exe="/usr/lib/drbd/drbdadm-84" subj=system_u:system_r:drbd_t:s0 key=(null)

Given the combination of DRBD and RHEL is basically supported by both parties, I am not that happy to see that postponed again.

Robert,
could you test it with the following local policy?
$ cat mydrbd.te
policy_module(mydrbd,1.0)
type drbd_var_run_t;
files_pid_file(drbd1_var_run_t)
type drbd_tmp_t;
files_tmp_file(drbd_tmp_t)
manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })
manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
files_tmp_filetrans(drbd_t, drbd_tmp_t, { file dir})
and run
# make -f /usr/share/selinux/devel/Makefile mydrbd.pp
# semodule -i mydrbd.pp
*** Bug 1130675 has been marked as a duplicate of this bug. ***

I am unfortunately not able to build this local policy using the RHEL 7.2 selinux-policy-3.13.1-60.el7.noarch packages:

mydrbd.te":4:ERROR 'unknown type drbd1_var_run_t' at token ';' on line 3221:
-> s/drbd1/drbd/ -- I guess this was a typo.

mydrbd.te":9:ERROR 'unknown type drbd_t' at token ';' on line 3390:
-> What's the mistake here?

For selinux-policy-3.13.1-45.el7.noarch.rpm, I don't have the -devel RPM.

$ cat mydrbd.te
policy_module(mydrbd,1.0)
gen_require(`
type drbd_t;
type drbd_tmp_t;
')
type drbd_var_run_t;
files_pid_file(drbd_var_run_t)
manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })
manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
files_tmp_filetrans(drbd_t, drbd_tmp_t, { file dir})
Attaching working local module for testing.
# make -f /usr/share/selinux/devel/Makefile mydrbd.pp
# semodule -i mydrbd.pp
Above custom policy + 3.13.1-60.el7 leads in permissive mode to:
type=AVC msg=audit(1448362519.066:28): avc: denied { create } for pid=697 comm="drbd" name="sh-thd-1448365639" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1448362519.066:28): avc: denied { write open } for pid=697 comm="drbd" path="/tmp/sh-thd-1448365639" dev="vda2" ino=18360 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1448362519.066:28): arch=c000003e syscall=2 success=yes exit=3 a0=147ba50 a1=2c1 a2=180 a3=0 items=0 ppid=692 pid=697 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=189 sgid=189 fsgid=189 tty=(none) ses=4294967295 comm="drbd" exe="/usr/bin/bash" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1448362519.067:29): avc: denied { unlink } for pid=697 comm="drbd" name="sh-thd-1448365639" dev="vda2" ino=18360 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
Robert, please remove all tmp files related to drbd before testing. I believe these AVCs are from previous testing without rules from comment 62.

I already ensured this before. However something in DRBD creates a file called /tmp/sh-thd-$SOMETHING and removes it afterwards:

-> /tmp/sh-thd-1448365639 at first reboot
-> /tmp/sh-thd-1448387857 at second reboot
-> /tmp/sh-thd-1448388075 at third reboot

$SOMETHING seems to be the Unix timestamp. That would make it predictable, is this maybe even a security flaw?

I added missing rules to drbd_t policy.
- create new file type: drbd_var_run_t
- allow drbd_t to manage drbd_var_run_t files
- allow drbd_t to create drbd_tmp_t files in /tmp
Robert,
I don't think this can be any security flaw.
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Please retest your scenario in RHEL-7.3 Beta. Let us know if your scenario generates any SELinux denials.

Tests with RHEL 7.3 Beta unfortunately lead to "modprobe: ERROR: could not insert 'drbd': Operation not permitted" - however no SELinux denials (even not with 'semodule -DB'). So what has been changed or broken here?

Args, I overlooked it - sorry! So, a new SELinux denial unfortunately, which
prevents DRBD completely from working:
type=AVC msg=audit(1474915046.925:43): avc: denied { sys_module } for pid=763 comm="modprobe" capability=16 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1474915046.925:43): arch=c000003e syscall=313 success=no exit=-1 a0=3 a1=1a6ffb0 a2=0 a3=3 items=0 ppid=736 pid=763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1474915047.022:44): avc: denied { sys_module } for pid=820 comm="modprobe" capability=16 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1474915047.022:44): arch=c000003e syscall=313 success=no exit=-1 a0=3 a1=41a15c a2=0 a3=3 items=0 ppid=819 pid=820 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1474915047.032:45): avc: denied { sys_module } for pid=827 comm="modprobe" capability=16 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1474915047.032:45): arch=c000003e syscall=313 success=no exit=-1 a0=4 a1=41a15c a2=0 a3=4 items=0 ppid=826 pid=827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1474915047.035:46): avc: denied { sys_module } for pid=829 comm="modprobe" capability=16 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1474915047.035:46): arch=c000003e syscall=313 success=no exit=-1 a0=4 a1=41a15c a2=0 a3=4 items=0 ppid=828 pid=829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1474915047.119:47): avc: denied { sys_module } for pid=901 comm="modprobe" capability=16 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1474915047.119:47): arch=c000003e syscall=313 success=no exit=-1 a0=4 a1=41a15c a2=0 a3=4 items=0 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:drbd_t:s0 key=(null)
After allowing above, the next SELinux denials appear (but only when with
'semodule -DB' as it seems, doesn't seem to have impact on run-time, too):
type=AVC msg=audit(1474914949.568:64): avc: denied { search } for pid=790 comm="modprobe" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=AVC msg=audit(1474914949.608:65): avc: denied { search } for pid=806 comm="drbdsetup-84" name="bdi" dev="debugfs" ino=5 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=AVC msg=audit(1474914949.608:65): avc: denied { search } for pid=806 comm="drbdsetup-84" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Conclusion: Something like "allow drbd_t self:capability sys_module;" should
be added to the SELinux policy to get it working at all...
Some more SELinux denial unfortunately since upgrading to RHEL 7.3 final:
type=AVC msg=audit(1478622299.358:239): avc: denied { open } for pid=6144 comm="drbdmeta" path="/var/lib/drbd/drbd-minor-0.lkbd" dev="dm-0" ino=525448 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1478622299.358:239): arch=x86_64 syscall=open success=no exit=EACCES a0=9404c0 a1=0 a2=1b6 a3=24 items=0 ppid=6142 pid=6144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=drbdmeta exe=/usr/sbin/drbdmeta subj=system_u:system_r:drbd_t:s0 key=(null)
type=AVC msg=audit(1478623483.180:207): avc: denied { getattr } for pid=2654 comm="drbdmeta" path="/var/lib/drbd/drbd-minor-0.lkbd" dev="dm-0" ino=525448 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1478623483.180:207): arch=x86_64 syscall=fstat success=no exit=EACCES a0=6 a1=7fff6b2a1640 a2=7fff6b2a1640 a3=0 items=0 ppid=2652 pid=2654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=drbdmeta exe=/usr/sbin/drbdmeta subj=system_u:system_r:drbd_t:s0 key=(null)
Thus something like "allow drbd_t var_lib_t:file { open read write getattr };"
is needed as well...
(In reply to Robert Scheck from comment #79)
> Some more SELinux denial unfortunately since upgrading to RHEL 7.3 final:

Thank you for testing this

> Thus something like "allow drbd_t var_lib_t:file { open read write getattr };"
> is needed as well...

Actually the path /var/lib/drbd/drbd-minor-0.lkbd is mislabeled and should be drbd_var_lib_t

# semanage fcontext -l | grep -w /var/lib/drbd
/var/lib/drbd(/.*)? all files system_u:object_r:drbd_var_lib_t:s0

Good pointer...but why didn't the relabelling happen automagically with the new policy here, given it's a new context? Is that intended to be manually in this context?

(In reply to Robert Scheck from comment #82)
> Good pointer...but why didn't the relabelling happen automagically with the
> new policy here, given it's a new context? Is that intended to be manually in
> this context?

Fresh setup with RHEL 7.3 including all updates, /var/lib/drbd does not yet exist. But once it exists, it has the wrong context (var_lib_t). Interestingly the directory is not part of a RPM package - could this cause the wrong context maybe?

(In reply to Robert Scheck from comment #83)
> (In reply to Robert Scheck from comment #82)
> > Good pointer...but why didn't the relabelling happen automagically with the
> > new policy here, given it's a new context? Is that intended to be manually in
> > this context?

Not sure what went wrong since we have this file transition rule

files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)

which states that objects created by drbd in /var/lib/ get labeled drbd_var_lib_t

> Fresh setup with RHEL 7.3 including all updates, /var/lib/drbd does not yet
> exist. But once it exists, it has the wrong context (var_lib_t).
> Interestingly the directory is not part of a RPM package - could this cause
> the wrong context maybe?

Possibly. Which RPM package is this? A quick check on Fedora lists both drbd and drbd-utils and the path exists in the latter.

Unfortunately it's a third party package, because RHEL does not ship the drbd kernel module, thus the drbd package is not in EPEL. Will check with the packager.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
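Added example (not part of this bug report and not code from selinux-policy): a Python triage of AVC records quoted in the comments above. It separates denials against generic types (tmp_t, var_run_t, var_lib_t), which this thread resolved with private types, file transitions or relabeling, from denials that call for an allow rule. The function names and the GENERIC_TARGETS table are assumptions of this example; the log lines are copied from the comments.

```python
import re
from collections import defaultdict

# AVC records copied from the comments in this bug (not constructed).
SAMPLE_LOG = '''
type=AVC msg=audit(1448362519.066:28): avc: denied { create } for pid=697 comm="drbd" name="sh-thd-1448365639" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1448362519.066:28): avc: denied { write open } for pid=697 comm="drbd" path="/tmp/sh-thd-1448365639" dev="vda2" ino=18360 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1448362519.067:29): avc: denied { unlink } for pid=697 comm="drbd" name="sh-thd-1448365639" dev="vda2" ino=18360 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1441628962.681:51): avc: denied { create } for pid=767 comm="drbdadm-84" name="drbd-resource-data.conf" scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=AVC msg=audit(1474915046.925:43): avc: denied { sys_module } for pid=763 comm="modprobe" capability=16 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=AVC msg=audit(1474914949.568:64): avc: denied { search } for pid=790 comm="modprobe" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=AVC msg=audit(1478622299.358:239): avc: denied { open } for pid=6144 comm="drbdmeta" path="/var/lib/drbd/drbd-minor-0.lkbd" dev="dm-0" ino=525448 scontext=system_u:system_r:drbd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
'''

# Generic target types seen in this thread and how the thread resolved each.
# Assumption of this example, not a list shipped by selinux-policy.
GENERIC_TARGETS = {
    "tmp_t": "private tmp type plus files_tmp_filetrans (here: drbd_tmp_t)",
    "var_run_t": "private pid type plus files_pid_filetrans (here: drbd_var_run_t)",
    "var_lib_t": "path is mislabeled; relabel to the domain's type (here: drbd_var_lib_t)",
}

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of user:role:type:level, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one 'avc: denied' record; None for other or truncated records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    source = selinux_type(fields.get("scontext", ""))
    target = selinux_type(fields.get("tcontext", ""))
    if not (source and target and "tclass" in fields):
        return None
    return {"perms": set(m.group(1).split()), "comm": fields.get("comm", "?"),
            "source": source, "target": target, "tclass": fields["tclass"]}


def triage(log_text):
    """Group denials by (source, target, class) and pick a remedy per group."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            group = groups[(rec["source"], rec["target"], rec["tclass"])]
            group["perms"] |= rec["perms"]
            group["comms"].add(rec["comm"])
    findings = {}
    for (src, tgt, cls), group in groups.items():
        perms = sorted(group["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        if tgt in GENERIC_TARGETS:
            # Allowing a confined domain on a generic type is too broad.
            kind, action = "label", GENERIC_TARGETS[tgt]
        elif cls.startswith("capability") and src == tgt:
            # Capability grants widen the domain itself; review by hand.
            kind, action = "capability", f"allow {src} self:{cls} {perm_txt};"
        else:
            kind, action = "allow", f"allow {src} {tgt}:{cls} {perm_txt};"
        findings[(src, tgt, cls)] = {"kind": kind, "perms": perms,
                                     "comms": sorted(group["comms"]),
                                     "action": action}
    return findings


if __name__ == "__main__":
    for (src, tgt, cls), f in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{f['kind']:10}] {src} -> {tgt}:{cls} {f['perms']} via {f['comms']}")
        print(f"             {f['action']}")
```

The groups reported as "label" are the ones audit2allow would turn into allow rules on a generic type, which is why they are worth separating before any local module is written.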
Description of problem:
Setting up Pacemaker with DRBD leads to SELinux policy violations as it seems.

Reproducer (for an already configured DRBD resource called "data"):
pcs cluster cib data_drbd_cfg
pcs -f data_drbd_cfg resource create data_drbd ocf:linbit:drbd drbd_resource=data
pcs -f data_drbd_cfg resource op add data_drbd start interval=0 timeout=120s
pcs -f data_drbd_cfg resource op add data_drbd stop interval=0 timeout=60s
pcs -f data_drbd_cfg resource op add data_drbd monitor role=Master interval=59s timeout=30s
pcs -f data_drbd_cfg resource op add data_drbd monitor role=Slave interval=60s timeout=30s
pcs -f data_drbd_cfg resource master data_clone data_drbd master-max=1 master-node-max=1 clone-max=2 clone-node-max=1 notify=true
pcs cluster cib-push data_drbd_cfg
pcs cluster cib data_fs_cfg
pcs -f data_fs_cfg resource create data_fs ocf:heartbeat:Filesystem device="/dev/drbd0" directory="/data" fstype="ext4" op monitor interval=60s
pcs -f data_fs_cfg constraint colocation add data_fs data_clone INFINITY with-rsc-role=Master
pcs -f data_fs_cfg constraint order promote data_clone then start data_fs
pcs cluster cib-push data_fs_cfg

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
DRBD 8.4.5 and drbd-utils 8.9.1, built from the regular upstream release tarballs.

How reproducible:
Every time, see above and below.

Actual results:
Lots of AVC denied and non-working setup.

Expected results:
No AVC denied.
Additional info: