Bug 1362693
| Summary: | Carbon-cache not allowed to create and write /var/lib directory | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Storage Console | Reporter: | Timothy Asir <tjeyasin> |
| Component: | core | Assignee: | Timothy Asir <tjeyasin> |
| core sub component: | configuration | QA Contact: | sds-qe-bugs |
| Status: | CLOSED WONTFIX | Docs Contact: | |
| Severity: | unspecified | ||
| Priority: | unspecified | CC: | lvrabec, mbukatov, nthomas, vsarmila |
| Version: | 2 | ||
| Target Milestone: | --- | ||
| Target Release: | 3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-23 04:06:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1326788 | ||
Change the default carbon data directory with SELinux enabled
Steps to fix this issue:
1. Stop the carbon-cache service
2. Create a new data directory and move the content
from the old data directory
3. Correct the carbon configuration file
4. Adjust SELinux parameters to accept our new change
5. Start the carbon-cache service
1. Stopping the carbon-cache service
This service can be stopped using "service carbon-cache stop".
2. Create a new data directory and move the content from the old one
One can create a directory such as /usr/lib/carbon or /srv/carbon, or in any other allowed place, and move the old content from /var/lib/carbon.
ex:-
mkdir /usr/lib/carbon
chown carbon:carbon /usr/lib/carbon
mv -vi /var/lib/carbon/* /usr/lib/carbon/
3. Correct the carbon configuration file
Edit the /etc/carbon/carbon.conf file. Replace /var/ with the new path.
like:
STORAGE_DIR = /usr/lib/carbon/
LOCAL_DATA_DIR = /usr/lib/carbon/whisper/
WHITELISTS_DIR = /usr/lib/carbon/lists/
4. Adjust SELinux parameters to accept our new change
ex:-
semanage fcontext -a -t carbon_var_lib_t "/usr/lib/carbon(/.*)?"
restorecon -Rv /usr/lib/carbon
5. Starting the carbon-cache service
ex:- service carbon-cache start
6. Verify and check the connectivity.
/usr/lib/carbon is not a good place for data. Either we can keep it in some other path or we can resolve this by:
semanage fcontext -a -t carbon_var_lib_t "/var/lib/carbon(/.*)?"
@"Lukas Vrabec" <lvrabec>: Could you please add your views or suggestions?
Description of problem:
Carbon-cache not allowed to create and write /var/lib directory by SELinux policy.

AVC Denial
type=AVC msg=audit(1469705553.928:1215): avc: denied { write } for pid=11657 comm="carbon-cache" name="plugins" dev="vda2" ino=92276763 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1469705553.928:1215): avc: denied { create } for pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1469705553.929:1216): avc: denied { remove_name } for pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" dev="vda2" ino=92358149 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir

Additional info:
The default storage directory for carbon_cache is /var/lib/carbon and its local data directory is configured to /var/lib/carbon/whisper which is not allowed for any service to keep their regular data. This should be configured to either /usr/lib directory or any other directory.
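
Added example (not part of the original report or of any Red Hat tooling): a small parser that reduces the three AVC records quoted in the description to the source type, target type, object class and denied permissions, so the label actually involved in the denials can be compared with the carbon_var_lib_t type used in the semanage command above. The function names and the expected_type parameter are illustrative assumptions.

```python
import re
from collections import defaultdict

# AVC records copied from the bug description; function names are illustrative.
AUDIT_LOG = """\
type=AVC msg=audit(1469705553.928:1215): avc: denied { write } for pid=11657 comm="carbon-cache" name="plugins" dev="vda2" ino=92276763 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1469705553.928:1215): avc: denied { create } for pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1469705553.929:1216): avc: denied { remove_name } for pid=11657 comm="carbon-cache" name="G7_cpK7WB-scrOqHdropin.cache.new" dev="vda2" ino=92358149 scontext=system_u:system_r:carbon_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; policy rules key on the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class) and collect permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}


def mislabeled_targets(summary, domain, expected_type):
    """Target types the domain was denied on that differ from its own data type."""
    return sorted({t for (s, t, _c) in summary if s == domain and t != expected_type})


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(AUDIT_LOG).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
    print(mislabeled_targets(summarize(AUDIT_LOG), "carbon_t", "carbon_var_lib_t"))
```

For the records in this report, every denial has carbon_t as the source and lib_t as the target type, on both dir and file classes.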