Bug 244319

Summary: Selinux denies congas minions from deploying / adding self to conga.
Product: Red Hat Enterprise Linux 5
Component: conga
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED WORKSFORME
Severity: low
Priority: low
Reporter: Wade Mealing <wmealing>
Assignee: Jim Parsons <jparsons>
CC: cluster-maint, mnielsen, xen-maint
Doc Type: Bug Fix
Last Closed: 2008-01-23 04:52:59 UTC

Description Wade Mealing 2007-06-14 23:22:19 UTC
Description of problem:

When attempting to add the xen domain-0 host to the cluster (to be the xen
fencing server), SELinux errors prevent xen from being able to do its thang.


Version-Release number of selected component (if applicable):


selinux-policy-targeted-2.4.6-30.el5

How reproducible:

Every time

Steps to Reproduce:
1. Create a cluster using luci and ricci
2. Add the xen domain-0 to the cluster.
3. See below messages appear in logs.
  
Actual results:

The node cannot be joined to the cluster; "unable to connect" messages appear in
the conga web interface.

Expected results:

Node to be added to the cluster.

Additional info:

This is the information that appeared in the log files.

Jun 14 18:40:53 dhcp-96 setroubleshoot:      SELinux is preventing virsh (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing <Unknown> (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing /usr/libexec/libvirt_proxy (xm_t) "write" access to xend-socket (xend_var_lib_t).      For complete SELinux messages. run sealert -l a37bcf4b-357f-451a-b916-a9fdd12c37d3
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing virsh (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing <Unknown> (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed

Even after running the command suggested by the sealert program
(setsebool -P xm_disable_trans=1), the error still persisted.
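
Added example, not part of the original report: a small Python triage script that groups setroubleshoot summary lines like the ones quoted above by source domain, permission and target type, so repeated denials collapse into one entry with its sealert ID. The function names and the final sshd sample line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpt in this report, with wrapped
# lines rejoined. The last (sshd) line is constructed to show that
# non-matching input is skipped.
SAMPLE_LOG = """\
Jun 14 18:40:53 dhcp-96 setroubleshoot:      SELinux is preventing virsh (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing <Unknown> (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing /usr/libexec/libvirt_proxy (xm_t) "write" access to xend-socket (xend_var_lib_t).      For complete SELinux messages. run sealert -l a37bcf4b-357f-451a-b916-a9fdd12c37d3
Jun 14 18:41:02 dhcp-96 sshd[2011]: unrelated line that must be skipped
"""

# Matches the one-line summary that setroubleshoot writes to syslog.
DENIAL = re.compile(
    r'setroubleshoot:\s+SELinux is preventing (?P<exe>.+?) \((?P<domain>\w+)\) '
    r'"(?P<perm>\w+)" access to (?P<target>.+?) \((?P<ttype>\w+)\)\.'
    r'.*?sealert -l (?P<alert>[0-9a-f-]{36})'
)

def summarize(log_text):
    """Group denials by (source domain, permission, target type)."""
    groups = defaultdict(lambda: {"count": 0, "exes": set(), "alerts": set()})
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # not a setroubleshoot denial summary
        g = groups[(m["domain"], m["perm"], m["ttype"])]
        g["count"] += 1
        g["exes"].add(m["exe"])      # executable named in the message
        g["alerts"].add(m["alert"])  # ID to pass to `sealert -l`
    return dict(groups)

def report(groups):
    """Render one line per distinct denial plus its sealert lookups."""
    lines = []
    for (domain, perm, ttype), g in sorted(groups.items()):
        exes = ", ".join(sorted(g["exes"]))
        lines.append(f"{g['count']}x {domain} -> {ttype} [{perm}] via {exes}")
        for alert in sorted(g["alerts"]):
            lines.append(f"    sealert -l {alert}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```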

Comment 1 Daniel Berrangé 2007-06-15 00:08:17 UTC
Nothing to do with virt-manager. From the looks of the limited logs above, the
problem is the SELinux context under which virsh is run when launched from
Conga. So something for either Conga or the Conga SELinux policy to address.


Comment 2 Wade Mealing 2007-06-18 23:42:11 UTC
Ah, sorry about that, Daniel. I even put conga in the title; don't know why I set
this to virt manager.

Comment 3 Mark Nielsen 2007-07-03 18:26:07 UTC
I'm having the same issue. 

Nothing to add except that the only way I could get ricci to talk to luci was
putting SELinux into permissive. Enabling auditing in system-config-selinux
just caused the setroubleshootd to crash.

Comment 4 Ryan McCabe 2007-10-30 17:24:43 UTC
Is anyone still seeing this?

Comment 5 Mark Nielsen 2007-10-30 18:32:09 UTC
I was having no issues when I left off with the latest selinux-policy I had
tested. Unfortunately I've had to temporarily stop development on my RHEL 5.1
cluster. I'll be looking to start up again in the next week or two.

Comment 6 Wade Mealing 2008-01-23 04:52:59 UTC
Fixed on my end.