Bug 667703

Summary: selinux policy for corosync fails to allow it to read config
Product: [Fedora] Fedora
Reporter: Steve Whitehouse <swhiteho>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dwalsh, fdinitto, mgrepl, sdake
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2011-01-06 19:21:16 UTC
Attachments (Description / Flags):
ausearch -m avc -ts today >my.avc / none

Description Steve Whitehouse 2011-01-06 15:08:05 UTC
Take one newly installed f14 via beaker provisioning, add gfs2-utils, gfs2-cluster and the deps. Turn off NetworkManager, turn on network. Create /etc/cluster/cluster.conf, do /etc/init.d/cman start, and I get this:

[root@gfs-a24c-01 ~]# /etc/init.d/cman start
Starting cluster: 
   Checking Network Manager... [  OK  ]
   Global setup... [  OK  ]
   Loading kernel modules... [  107.997256] DLM (built Oct 18 2010 23:59:12) ind
[  OK  ]
   Mounting configfs... [  OK  ]
   Starting cman... I/O warning : failed to load external entity "/etc/cluster/"

Unable to get the configuration
I/O warning : failed to load external entity "/etc/cluster/cluster.conf"
corosync [MAIN  ] Corosync Cluster Engine ('1.3.0'): started and ready to provi.
corosync [MAIN  ] Corosync built-in features: nss rdma
corosync [MAIN  ] Unable to read config from /etc/cluster/cluster.conf
corosync [MAIN  ] Corosync Cluster Engine exiting with status 8 at main.c:1626.
corosync died: Could not read cluster configuration Check cluster logs for detas

Turn selinux into permissive mode and it appears to work correctly.

Comment 1 Miroslav Grepl 2011-01-06 15:15:39 UTC
What AVC messages are you seeing?

# ausearch -m avc -ts today 

Also how is "/etc/cluster/cluster.conf" labeled?

# ls -Z /etc/cluster/cluster.conf

Comment 2 Steve Whitehouse 2011-01-06 15:25:59 UTC
[root@gfs-a24c-01 ~]# ls -Z /etc/cluster/cluster.conf
-rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 /etc/cluster/cluster.conf

Comment 3 Steve Whitehouse 2011-01-06 15:28:03 UTC
Created attachment 472079 [details]
ausearch -m avc -ts today >my.avc

Comment 4 Daniel Walsh 2011-01-06 19:21:16 UTC
Steve, you created the file in /root and then moved it to /etc/cluster/cluster.conf.

This means it maintained the label of admin_home_t, which corosync would not be allowed to read.

Run restorecon -R -v /etc/cluster

Will fix the problem.
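
The mislabel diagnosed in comment 4 can be spotted directly from `ls -Z` output. The following is an added example, not part of the original bug thread: the function name `find_home_labeled`, the `HOME_TYPES` list (`user_home_t` is an assumption beyond the `admin_home_t` seen here) and all sample lines except the one from comment 2 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files outside /root and /home that still carry a
# home-directory SELinux type, the pattern diagnosed in this bug.

# Types treated as "home" labels. admin_home_t comes from the bug report;
# user_home_t is an assumption covering ordinary users' home directories.
HOME_TYPES="admin_home_t user_home_t"

# Reads `ls -Z` output on stdin (the older "mode user group context path"
# layout or the newer "context path" layout) and prints "type path" for each
# entry whose type is in HOME_TYPES and whose path is not under /root or /home.
find_home_labeled() {
    awk -v types="$HOME_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) bad[t[i]] = 1 }
        {
            for (i = 1; i < NF; i++) {
                # A context field looks like user:role:type[:level]
                if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) {
                    # Everything after the context is the path (may hold spaces)
                    path = $(i + 1)
                    for (j = i + 2; j <= NF; j++) path = path " " $j
                    if ((c[3] in bad) && path !~ /^\/(root|home)\//)
                        print c[3], path
                    break
                }
            }
        }'
}

# Constructed sample: the first line is the listing from comment 2; the other
# two are made up (a normally labeled file, and a file that belongs in /root).
sample_listing() {
    cat <<'EOF'
-rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 /etc/cluster/cluster.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/hosts
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 /root/notes.txt
EOF
}

# Prints: admin_home_t /etc/cluster/cluster.conf
sample_listing | find_home_labeled

# On a live system:  ls -Z /etc/cluster/* | find_home_labeled
# Dry run of the fix from comment 4:  restorecon -R -n -v /etc/cluster
```

With `-n`, `restorecon` only reports what it would relabel, which is a useful check before applying the fix on a production cluster node.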