Bug 244319 - Selinux denies congas minions from deploying / adding self to conga.
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: conga
Version: 5.0
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Jim Parsons
Reported: 2007-06-14 19:22 EDT by Wade Mealing
Modified: 2009-04-16 18:54 EDT

Doc Type: Bug Fix
Last Closed: 2008-01-22 23:52:59 EST


Description Wade Mealing 2007-06-14 19:22:19 EDT
Description of problem:

When attempting to add the xen domain-0 host to the cluster (to be the xen
fencing server), SELinux errors prevent xen from being able to do its thang.


Version-Release number of selected component (if applicable):


selinux-policy-targeted-2.4.6-30.el5

How reproducible:

Every time

Steps to Reproduce:
1. Create a cluster using luci and ricci
2. Add the xen domain-0 to the cluster.
3. See below messages appear in logs.
  
Actual results:

The node cannot be joined to the cluster; "unable to connect" messages appear in
the conga web interface.

Expected results:

Node to be added to the cluster.

Additional info:

This is the information that appeared in the log files.

Jun 14 18:40:53 dhcp-96 setroubleshoot:      SELinux is preventing virsh (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing <Unknown> (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing /usr/libexec/libvirt_proxy (xm_t) "write" access to xend-socket (xend_var_lib_t).      For complete SELinux messages. run sealert -l a37bcf4b-357f-451a-b916-a9fdd12c37d3
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing virsh (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing <Unknown> (xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed

Even after running the command suggested by the sealert program
(setsebool -P xm_disable_trans=1) the error still persisted.
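
Added example (not part of the original report, and not code from Conga or setroubleshoot): a small parser for the setroubleshoot summary lines quoted above. It collapses repeated entries into distinct (source type, permission, target type) denials, so the policy gap can be pinned down without switching the whole host to permissive mode. The function names parse_denials and summarize are hypothetical; the sample input is the first three log entries from this report.

```python
import re

# First three log entries from the report above, line wrapping as posted.
SAMPLE_LOG = '''\
Jun 14 18:40:53 dhcp-96 setroubleshoot:      SELinux is preventing virsh (xm_t)
"send" access to <Unknown> (unlabeled_t).      For complete SELinux messages.
run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing <Unknown>
(xm_t) "send" access to <Unknown> (unlabeled_t).      For complete SELinux
messages. run sealert -l aff3bf92-2f7c-4c52-9cfa-b510375d4eed
Jun 14 18:41:02 dhcp-96 setroubleshoot:      SELinux is preventing
/usr/libexec/libvirt_proxy (xm_t) "write" access to xend-socket
(xend_var_lib_t).      For complete SELinux messages. run sealert -l
a37bcf4b-357f-451a-b916-a9fdd12c37d3
'''

# \s+ between tokens so entries still parse when wrapped mid-message.
PATTERN = re.compile(
    r'SELinux\s+is\s+preventing\s+(?P<proc>\S+)\s+\((?P<source>\w+)\)\s+'
    r'"(?P<perm>\w+)"\s+access\s+to\s+(?P<target>\S+)\s+\((?P<ttype>\w+)\)\.'
    r'.*?sealert\s+-l\s+(?P<id>[0-9a-f-]{36})', re.S)

def parse_denials(text):
    """Return one dict per setroubleshoot summary entry found in text."""
    return [m.groupdict() for m in PATTERN.finditer(text)]

def summarize(denials):
    """Group entries by (source type, permission, target type)."""
    groups = {}
    for d in denials:
        key = (d["source"], d["perm"], d["ttype"])
        g = groups.setdefault(key, {"count": 0, "procs": set(), "ids": set()})
        g["count"] += 1
        g["procs"].add(d["proc"])
        g["ids"].add(d["id"])
    return groups

if __name__ == "__main__":
    for (src, perm, tgt), g in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{src} -> {tgt} [{perm}] x{g['count']} "
              f"procs={sorted(g['procs'])}")
        for sid in sorted(g["ids"]):
            print(f"  sealert -l {sid}")
```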
Comment 1 Daniel Berrange 2007-06-14 20:08:17 EDT
Nothing to do with virt-manager. From the looks of the limit logs above the
problem is the SELinux context under which virsh is run when launched from
Conga. So something for either Conga or the Conga SELinux policy to address.
Comment 2 Wade Mealing 2007-06-18 19:42:11 EDT
Ah, sorry about that Daniel.  I even put conga in the title, don't know why I set
this to virt manager.
Comment 3 Mark Nielsen 2007-07-03 14:26:07 EDT
I'm having the same issue. 

Nothing to add except that the only way I could get ricci to talk to luci was
putting SELinux into permissive. Enabling auditing in system-config-selinux
just caused the setroubleshootd to crash.
Comment 4 Ryan McCabe 2007-10-30 13:24:43 EDT
Is anyone still seeing this?
Comment 5 Mark Nielsen 2007-10-30 14:32:09 EDT
I was having no issues when I left off with the latest selinux-policy I had
tested. Unfortunately I've had to temporarily stop development on my RHEL 5.1
cluster. I'll be looking to start up again in the next week or two.
Comment 6 Wade Mealing 2008-01-22 23:52:59 EST
Fixed on my end.
