Bug 460192 - If selinux is enabled, then luci does not show proper status of clustered services
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2008-08-26 13:53 EDT by Shane Bradley
Modified: 2010-10-23 00:05 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-02-07 06:48:03 EST

Description Shane Bradley 2008-08-26 13:53:36 EDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1

Conga always reports clustered services in state "Stopped" when SELinux is enforcing on the cluster nodes.  Setting SELinux to permissive mode on either node and refreshing the page then presents the correct status.  However in either mode no AVC denials are printed to /var/log/audit/audit.log when the problem occurs.  Also turned on setroubleshoot and no errors pop up when it happens.  To make sure I did

  # semodule -b /usr/share/selinux/targeted/enableaudit.pp

But still no denials are printed.  In my tests it did not matter what kind of resources were in the service, all had the same issue (cluster.conf I used is attached).

Also tried:

  # cat mypol.te
  policy_module(mypol, 1.0)
  gen_require(`
      type ricci_modclusterd_t, ricci_modcluster_t;
  ')
  domain_read_all_domains_state(ricci_modclusterd_t)
  domain_read_all_domains_state(ricci_modcluster_t)

Made and loaded the module on both nodes, then rebooted and restarted luci.  Still fails to show correct status or print any avc denials.

And also tried one of dwalsh's latest builds of selinux*.

In all cases, no errors are produced and everything works as expected as long as selinux is disabled.

----

I have tested the cluster nodes (cluster2 in lab, jrummy's nodes) with my Luci server and the problem showed up. So, it appears it is something to do with nodes.

When I disable selinux everything works correctly.

This appears to be an selinux issue on the cluster node side, and I have no idea how to reproduce this issue. We have seen this issue on jrummy's, cluster2, and the customer's clusters. I was unable to reproduce this issue in my recreation. Somehow I was able to avoid this issue, even though we have the same selinux* packages installed.




Reproducible: Always

Steps to Reproduce:
1) Configure clustered service(s) and start them
2) Set SELinux to enforcing on all nodes

    # setenforce 1

3) In conga, click cluster tab
4) Set SELinux to permissive

    # setenforce 0

5) In conga, refresh cluster page

Actual Results:
All services show stopped at step #3, running at step #5


Expected Results:  
At step 3, all services should reflect true state (running)

I have a reproducer setup if you need access to it.
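
An added example, not part of the original report and not Red Hat tooling: once dontaudit rules have been disabled as in the description, this Python sketch tallies AVC denials from audit.log whose source domain is one of the two ricci domains named in mypol.te, so silent denials stand out from unrelated noise. The log records, the placeholder type `example_t` and the function names are constructed for illustration; the report itself states that no denials were logged.

```python
import re
from collections import Counter

# Source domains taken from the mypol.te module in the report.
DOMAINS = ("ricci_modclusterd_t", "ricci_modcluster_t")

# Matches the permission set and contexts of an "avc: denied" record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample records (format only; example_t is a placeholder type).
SAMPLE_LOG = """\
type=AVC msg=audit(1219773216.101:41): avc:  denied  { read write } for  pid=2301 comm="modclusterd" name="sample" dev=dm-0 ino=1001 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
type=SYSCALL msg=audit(1219773216.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="modclusterd"
type=AVC msg=audit(1219773217.202:42): avc:  denied  { read } for  pid=2301 comm="modclusterd" name="sample" dev=dm-0 ino=1001 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
type=AVC msg=audit(1219773218.303:43): avc:  denied  { getattr } for  pid=911 comm="httpd" path="/tmp/sample" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(lines, domains=DOMAINS):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        source = context_type(m.group("scon"))
        if source not in domains:
            continue  # denial belongs to an unrelated domain
        target = context_type(m.group("tcon"))
        for perm in m.group("perms").split():
            counts[(source, target, m.group("tclass"), perm)] += 1
    return counts


if __name__ == "__main__":
    # On a cluster node, pass open("/var/log/audit/audit.log") instead.
    for key, n in sorted(summarize_denials(SAMPLE_LOG.splitlines()).items()):
        print("%d  %s -> %s : %s { %s }" % ((n,) + key))
```

An empty result with dontaudit rules disabled and SELinux enforcing matches the situation the report describes.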
Comment 1 Daniel Walsh 2008-09-02 16:53:14 EDT
Fixed in selinux-policy-2.4.6-150.el5

Currently available as u3 preview on 

http://people.redhat.com/dwalsh/SELinux/RHEL5
