Red Hat Bugzilla – Bug 460192
If selinux is enabled, then luci does not show proper status of clustered services
Last modified: 2010-10-23 00:05:41 EDT
Conga always reports clustered services in state "Stopped" when SELinux is enforcing on the cluster nodes. Setting SELinux to permissive mode on either node and refreshing the page then presents the correct status. However, in either mode, no AVC denials are printed to /var/log/audit/audit.log when the problem occurs. I also turned on setroubleshoot, and no errors pop up when it happens. To make sure, I did:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
But still no denials are printed. In my tests it did not matter what kind of resources were in the service, all had the same issue (cluster.conf I used is attached).
type ricci_modclusterd_t, ricci_modcluster_t;
Made and loaded the module on both nodes, then rebooted and restarted luci. Still fails to show correct status or print any avc denials.
And also tried one of dwalsh's latest builds of selinux*.
In all cases, no errors are produced and everything works as expected as long as selinux is disabled.
I have tested the cluster nodes (cluster2 in lab, jrummy's nodes) with my Luci server and the problem showed up. So, it appears it is something to do with the nodes.
When I disable selinux everything works correctly.
This appears to be an selinux issue on the cluster node side, and I have no idea how to reproduce this issue. We have seen this issue on jrummy's, cluster2, and the customer's clusters. I was unable to reproduce this issue in my recreation. Somehow I was able to avoid this issue, even though we have the same selinux* packages installed.
Steps to Reproduce:
1) Configure clustered service(s) and start them
2) Set SELinux to enforcing on all nodes
# setenforce 1
3) In conga, click cluster tab
4) Set SELinux to permissive
# setenforce 0
5) In conga, refresh cluster page
All services show stopped at step #3, running at step #5
At step 3, all services should reflect true state (running)
I have a reproducer setup if you need access to it.
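Added example, not part of the original report or of the selinux-policy fix: once dontaudit rules are disabled with enableaudit.pp as described above, any denials from the two ricci domain types named in this report land in audit.log, and a summary per source type, target type, class and permission set makes them easy to spot between the setenforce 1 and setenforce 0 steps. The function names and the sample log lines are constructed for illustration; the target types in them are hypothetical and are not the denials behind this bug.

```shell
#!/bin/sh
# Added example: count AVC denials per (source type, target type, class, perms).
# Default filter: the two ricci domain types named in the report.
DEFAULT_DOMAINS='^ricci_modclusterd?_t$'

# Reads audit.log text on stdin; $1 optionally overrides the source-type regex.
# On a node: ricci_avc_summary < /var/log/audit/audit.log
ricci_avc_summary() {
    awk -v pat="${1:-$DEFAULT_DOMAINS}" '
    /avc: +denied/ {
        perms = ""; stype = ""; ttype = ""; tclass = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            # Contexts are user:role:type:level, so the type is the third field.
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype ~ pat)
            n[stype " -> " ttype ":" tclass " {" perms "}"]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# Constructed sample input (hypothetical targets, not taken from this bug).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1219700001.101:301): avc:  denied  { read write } for  pid=2101 comm="modclusterd" name="sample.sk" dev=dm-0 ino=4001 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1219700002.102:302): avc:  denied  { read write } for  pid=2101 comm="modclusterd" name="sample.sk" dev=dm-0 ino=4001 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1219700003.103:303): avc:  denied  { connectto } for  pid=2102 comm="clustat" path="/sample/path" scontext=system_u:system_r:ricci_modcluster_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1219700004.104:304): avc:  denied  { read } for  pid=2103 comm="httpd" name="shadow" dev=dm-0 ino=4002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1219700004.104:304): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
EOF
}

# Demo run over the constructed lines.
sample_audit_log | ricci_avc_summary
```

An empty result while services still show "Stopped" in enforcing mode means no denial from those domains was logged, which is the situation the report describes.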
Fixed in selinux-policy-2.4.6-150.el5
Currently available as u3 preview on