Bug 460192 - If selinux is enabled, then luci does not show proper status of clustered services
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
Reported: 2008-08-26 17:53 UTC by Shane Bradley
Modified: 2018-11-14 18:04 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-02-07 11:48:03 UTC

Description Shane Bradley 2008-08-26 17:53:36 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1

Conga always reports clustered services in state "Stopped" when SELinux is enforcing on the cluster nodes.  Setting SELinux to permissive mode on either node and refreshing the page then presents the correct status.  However in either mode no AVC denials are printed to /var/log/audit/audit.log when the problem occurs.  Also turned on setroubleshoot and no errors pop up when it happens.  To make sure I did

  # semodule -b /usr/share/selinux/targeted/enableaudit.pp

But still no denials are printed.  In my tests it did not matter what kind of resources were in the service, all had the same issue (cluster.conf I used is attached).

Also tried:

    # cat mypol.te
    policy_module(mypol, 1.0)
    gen_require(`
        type ricci_modclusterd_t, ricci_modcluster_t;
    ')
    domain_read_all_domains_state(ricci_modclusterd_t)
    domain_read_all_domains_state(ricci_modcluster_t)

Made and loaded the module on both nodes, then rebooted and restarted luci.  Still fails to show correct status or print any avc denials.

And also tried one of dwalsh's latest builds of selinux*.

In all cases, no errors are produced and everything works as expected as long as selinux is disabled.

----

I have tested the cluster nodes (cluster2 in lab, jrummy's nodes) with my Luci server and the problem showed up. So, it appears it is something to do with nodes.

When I disable selinux everything works correctly.

This appears to be an selinux issue on the cluster node side, and I have no idea how to reproduce this issue. We have seen this issue on jrummy's, cluster2, and the customer's clusters. I was unable to reproduce this issue in my recreation. Somehow I was able to avoid this issue, even though we have the same selinux* packages installed.




Reproducible: Always

Steps to Reproduce:
1) Configure clustered service(s) and start them
2) Set SELinux to enforcing on all nodes

    # setenforce 1

3) In conga, click cluster tab
4) Set SELinux to permissive

    # setenforce 0

5) In conga, refresh cluster page

Actual Results:
All services show stopped at step #3, running at step #5


Expected Results:  
At step 3, all services should reflect true state (running)

I have a reproducer setup if you need access to it.
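
The audit-log check described above can be scripted so each node is searched the same way for denials from the two ricci domains named in mypol.te. This is an added example, not part of the original report; the sample records, the `example_target_t` type and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Source domains named in the reporter's mypol.te module.
RICCI_DOMAINS = {"ricci_modclusterd_t", "ricci_modcluster_t"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(lines, domains=RICCI_DOMAINS):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records and other non-denial lines
        src = context_type(m.group("scon"))
        if src not in domains:
            continue  # denial belongs to an unrelated domain
        key = (src, context_type(m.group("tcon")), m.group("tclass"))
        summary[key].update(m.group("perms").split())
    return dict(summary)

# Constructed sample records (not from the bug); example_target_t is a placeholder.
SAMPLE_LOG = """\
type=AVC msg=audit(1219773216.101:41): avc:  denied  { read } for  pid=2101 comm="modclusterd" name="stat" dev=proc ino=1 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:system_r:example_target_t:s0 tclass=file
type=SYSCALL msg=audit(1219773216.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="modclusterd"
type=AVC msg=audit(1219773216.205:42): avc:  denied  { getattr } for  pid=2101 comm="modclusterd" name="stat" dev=proc ino=1 scontext=system_u:system_r:ricci_modclusterd_t:s0 tcontext=system_u:system_r:example_target_t:s0 tclass=file
type=AVC msg=audit(1219773217.310:43): avc:  denied  { search } for  pid=2150 comm="modcluster" name="1" dev=proc ino=2 scontext=system_u:system_r:ricci_modcluster_t:s0 tcontext=system_u:system_r:example_target_t:s0 tclass=dir
type=AVC msg=audit(1219773218.400:44): avc:  denied  { read } for  pid=3001 comm="httpd" name="x" dev=dm-0 ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_target_t:s0 tclass=file
"""

def main():
    result = summarize_denials(SAMPLE_LOG.splitlines())
    if not result:
        print("no AVC denials recorded for the ricci domains")
    for (src, tgt, cls), perms in sorted(result.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")

if __name__ == "__main__":
    main()
```

On a node, pass the lines of /var/log/audit/audit.log to `summarize_denials` instead of `SAMPLE_LOG`; an empty result is the situation the description reports.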

Comment 1 Daniel Walsh 2008-09-02 20:53:14 UTC
Fixed in selinux-policy-2.4.6-150.el5

Currently available as u3 preview on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

