Bug 503141 - cluster won't start with SELinux enforcing - aisexec sem/shm denials
cluster won't start with SELinux enforcing - aisexec sem/shm denials
Status: CLOSED DUPLICATE of bug 522158
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
All Linux
high Severity high
: rc
: ---
Assigned To: Daniel Walsh
Depends On: 522158
Blocks: 499522 504606 511150
  Show dependency treegraph
Reported: 2009-05-29 04:30 EDT by Tom Lanyon
Modified: 2016-04-26 11:26 EDT (History)
20 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 504606 511150 522158 (view as bug list)
Last Closed: 2009-10-22 13:32:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
denial messages from auditd (1.86 KB, text/plain)
2009-05-29 04:30 EDT, Tom Lanyon
no flags Details
Policies (1.40 MB, application/x-gzip)
2009-06-15 06:45 EDT, Christine Caulfield
no flags Details
Updated Policy (24.37 KB, application/x-gzip)
2009-06-17 04:37 EDT, Christine Caulfield
no flags Details
Another update (24.38 KB, application/x-gzip)
2009-06-19 09:21 EDT, Christine Caulfield
no flags Details

  None (edit)
Description Tom Lanyon 2009-05-29 04:30:43 EDT
Created attachment 345866 [details]
denial messages from auditd

Description of problem:
Hosts running RHEL 5.3 with SELinux enforcing will not be able to create a RHCS cluster.

Upon cluster start (service cman start), aisexec attempts to allocate some shared memory segments / semaphores, which is denied by the default RHEL 5.3 targeted SELinux policy. Whilst the cluster is technically quorate at this point, it results in the cluster startup hanging indefinitely at "Starting fencing..." where fenced is, I assume, trying to communicate with aisexec via the non-existant shared memory realm.

This also causes "cman_tool services" to hang, also unable to communicate with aisexec.

Version-Release number of selected component (if applicable):


How reproducible:
Every time.

Steps to Reproduce:
1. Install rhel5.3 with selinux enforcing
2. Configure RHCS cluster
3. Attempt to start it
Actual results:
Cluster unusable, as described above. Auditd reports denials in audit.log (attached).

Expected results:
Cluster starts normally.

Additional info:

I assume a simple policy update to include:
    allow ccs_t initrc_t:sem { unix_read unix_write };
    allow ccs_t initrc_t:shm { unix_read unix_write };
or similar will fix this.
Comment 1 Christine Caulfield 2009-06-04 09:23:29 EDT
I strongly suspect that SElinux in enforcing mode will also generate plenty of other errors too, even if those two are fixed.

There is an open project to make Cluster Suite work nicely with SElinux, though I can't locate a bugzilla off-hand.
Comment 2 Tom Lanyon 2009-06-04 19:12:37 EDT
Should it at least be documented, then, that Cluster Suite is not supported with SELinux enforcing?

None of the RHCS documentation even mentions SELinux let alone that it will not work.
Comment 4 Perry Myers 2009-06-08 09:44:16 EDT
(In reply to comment #1)
> There is an open project to make Cluster Suite work nicely with SElinux, though
> I can't locate a bugzilla off-hand.  

As of now, this is the bugzilla for tracking selinux support for cluster-suite in RHEL5.  Will clone for RHEL6 as well.
Comment 6 Christine Caulfield 2009-06-15 06:45:32 EDT
Created attachment 347911 [details]

Here are some policies for the cluster suite daemons.

With these in place I can enabled SELinux enforcing and start up a 2 node qdisk cluster and mount GFS filesystems.
Comment 7 Shing-Shong Shei 2009-06-16 08:49:19 EDT
> Here are some policies for the cluster suite daemons

I have downloaded the tar file but how do I apply them?
Comment 8 Shing-Shong Shei 2009-06-16 08:56:09 EDT
Do I cp all .pp files /usr/share/selinux/targeted/?  Thanks.
Comment 9 Christine Caulfield 2009-06-17 04:37:44 EDT
Created attachment 348221 [details]
Updated Policy

This attachment has an updated policy that should be easier to use and has fewer nasty dependency problems.

I've also included a README file so people might have some idea of how to use it!

Note that this policy is for STABLE3, not RHEL5. There are some odd stubs of policy already in RHEL5 that are troublesome.
Comment 10 Christine Caulfield 2009-06-19 09:21:49 EDT
Created attachment 348662 [details]
Another update

This one is only slightly updated from the last one. It prevents a failure of corosync to start if it crashed last time.
Comment 12 J.H.M. Dassen (Ray) 2009-07-15 08:04:12 EDT
(In reply to comment #4)
> Will clone for RHEL6 as well.

Note that there is already an RFE for an SELinux policy for the Red Hat Cluster Suite for RHEL6: bug #498139.
Comment 16 Florian Brand 2009-08-04 08:37:09 EDT
(In reply to comment #8)
> Do I cp all .pp files /usr/share/selinux/targeted/?  Thanks.  

semodule -i *.pp is the correct way of installing selinux modules. Thus the modules are activated immediately and you can see if the modules work.
Comment 17 Christine Caulfield 2009-08-04 08:49:18 EDT
yes, I only found that this works persistently quite recently.
Comment 37 Daniel Walsh 2009-10-15 14:29:46 EDT
Cluster policy 

Fixed in selinux-policy-2.4.6-260.el5
Comment 40 Daniel Walsh 2009-10-17 07:37:08 EDT
Fixed in selinux-policy-2.4.6-261.el5
Comment 46 Perry Myers 2009-10-22 13:32:11 EDT

*** This bug has been marked as a duplicate of bug 522158 ***

Note You need to log in before you can comment on or make changes to this bug.