Created attachment 345866
denial messages from auditd

Description of problem:
Hosts running RHEL 5.3 with SELinux enforcing will not be able to create a RHCS cluster. Upon cluster start (service cman start), aisexec attempts to allocate some shared memory segments / semaphores, which is denied by the default RHEL 5.3 targeted SELinux policy. Whilst the cluster is technically quorate at this point, it results in the cluster startup hanging indefinitely at "Starting fencing..." where fenced is, I assume, trying to communicate with aisexec via the non-existent shared memory realm. This also causes "cman_tool services" to hang, also unable to communicate with aisexec.

Version-Release number of selected component (if applicable):
openais-0.80.3-22.el5_3.4
cman-2.0.98-1.el5_3.1
selinux-policy-targeted-2.4.6-203.el5
selinux-policy-2.4.6-203.el5

How reproducible:
Every time.

Steps to Reproduce:
1. Install rhel5.3 with selinux enforcing
2. Configure RHCS cluster
3. Attempt to start it

Actual results:
Cluster unusable, as described above. Auditd reports denials in audit.log (attached).

Expected results:
Cluster starts normally.

Additional info:
I assume a simple policy update to include:
allow ccs_t initrc_t:sem { unix_read unix_write };
allow ccs_t initrc_t:shm { unix_read unix_write };
or similar will fix this.
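To show how the allow rules proposed above are derived from auditd AVC denials, here is an added example (not code from the bug report or from any Red Hat package) that aggregates denied permissions per source type, target type and object class, and renders a local policy module in .te form. The audit lines are constructed to match the described denial, and the module name cluster_local is an assumption.

```python
import re
from collections import defaultdict

# Constructed auditd AVC records modelled on the denial the report describes
# (aisexec as ccs_t touching initrc_t sem/shm); not the attached audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1234567890.123:45): avc:  denied  { unix_read } for  pid=2001 comm="aisexec" scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem
type=AVC msg=audit(1234567890.124:46): avc:  denied  { unix_write } for  pid=2001 comm="aisexec" scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=sem
type=AVC msg=audit(1234567890.125:47): avc:  denied  { unix_read unix_write } for  pid=2001 comm="aisexec" scontext=root:system_r:ccs_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=shm
type=SYSCALL msg=audit(1234567890.125:47): arch=c000003e syscall=30 success=no exit=-13
"""

# Denied permission set, source/target contexts and object class of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type component of a user:role:TYPE:level security context."""
    return ctx.split(":")[2]

def collect_denials(log_text):
    """Aggregate denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC fields
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def render_module(rules, name="cluster_local"):
    """Emit .te source for a local policy module covering the denials."""
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls].update(perms)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

The rendered .te file is compiled with checkmodule -M -m and packaged with semodule_package into a .pp, which is then loaded with semodule -i as described later in this thread.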
I strongly suspect that SElinux in enforcing mode will also generate plenty of other errors too, even if those two are fixed. There is an open project to make Cluster Suite work nicely with SElinux, though I can't locate a bugzilla off-hand.
Should it at least be documented, then, that Cluster Suite is not supported with SELinux enforcing? None of the RHCS documentation even mentions SELinux let alone that it will not work.
(In reply to comment #1)
> There is an open project to make Cluster Suite work nicely with SElinux, though
> I can't locate a bugzilla off-hand.

As of now, this is the bugzilla for tracking selinux support for cluster-suite in RHEL5. Will clone for RHEL6 as well.
Created attachment 347911
Policies

Here are some policies for the cluster suite daemons. With these in place I can enable SELinux enforcing and start up a 2 node qdisk cluster and mount GFS filesystems.
> Here are some policies for the cluster suite daemons

I have downloaded the tar file but how do I apply them?
Do I cp all .pp files /usr/share/selinux/targeted/? Thanks.
Created attachment 348221
Updated Policy

This attachment has an updated policy that should be easier to use and has fewer nasty dependency problems. I've also included a README file so people might have some idea of how to use it! Note that this policy is for STABLE3, not RHEL5. There are some odd stubs of policy already in RHEL5 that are troublesome.
Created attachment 348662
Another update

This one is only slightly updated from the last one. It prevents a failure of corosync to start if it crashed last time.
(In reply to comment #4)
> Will clone for RHEL6 as well.

Note that there is already an RFE for an SELinux policy for the Red Hat Cluster Suite for RHEL6: bug #498139.
(In reply to comment #8)
> Do I cp all .pp files /usr/share/selinux/targeted/? Thanks.

semodule -i *.pp is the correct way of installing selinux modules. Thus the modules are activated immediately and you can see if the modules work.
yes, I only found that this works persistently quite recently.
Cluster policy

Fixed in selinux-policy-2.4.6-260.el5
Fixed in selinux-policy-2.4.6-261.el5
*** This bug has been marked as a duplicate of bug 522158 ***