Honza, /var/run won't be a supported operation in rhel5.6 and can be removed from the openais work in progress patch. As a result, /dev/shm is the only thing selinux must be concerned with.
Steven /dev/shm should be labeled tmpfs_t? This looks like something is mislabeled?
Dan, Not entirely sure - Honza (jfriesse) ran the tests. It is possible his system is not labeled properly. He should be able to provide more information on the topic.
(In reply to comment #2)
> Steven /dev/shm should be labeled tmpfs_t? This looks like something is
> mislabeled?

Dan, it looks like (maybe) a bug in selinux:
- I've run restorecon -RvF / (to make sure that my compiled binaries have the right context)
  ls -ladZ /dev/shm
  drwxrwxrwt root root system_u:object_r:device_t /dev/shm
- After computer reboot (I didn't reboot it before)
  ls -ladZ /dev/shm
  drwxrwxrwt root root system_u:object_r:tmpfs_t /dev/shm
- It's fully updated RHEL 5.5
- rpm -qa selinux*
  selinux-policy-targeted-2.4.6-279.el5
  selinux-policy-2.4.6-279.el5
  selinux-policy-devel-2.4.6-279.el5
- getenforce
  Enforcing

But back to the openais problem. It looks like a simple reboot solved the main problem, but the unlink problem is still there:

type=AVC msg=audit(1279007167.111:29): avc: denied { unlink } for pid=3610 comm="aisexec" name="openais_shm-TzIxst" dev=tmpfs ino=14559 scontext=root:system_r:aisexec_t:s0 tcontext=root:object_r:tmpfs_t:s0 tclass=file
We are working on it with Jan.
Jan, could you test it with selinux-policy-2.4.6-283.el5 selinux-policy-targeted-2.4.6-283.el5 packages.
Miroslav, We moved the openais_shm* bug fix out to rhel 5.7 because of 5.6 capacity constraints. My apologies for being unaware of this bug and recommending it for 5.7 rather than 5.6.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Recently, the OpenAIS Standards-Based Cluster Framework, an open implementation of the Application Interface Specification (AIS), started using POSIX semaphores instead of the SysV semaphores. With this update, relevant SELinux rules have been adjusted to reflect this change.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html