Description of problem:
More info is at https://fedorahosted.org/pipermail/cluster-commits/2011-March/001843.html
I don't see AVCs as a result of this move now, but they could appear in the future depending on what actions will be performed on that file.
Version-Release number of selected component (if applicable):
# matchpathcon /var/lib/cluster/fence_scsi.key
# matchpathcon /var/run/cluster/fence_scsi.key
Who needs access to this file?
(In reply to comment #2)
> Who needs access to this file?
The fence_scsi agent (/usr/sbin/fence_scsi) and potentially the fence_scsi_check watchdog script.
Does it cause an issue? Does it work with SELinux in enforcing mode?
(In reply to comment #5)
> Does it cause an issue? Does it work with SELinux in enforcing mode?
I have not seen any issues, but QE needs to give the official answer here.
I encountered no issues when testing on RHEL6.2.
Note that the files created in /var/run/cluster/ by fence_scsi get the following context in my test:
# ls -Z /var/run/cluster/
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.dev
-rw-r--r--. root root unconfined_u:object_r:fenced_var_run_t:s0 fence_scsi.key
That does not match what is reported in comment #1.
Yes, this is OK. But I need to add labeling for it. I didn't realize we have a transition rule for the /var/run/cluster directory.
But the /var/run/cluster/fence directory would be nice.
Fixed in selinux-policy-targeted-3.7.19-114.el6
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.