Bug 827063 - dlm_controld does not start with selinux, when executed from init script
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: Unspecified
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 6.2
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Depends On:
Blocks:
Reported: 2012-05-31 10:29 EDT by mick
Modified: 2012-07-17 06:59 EDT (History)
CC List: 6 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-17 06:59:26 EDT
Type: Bug
Regression: ---
Attachments: None
Description mick 2012-05-31 10:29:04 EDT
I made this urgent/urgent only to attract attention.  A more knowledgeable person, please reset as appropriate.


Fabbione discovered this when he was helping me diagnose my 2-node cluster problem.
When I forgot to disable selinux, I would get this error message, repeating every ten seconds:

  May 31 06:10:05 dlm_controld cpg_join error retrying
  May 31 06:10:15 dlm_controld cpg_join error retrying


Here is my cluster.conf, in case it's meaningful:


<?xml version="1.0" ?>
<cluster config_version="43" name="micks_cman_1">
  <logging debug="on"/>
  <cman two_node="1" expected_votes="1"/>
  <uidgid uid="qpidd" gid="qpidd" />
  <fence_daemon post_join_delay="60"/>
  <clusternodes>
    <clusternode name="mrg26" nodeid="1" votes="1">
      <fence>
        <method name="single">
          <device name="fifty-nine" port="14"/>
        </method>
      </fence>
    </clusternode>
    <clusternode name="mrg25" nodeid="2" votes="1">
      <fence>
        <method name="single">
          <device name="fifty-nine" port="10" delay="30"/>
        </method>
      </fence>
    </clusternode>
  </clusternodes>
  <fencedevices>
    <fencedevice agent="fence_apc_snmp" ipaddr="10.16.128.59" login="mrg" name="fifty-nine" passwd="mrg"/>
  </fencedevices>
  <rm>
    <failoverdomains>
      <failoverdomain name="only_broker1" restricted="1">
        <failoverdomainnode name="mrg26"/>
      </failoverdomain>
      <failoverdomain name="only_broker2" restricted="1">
        <failoverdomainnode name="mrg25"/>
      </failoverdomain>
    </failoverdomains>
    <resources>
      <script name="qpidd" file="/home/mick/qpidd_cluster"/>
    </resources>
    <service name="qpidd_broker1" domain="only_broker1">
      <script ref="qpidd" />
    </service>
    <service name="qpidd_broker2" domain="only_broker2">
      <script ref="qpidd" />
    </service>
  </rm>
</cluster>
Comment 1 David Teigland 2012-05-31 10:34:44 EDT
The selinux errors are what will be most meaningful.
Comment 2 Fabio Massimo Di Nitto 2012-05-31 10:35:08 EDT
Reassigning to selinux-policy.

selinux enabled in enforcing mode:
dlm_controld executed from cman init script does not start.
clustat cannot connect to rgmanager (socket issue most likely).

selinux disabled, everything works as expected.

I cross checked with our QE people and they do test with selinux enabled.

We suspect a recent update to -policy might have gone wrong.
Comment 3 Fabio Massimo Di Nitto 2012-05-31 10:35:56 EDT
(In reply to comment #2)
> Reassigning to selinux-policy.
> 
> selinux enable in enforcing mode:
> dlm_controld executed from cman init script does not start.

dlm_controld started manually from login shell works.
Comment 5 Daniel Walsh 2012-05-31 13:42:08 EDT
Please attach the AVC error messages

ausearch -m avc -ts recent
Comment 6 Milos Malik 2012-05-31 13:42:08 EDT
Do you see any AVCs?

# ausearch -m avc -ts today
Comment 7 Miroslav Grepl 2012-05-31 15:36:02 EDT
Also 

# rpm -q selinux-policy

and not sure if you mean "disabled" == "permissive"?
Comment 8 mick 2012-06-01 07:25:30 EDT
(In reply to comment #5)
> Please attach the AVC error messages
> 
> ausearch -m avc -ts recent

(In reply to comment #6)
> Do you see any AVCs?
> 
> # ausearch -m avc -ts today


Here they are -- sorry for the delay -- it was my machines that we saw the problem on.


type=AVC msg=audit(1338470280.298:123): avc:  denied  { write } for  pid=3093 comm="cman_tool" name="cman_client" dev=dm-0 ino=395137 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1338471602.288:140): avc:  denied  { write } for  pid=4108 comm="dlm_controld" name="dlm_controld.pid" dev=dm-0 ino=395148 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1338471687.954:143): avc:  denied  { write } for  pid=4467 comm="dlm_controld" name="dlm_controld.pid" dev=dm-0 ino=395148 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1338471795.382:144): avc:  denied  { write } for  pid=4863 comm="dlm_controld" name="dlm_controld.pid" dev=dm-0 ino=395148 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1338471879.088:145): avc:  denied  { write } for  pid=5252 comm="dlm_controld" name="dlm_controld.pid" dev=dm-0 ino=395148 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1338533351.768:9): avc:  denied  { write } for  pid=2735 comm="snmpwalk" name="lib" dev=dm-0 ino=393218 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Comment 9 mick 2012-06-01 07:27:11 EDT
(In reply to comment #7)
> Also 
> 
> # rpm -q selinux-policy
> 
> and not sure if you mean "disabled" == "permissive"?

[root@mrg25 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-126.el6.noarch


Yes -- we never set selinux to "disabled" -- only "permissive".
Comment 10 mick 2012-06-01 07:30:20 EDT
I own the box that we saw this problem on.  I expect we could easily restore it to the problem-producing state, and then I could give you developers access to it.

If that would be interesting / desirable please let me know.
Comment 11 Miroslav Grepl 2012-06-01 07:31:57 EDT
Ok, please update to the latest set of packages. 

type=AVC msg=audit(1338533351.768:9): avc:  denied  { write } for  pid=2735 comm="snmpwalk" name="lib" dev=dm-0 ino=393218 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

is fixed. I believe this is a test issue.

$ restorecon -Rv /var/run/dlm* /var/run/cman*

and try it again.
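The AVC records in comment 8 share one shape: a confined daemon type (corosync_t, dlm_controld_t, fenced_t) is denied write on a target that carries a generic file type (var_run_t, var_lib_t) instead of the daemon's own type. That is the signature of a mislabelled path rather than a missing allow rule, which is why comment 11 prescribes restorecon rather than a policy change. The triage script below is an added example, not code from this bug report or from the selinux-policy package; it parses raw AVC lines (the three from comment 8 plus one constructed record with a non-generic target type) and separates relabel cases from genuine policy gaps. The table of generic types and the restorecon paths it maps them to are assumed heuristics, and the constructed record's type name is illustrative only.

```python
import re

# Generic file types: a denied target carrying one of these usually means the
# path was never labelled for the daemon (fixed by restorecon), not that the
# policy lacks a rule.  Assumed heuristic table, not from the bug report.
GENERIC_TARGET_TYPES = {
    "var_run_t": "/var/run",
    "var_lib_t": "/var/lib",
    "var_t": "/var",
    "etc_t": "/etc",
    "tmp_t": "/tmp",
    "default_t": "/",
    "unlabeled_t": "/",
}

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the three AVC records quoted in comment 8, plus one
# constructed record (last line, illustrative type name) whose target
# is not a generic type.
SAMPLE_AVCS = """\
type=AVC msg=audit(1338470280.298:123): avc:  denied  { write } for  pid=3093 comm="cman_tool" name="cman_client" dev=dm-0 ino=395137 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1338471602.288:140): avc:  denied  { write } for  pid=4108 comm="dlm_controld" name="dlm_controld.pid" dev=dm-0 ino=395148 scontext=unconfined_u:system_r:dlm_controld_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1338533351.768:9): avc:  denied  { write } for  pid=2735 comm="snmpwalk" name="lib" dev=dm-0 ino=393218 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1338600000.000:200): avc:  denied  { read } for  pid=6000 comm="dlm_controld" name="example.conf" dev=dm-0 ino=400000 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
"""


def parse_avc(line):
    """Parse one raw audit line; return a dict, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is seuser:role:type[:level].  Triage keys on the type; the
    # seuser also records whether the process inherited a login-session
    # identity (unconfined_u) or was started by init (system_u).
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        if len(parts) >= 3:
            rec[side + "_user"] = parts[0]
            rec[side + "_type"] = parts[2]
    return rec


def classify(rec):
    """'mislabeled_target' when the denied object carries a generic type, else 'policy_gap'."""
    if rec.get("tcontext_type") in GENERIC_TARGET_TYPES:
        return "mislabeled_target"
    return "policy_gap"


def suggested_fix(rec):
    ttype = rec.get("tcontext_type")
    if ttype in GENERIC_TARGET_TYPES:
        return "restorecon -Rv %s" % GENERIC_TARGET_TYPES[ttype]
    # Not a labelling problem: policy really lacks (or intends to deny) this
    # access.  audit2why explains the denial before anyone writes a module.
    return "audit2why < avc.log"


def triage(raw_text):
    """Run every denied AVC line through parse/classify; return annotated records."""
    out = []
    for line in raw_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        rec["verdict"] = classify(rec)
        rec["fix"] = suggested_fix(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_AVCS):
        print("%-10s %-15s %-16s -> %-17s %s" % (
            r.get("comm"), r.get("scontext_type"), r.get("tcontext_type"),
            r["verdict"], r["fix"]))
```

Feed it live records with `ausearch -m avc -ts recent -r` (raw output, as comments 5 and 6 ask for). Treat the verdict as a starting point, not a conclusion: after the suggested restorecon, restart the service and re-check the audit log. If restorecon changed nothing, the file context specifications themselves are missing for that path, which is a policy bug to report rather than a labelling slip. And, as comment 7 hints, test in enforcing mode; in permissive mode the denials are logged but nothing actually fails, so a green run there proves little.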
Comment 13 Miroslav Grepl 2012-07-17 06:59:26 EDT
I am going to close this bug now. If this still persists, please reopen. Thank you.
