While setting up GFS2 on f17, I got some SELinux denials: SELinux is preventing /usr/sbin/dlm_controld from 'read, write' accesses on the file qb-cfg-request-1344-1564-16-header. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that dlm_controld should be allowed read write access on the qb-cfg-request-1344-1564-16-header file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep dlm_controld /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:dlm_controld_t:s0 Target Context system_u:object_r:corosync_tmpfs_t:s0 Target Objects qb-cfg-request-1344-1564-16-header [ file ] Source dlm_controld Source Path /usr/sbin/dlm_controld Port <Unknown> Host gnode1.example.com Source RPM Packages dlm-3.99.5-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-145.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name gnode1.example.com Platform Linux gnode1.example.com 3.5.1-1.fc17.x86_64 #1 SMP Thu Aug 9 17:50:43 UTC 2012 x86_64 x86_64 Alert Count 2 First Seen 2012-08-17 11:00:09 EDT Last Seen 2012-08-17 11:00:59 EDT Local ID 2bf1bba5-2330-4698-a353-245cbf4b58bf Raw Audit Messages type=AVC msg=audit(1345215659.222:123): avc: denied { read write } for pid=1564 comm="dlm_controld" name="qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file type=AVC msg=audit(1345215659.222:123): avc: denied { open } for pid=1564 comm="dlm_controld" path="/dev/shm/qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file type=SYSCALL msg=audit(1345215659.222:123): arch=x86_64 syscall=open success=yes exit=EBADF a0=7fff43a39270 a1=2 a2=180 a3=7fff43a38e80 items=0 ppid=1 pid=1564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dlm_controld exe=/usr/sbin/dlm_controld subj=system_u:system_r:dlm_controld_t:s0 key=(null) Hash: dlm_controld,dlm_controld_t,corosync_tmpfs_t,file,read,write audit2allow #============= dlm_controld_t ============== #!!!! The source type 'dlm_controld_t' can write to a 'file' of the following types: # sysfs_t, dlm_controld_tmpfs_t, sysctl_net_t, configfs_t, dlm_controld_var_log_t, dlm_controld_var_run_t, cluster_var_lib_t, initrc_tmp_t, root_t allow dlm_controld_t corosync_tmpfs_t:file { read write open }; audit2allow -R #============= dlm_controld_t ============== #!!!! The source type 'dlm_controld_t' can write to a 'file' of the following types: # sysfs_t, dlm_controld_tmpfs_t, sysctl_net_t, configfs_t, dlm_controld_var_log_t, dlm_controld_var_run_t, cluster_var_lib_t, initrc_tmp_t, root_t allow dlm_controld_t corosync_tmpfs_t:file { read write open }; ----------------------[snip]------------------- Here's a dump of the audit.log. I tried it several times so there may be some duplicates in there: type=AVC msg=audit(1345215444.775:113): avc: denied { create } for pid=1437 comm="dlm_controld" name="dlm" scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1345215444.775:113): arch=c000003e syscall=83 success=no exit=-13 a0=7fee6f1e08c6 a1=1ff a2=a0 a3=3 items=0 ppid=1 pid=1437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null) type=AVC msg=audit(1345215521.537:116): avc: denied { create } for pid=1463 comm="dlm_controld" name="dlm" scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1345215521.537:116): arch=c000003e syscall=83 success=no exit=-13 a0=7f56b77128c6 a1=1ff a2=a0 a3=3 items=0 ppid=1 pid=1463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null) type=AVC msg=audit(1345215609.390:119): avc: denied { read write } for pid=1534 comm="dlm_controld" name="qb-cfg-request-1344-1534-16-header" dev="tmpfs" ino=20001 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file type=SYSCALL msg=audit(1345215609.390:119): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3590e1e0 a1=2 a2=180 a3=7fff3590ddf0 items=0 ppid=1 pid=1534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null) type=AVC msg=audit(1345215659.222:123): avc: denied { read write } for pid=1564 comm="dlm_controld" name="qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file type=AVC msg=audit(1345215659.222:123): avc: denied { open } for pid=1564 comm="dlm_controld" path="/dev/shm/qb-cfg-request-1344-1564-16-header" dev="tmpfs" ino=20970 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file type=SYSCALL msg=audit(1345215659.222:123): arch=c000003e syscall=2 success=yes exit=9 a0=7fff43a39270 a1=2 a2=180 a3=7fff43a38e80 items=0 ppid=1 pid=1564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_controld" exe="/usr/sbin/dlm_controld" subj=system_u:system_r:dlm_controld_t:s0 key=(null) type=AVC msg=audit(1345215689.346:131): avc: denied { execute } for pid=1606 comm="dlm_controld" name="dlm_stonith" dev="dm-1" ino=400854 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file type=AVC msg=audit(1345215689.346:131): avc: denied { read open } for pid=1606 comm="dlm_controld" path="/usr/sbin/dlm_stonith" dev="dm-1" ino=400854 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file type=AVC msg=audit(1345215689.346:131): avc: denied { execute_no_trans } for pid=1606 comm="dlm_controld" path="/usr/sbin/dlm_stonith" dev="dm-1" ino=400854 scontext=system_u:system_r:dlm_controld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file type=SYSCALL msg=audit(1345215689.346:131): arch=c000003e syscall=59 success=yes exit=0 a0=7fff43a3b098 a1=7fff43a3b190 a2=7fff43a3e648 a3=7f6975f46850 items=0 ppid=1564 pid=1606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dlm_stonith" exe="/usr/sbin/dlm_stonith" subj=system_u:system_r:dlm_controld_t:s0 key=(null)
Fixed in selinux-policy-3.10.0-146.fc17.noarch
selinux-policy-3.10.0-146.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-146.fc17
Package selinux-policy-3.10.0-146.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-146.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-12355/selinux-policy-3.10.0-146.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-146.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.