Description of problem:
Selinux policy is currently blocking proper scsi fencing cluster setup.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. setup cluster with scsi fencing
2. make sure you have at least one clustered VG
3. service cman start

Actual results:
denials

Expected results:
smooth operation, no denials

Additional info:
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.879:1046): arch=c000003e syscall=21 success=yes exit=0 a0=205d820 a1=1 a2=0 a3=14 items=0 ppid=5135 pid=5144 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.879:1046): avc: denied { execute } for pid=5144 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.879:1045): arch=c000003e syscall=4 success=yes exit=0 a0=205d820 a1=7fff7237b0b0 a2=7fff7237b0b0 a3=14 items=0 ppid=5135 pid=5144 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.879:1045): avc: denied { getattr } for pid=5144 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.879:1047): arch=c000003e syscall=21 success=yes exit=0 a0=205d820 a1=4 a2=0 a3=14 items=0 ppid=5135 pid=5144 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.879:1047): avc: denied { read } for pid=5144 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.880:1048): arch=c000003e syscall=59 success=yes exit=0 a0=205d820 a1=205ce30 a2=205cae0 a3=18 items=0 ppid=5144 pid=5145 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="cman_tool" exe="/usr/sbin/cman_tool" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.880:1048): avc: denied { execute_no_trans } for pid=5145 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
type=AVC msg=audit(1363702426.880:1048): avc: denied { open } for pid=5145 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.044:1049): arch=c000003e syscall=2 success=yes exit=3 a0=1da8ef0 a1=241 a2=1b6 a3=3491f1dc10 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.044:1049): avc: denied { open } for pid=5135 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1363702427.044:1049): avc: denied { write } for pid=5135 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.044:1050): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffdbe370a0 a3=48 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.044:1050): avc: denied { ioctl } for pid=5135 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.044:1051): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=1d810a0 a2=1d810a0 a3=0 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.044:1051): avc: denied { getattr } for pid=5135 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.127:1052): arch=c000003e syscall=2 success=yes exit=3 a0=1da76d0 a1=442 a2=1b6 a3=3491f1dc10 items=0 ppid=5108 pid=5135 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.127:1052): avc: denied { read append } for pid=5135 comm="fence_scsi" name="fence_scsi.dev" dev=dm-0 ino=2623231 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.672:1054): arch=c000003e syscall=21 success=yes exit=0 a0=1703820 a1=1 a2=0 a3=14 items=0 ppid=5544 pid=5548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.672:1054): avc: denied { execute } for pid=5548 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.672:1055): arch=c000003e syscall=21 success=yes exit=0 a0=1703820 a1=4 a2=0 a3=14 items=0 ppid=5544 pid=5548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.672:1055): avc: denied { read } for pid=5548 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.673:1056): arch=c000003e syscall=59 success=yes exit=0 a0=1703820 a1=1702e30 a2=1702ae0 a3=18 items=0 ppid=5548 pid=5549 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="cman_tool" exe="/usr/sbin/cman_tool" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.673:1056): avc: denied { execute_no_trans } for pid=5549 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
type=AVC msg=audit(1363702447.673:1056): avc: denied { open } for pid=5549 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.832:1057): arch=c000003e syscall=2 success=yes exit=3 a0=1d84ef0 a1=241 a2=1b6 a3=3491f1dc10 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.832:1057): avc: denied { open } for pid=5544 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1363702447.832:1057): avc: denied { write } for pid=5544 comm="fence_scsi" name="fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.832:1058): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff8bc9d5c0 a3=48 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.832:1058): avc: denied { ioctl } for pid=5544 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.832:1059): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=1d5d0a0 a2=1d5d0a0 a3=0 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.832:1059): avc: denied { getattr } for pid=5544 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.914:1060): arch=c000003e syscall=2 success=yes exit=3 a0=1d836d0 a1=442 a2=1b6 a3=3491f1dc10 items=0 ppid=5508 pid=5544 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.914:1060): avc: denied { read append } for pid=5544 comm="fence_scsi" name="fence_scsi.dev" dev=dm-0 ino=2623231 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:14:07 2013
type=SYSCALL msg=audit(1363702447.671:1053): arch=c000003e syscall=4 success=yes exit=0 a0=1703820 a1=7fff069ff320 a2=7fff069ff320 a3=14 items=0 ppid=5544 pid=5548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=163 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702447.671:1053): avc: denied { getattr } for pid=5548 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
It will be needed to re-test it with selinux-policy-3.7.19-208.el6.
Jaroslav, thank you for testing. Please use -209 release.
# ausearch -m AVC
----
time->Wed Jul 24 16:47:54 2013
type=SYSCALL msg=audit(1374677274.236:47): arch=c000003e syscall=4 success=no exit=-13 a0=265f820 a1=7fffd15b47c0 a2=7fffd15b47c0 a3=14 items=0 ppid=7689 pid=7696 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677274.236:47): avc: denied { getattr } for pid=7696 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.338:50): arch=c000003e syscall=21 success=yes exit=0 a0=1fbc820 a1=1 a2=0 a3=14 items=0 ppid=8072 pid=8079 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.338:50): avc: denied { execute } for pid=8079 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.338:49): arch=c000003e syscall=4 success=yes exit=0 a0=1fbc820 a1=7fff4614fad0 a2=7fff4614fad0 a3=14 items=0 ppid=8072 pid=8079 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.338:49): avc: denied { getattr } for pid=8079 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.338:51): arch=c000003e syscall=21 success=yes exit=0 a0=1fbc820 a1=4 a2=0 a3=14 items=0 ppid=8072 pid=8079 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.338:51): avc: denied { read } for pid=8079 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Wed Jul 24 16:48:33 2013
type=SYSCALL msg=audit(1374677313.339:52): arch=c000003e syscall=59 success=yes exit=0 a0=1fbc820 a1=1fbbe30 a2=1fbbae0 a3=18 items=0 ppid=8079 pid=8080 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cman_tool" exe="/usr/sbin/cman_tool" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677313.339:52): avc: denied { execute_no_trans } for pid=8080 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
type=AVC msg=audit(1374677313.339:52): avc: denied { open } for pid=8080 comm="sh" name="cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file

[root@light-02 audit]# rpm -q selinux-policy
selinux-policy-3.7.19-209.el6.noarch
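As an added example (not part of this bug report or of the selinux-policy project), the script below reads `ausearch -m AVC` output like the listings in the description and the retest above and reduces it to what a policy maintainer actually reasons about: the set of permissions denied per (source type, target type, object class), rendered as candidate `.te` rules the way audit2allow groups them, plus a check of the paired SYSCALL record to tell denials that really failed the call (exit=-13, EACCES) from ones that were only logged. The sample records are abridged copies of records quoted in this report (argument, uid and tty fields dropped); the grouping and the EACCES test are this example's own, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample in the "ausearch -m AVC" layout. The records are abridged
# copies of ones quoted in this report (a0..a3, uid and tty fields dropped);
# record 2 shows one event carrying two AVC lines.
SAMPLE = """\
----
time->Wed Jul 24 16:47:54 2013
type=SYSCALL msg=audit(1374677274.236:47): arch=c000003e syscall=4 success=no exit=-13 pid=7696 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1374677274.236:47): avc: denied { getattr } for pid=7696 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=2631495 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:46 2013
type=SYSCALL msg=audit(1363702426.880:1048): arch=c000003e syscall=59 success=yes exit=0 pid=5145 comm="cman_tool" exe="/usr/sbin/cman_tool" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702426.880:1048): avc: denied { execute_no_trans } for pid=5145 comm="sh" path="/usr/sbin/cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
type=AVC msg=audit(1363702426.880:1048): avc: denied { open } for pid=5145 comm="sh" name="cman_tool" dev=dm-0 ino=3024602 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:rgmanager_exec_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.044:1050): arch=c000003e syscall=16 success=no exit=-25 pid=5135 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.044:1050): avc: denied { ioctl } for pid=5135 comm="fence_scsi" path="/var/run/cluster/fence_scsi.key" dev=dm-0 ino=2623229 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Mar 19 15:13:47 2013
type=SYSCALL msg=audit(1363702427.127:1052): arch=c000003e syscall=2 success=yes exit=3 pid=5135 comm="fence_scsi" exe="/usr/bin/perl" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1363702427.127:1052): avc: denied { read append } for pid=5135 comm="fence_scsi" name="fence_scsi.dev" dev=dm-0 ino=2623231 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

SYSCALL_RE = re.compile(r"type=SYSCALL .*?success=(yes|no)\s+exit=(-?\d+)")
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}"
    r".*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)
EACCES = -13  # errno the caller sees when an enforcing-mode denial fails the call


def context_type(ctx):
    """user:role:type:level -> the type field, which is what a policy rule names."""
    return ctx.split(":")[2]


def parse_ausearch(text):
    """One dict per AVC line: permissions, source/target types, class, and whether
    the paired SYSCALL record shows the call was really refused by the denial."""
    events = []
    for chunk in re.split(r"^----\s*$", text, flags=re.M):
        if not chunk.strip():
            continue
        m = SYSCALL_RE.search(chunk)
        # success=no alone is not proof of enforcement: exit=-25 (ENOTTY) in the
        # ioctl record is perl probing a regular file for a tty, not SELinux.
        blocked = bool(m) and m.group(1) == "no" and int(m.group(2)) == EACCES
        for perms, sctx, tctx, tclass in AVC_RE.findall(chunk):
            events.append({
                "perms": frozenset(perms.split()),   # "{ read append }" -> two perms
                "source": context_type(sctx),
                "target": context_type(tctx),
                "tclass": tclass,
                "blocked": blocked,
            })
    return events


def summarize(events):
    """Collapse denials into (source, target, class) -> sorted union of permissions,
    the grouping audit2allow uses when it proposes one rule per triple."""
    grouped = defaultdict(set)
    for ev in events:
        grouped[(ev["source"], ev["target"], ev["tclass"])] |= ev["perms"]
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_te_rules(summary):
    """Render the summary as candidate .te allow rules, for review rather than blind use."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


def blocked_count(events):
    """How many denials actually returned EACCES to the program."""
    return sum(1 for ev in events if ev["blocked"])


if __name__ == "__main__":
    evs = parse_ausearch(SAMPLE)
    for rule in as_te_rules(summarize(evs)):
        print(rule)
    print(f"{blocked_count(evs)} of {len(evs)} denials actually failed with EACCES")
```

The rules it prints are a starting point, not the fix: a denial of fenced_t on a file labelled rgmanager_exec_t (here /usr/sbin/cman_tool) or var_run_t (the key files under /var/run/cluster) can be answered either by granting fenced_t the access or by giving the file a more specific label, and the report does not say which way the -208/-209 policy went. A record with an AVC denial whose SYSCALL line still says success=yes means the system (or the domain) was permissive at the time, which is why most of the Mar 19 records above show the calls going through.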
Should be fixed in the latest policy.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html