Description of problem:
fence_xvm not working with selinux enforcing (even though fenced_can_network_connect is on).

Related denial:
type=AVC msg=audit(1373880998.461:141): avc:  denied  { name_bind } for  pid=4664 comm="fence_xvm" src=1229 scontext=root:system_r:fenced_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1373880998.461:141): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fffae64de70 a2=10 a3=7fffae64de6c items=0 ppid=5681 pid=4664 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fence_xvm" exe="/sbin/fence_xvm" subj=root:system_r:fenced_t:s0-s0:c0.c1023 key=(null)

Jul 15 11:36:38 virt-061 fenced[5681]: agent "fence_xvm" reports: Failed to listen: Permission denied

The agent binds to port 1229/tcp to get the connection from fence_virtd. This is denied, therefore the action itself fails.

I suggest following modifications:
1. put a label on 1229 port so it's not prot_t (inspire by rhel6 here where it's zented_port_t)
2. put binding to this port tunable for fenced_t by fenced_can_network_connect
3. allow transitions to fenced_t from unconfined_t so that "runcon -t fenced_t bash" does not fail on transition denial (helps debugging in different contexts)



Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-344.el5

How reproducible:
100%

Steps to Reproduce:
1. set up cluster with virtual fencing (fence_virtd+fence_xvm)
2. enable fenced_can_network_connect
3. kill one node

Actual results:
The node cannot be fenced due to selinux denial

Expected results:
Node fenced, fence_xvm able to bind to 1229/tcp port in fenced_t context

Additional info: