Nathanaël Blanchet
2015-Feb-19 14:43 UTC
[Gluster-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file
On freshly installed el7 hosts, selinux prevents gluster from running. Setting selinux to permissive or building the relative .pp module resolves the issue. Does otopi configure selinux for gluster when installing?
Nathanaël Blanchet
2015-Feb-19 14:52 UTC
[Gluster-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file
Hi all,

Sorry, this question was initially for the ovirt list, but I've been told that it was a packaging issue, so I come back to you. The repository gluster comes from is ovirt-3.5-glusterfs-epel.

Thank you for your help.

On 19/02/2015 15:43, Nathanaël Blanchet wrote:
> On freshly installed el7 hosts, selinux prevents gluster from running.
> Setting selinux to permissive or building the relative .pp module
> resolves the issue.
> Does otopi configure selinux for gluster when installing?
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-users
Jeremy Young
2015-Feb-19 15:09 UTC
[Gluster-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file
I've had issues with the glusterd and glusterfsd sockets getting labeled var_run_t instead of glusterd_var_run_t. To fix your problem:

1. Update your hosts to the latest SELinux policy
2. Set SELinux to enforcing
3. Stop any running glusterd or glusterfsd processes (i.e. systemctl stop glusterd; pkill -f gluster)
4. Remove any old socket files from /var/run (rm -f /var/run/*.socket)
5. Start gluster (systemctl start glusterd)
6. Check that the sockets were created with a context that gluster can access (ls -Z /var/run/*.socket), i.e. types of glusterd_var_run_t

Gluster is only allowed to write to the following socket types:

    sesearch -A -C -s glusterd_t -c sock_file -p write
    Found 18 semantic av rules:
       allow domain setrans_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t dirsrv_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t nslcd_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t avahi_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t slapd_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t sssd_var_lib_t : sock_file { write getattr append open } ;
       allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow glusterd_t winbind_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t devlog_t : sock_file { write getattr append open } ;
       allow glusterd_t glusterd_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow glusterd_t lsassd_var_socket_t : sock_file { write getattr append open } ;
       allow daemon abrt_var_run_t : sock_file { write getattr append open } ;
    DT allow daemon cluster_pid : sock_file { write getattr append open } ; [ daemons_enable_cluster_mode ]
    EF allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ; [ nscd_use_shm ]
    DT allow glusterd_t nscd_var_run_t : sock_file { ioctl read write getattr lock append open } ; [ nscd_use_shm ]
    ET allow glusterd_t pcscd_var_run_t : sock_file { write getattr append open } ; [ allow_kerberos ]

Even when the sockets are labeled correctly, a user-initiated relabel can break Gluster.

    [root at hostname run]# pwd
    /var/run
    [root at hostname run]# ls -Z *.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 30d920e9fce88a5555e66a86e85c1d9b.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 8416f5dc522a14421afdf0f100a6947d.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 85dc678b993d76ebc8ab2fb3f13a7c03.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket
    [root at hostname run]# restorecon -v *.socket
    restorecon reset /var/run/30d920e9fce88a5555e66a86e85c1d9b.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
    restorecon reset /var/run/8416f5dc522a14421afdf0f100a6947d.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
    restorecon reset /var/run/85dc678b993d76ebc8ab2fb3f13a7c03.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0

On Thu, Feb 19, 2015 at 8:43 AM, Nathanaël Blanchet <blanchet at abes.fr> wrote:
> On freshly installed el7 hosts, selinux prevents gluster from running.
> Setting selinux to permissive or building the relative .pp module resolves
> the issue.
> Does otopi configure selinux for gluster when installing?
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-users
>

-- 
Jeremy Young <jrm16020 at gmail.com>, M.S., RHCSA
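The reply above describes two ways the socket labels go wrong: glusterd/glusterfsd creating sockets as var_run_t (which the sesearch output shows glusterd_t cannot write), and a relabel that resets correctly labelled sockets back to var_run_t. The script below is an added example, not code from the thread or from the Gluster project; it turns those two observations into a repeatable check by parsing the el7-era `ls -Z` and `restorecon -nv` output formats shown in the post. The sample lines it carries are constructed, and the socket names in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the SELinux labels on Gluster's
# Unix sockets in /var/run for the two failure modes the post above describes.
#   1. A socket created as var_run_t instead of glusterd_var_run_t: the sesearch
#      output shows no write rule for glusterd_t on var_run_t sock_file, so
#      glusterd/glusterfsd are denied (the original symptom).
#   2. A relabel (restorecon) that would reset a correct glusterd_var_run_t
#      socket back to var_run_t because the file-context database has no entry
#      matching it (the "user-initiated relabel" failure).
# Both checks parse the el7-era output formats shown in the thread; the sample
# lines below are constructed, not captured from a real host.

EXPECTED_TYPE="glusterd_var_run_t"

# check_socket_labels: reads `ls -Z` lines on stdin (mode owner group context
# name), prints "BAD <name> <type>" for every socket whose SELinux type is not
# $EXPECTED_TYPE, and exits non-zero if any was found.
check_socket_labels() {
    awk -v want="$EXPECTED_TYPE" '
        $1 ~ /^s/ {                       # mode starting with "s" = socket
            n = split($4, ctx, ":")       # user:role:type:level
            if (n >= 3 && ctx[3] != want) { print "BAD " $5 " " ctx[3]; bad++ }
        }
        END { exit (bad > 0) }'
}

# check_relabel_plan: reads `restorecon -nv` (dry-run, verbose) lines on stdin,
# e.g. "restorecon reset /var/run/x.socket context OLD->NEW", and prints
# "WOULD-BREAK <path> <new type>" for every socket that a relabel would move
# away from $EXPECTED_TYPE; exits non-zero if any was found.
check_relabel_plan() {
    awk -v want="$EXPECTED_TYPE" '
        $1 == "restorecon" && $2 == "reset" && $3 ~ /\.socket$/ {
            split($5, pair, "->")         # OLD->NEW
            split(pair[2], ctx, ":")
            if (ctx[3] != want) { print "WOULD-BREAK " $3 " " ctx[3]; bad++ }
        }
        END { exit (bad > 0) }'
}

# Constructed sample of `ls -Z /var/run/*.socket` (placeholder names): two
# healthy brick sockets and glusterd.socket created with the generic label.
SAMPLE_LS_Z='srwx------. root root system_u:object_r:glusterd_var_run_t:s0 0123456789abcdef0123456789abcdef.socket
srwx------. root root system_u:object_r:glusterd_var_run_t:s0 fedcba9876543210fedcba9876543210.socket
srwx------. root root system_u:object_r:var_run_t:s0 glusterd.socket'

# Constructed sample of `restorecon -nv /var/run/*.socket`: a relabel would
# reset the first brick socket to var_run_t.
SAMPLE_RESTORECON='restorecon reset /var/run/0123456789abcdef0123456789abcdef.socket context system_u:object_r:glusterd_var_run_t:s0->system_u:object_r:var_run_t:s0'

# audit_gluster_sockets: run both checks against the live host (needs the
# SELinux tools and root); returns 0 only when nothing was flagged.
audit_gluster_sockets() {
    rc=0
    ls -Z /var/run/*.socket 2>/dev/null | check_socket_labels || rc=1
    restorecon -nv /var/run/*.socket 2>/dev/null | check_relabel_plan || rc=1
    return $rc
}

# "demo" runs the constructed samples, "live" audits the host; no argument
# just defines the functions so the file can be sourced.
case "${1:-}" in
    demo)
        printf '%s\n' "$SAMPLE_LS_Z" | check_socket_labels
        printf '%s\n' "$SAMPLE_RESTORECON" | check_relabel_plan
        ;;
    live) audit_gluster_sockets ;;
esac
```

Running it with `demo` prints one BAD line for glusterd.socket and one WOULD-BREAK line for the brick socket; with `live` it gives a non-zero exit status suitable for a monitoring hook, so a relabel that would silently cut Gluster off from its own sockets is caught before it is applied rather than after glusterd fails to start. The dry-run relies on `restorecon -n`, which reports what it would change without changing anything; note that the thread's own session ran `restorecon -v` without `-n` and so actually relabelled the files.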