[Pacemaker] None of the standard agents in ocf:heartbeat are working in centos 6

Andrew Beekhof andrew at beekhof.net
Mon Jul 30 02:30:40 EDT 2012


On Mon, Jul 30, 2012 at 2:21 PM, Vladislav Bogdanov
<bubble at hoster-ok.com> wrote:
> 30.07.2012 02:39, Andrew Beekhof wrote:
>> On Tue, Jul 24, 2012 at 2:25 PM, Vladislav Bogdanov
>> <bubble at hoster-ok.com> wrote:
>>> 24.07.2012 04:50, Andrew Beekhof wrote:
>>>> On Tue, Jul 24, 2012 at 5:38 AM, David Barchas <dave at barchas.com> wrote:
>>>>>
>>>>> On Monday, July 23, 2012 at 7:48 AM, David Barchas wrote:
>>>>>
>>>>>
>>>>> Date: Mon, 23 Jul 2012 14:15:27 +0300
>>>>> From: Vladislav Bogdanov
>>>>>
>>>>> 23.07.2012 08:06, David Barchas wrote:
>>>>>
>>>>> Hello.
>>>>>
>>>>> I have been working on this for 3 days now, and must be so stressed out
>>>>> that I am being blinded to what is probably an obvious cause of this. In
>>>>> a word, HELP.
>>>>>
>>>>>
>>>>> setenforce 0 ?
>>>>>
>>>>> I am familiar with it but have never had to disable it. I would be surprised
>>>>> for packages in standard repos.
>>>>
>>>> No-one has written an selinux policy for pacemaker yet.
>>>> I would imagine that will come in the next month or so.
>>>>
>>>
>>> Highly appreciated. However, the lrmd part may not be as easy to implement
>>> properly as it seems at first glance.
>>>
>>
>> You basically have to let the lrmd run unconfined.
>> I don't think there is any sensible way to constrain something that,
>> by design, needs to be able to perform arbitrary actions as root.
>> To do otherwise you would need to enumerate every possible service +
>> agent that anyone would ever want to write.
>
> Will it (kernel and policy engine) make the transition from unconfined_t to
> appropriate selinux roles when services are started?


One would hope so, I don't have enough selinux knowledge to know for sure.



