[ClusterLabs] Problem with fence_virsh in RHEL 6 - selinux denial

Digimer lists at alteeve.ca
Tue Sep 8 21:18:15 EDT 2015


Hi all,

  I've been using KVM-based VMs as a testbed for clusters for ages,
always using fence_virsh.

  I noticed today, though, that fence_virsh is now being blocked by
SELinux (RHEL 6.7, fully updated as of today):

type=AVC msg=audit(1441752343.878:3269): avc:  denied  { execute } for
pid=8848 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441752343.878:3269): arch=c000003e syscall=21
success=no exit=-13 a0=1a363a0 a1=1 a2=7f02aa7f89e8 a3=7ffdff0dc7c0
items=0 ppid=7759 pid=8848 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)

[root@node1 ~]# rpm -q fence-agents cman corosync
fence-agents-4.0.15-8.el6.x86_64
cman-3.0.12.1-73.el6.1.x86_64
corosync-1.4.7-2.el6.x86_64

[root@node1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

I'll post a follow-up if I can sort out how to fix it. My selinux-fu is
weak...

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?
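
Added example, not part of the original post: a small Python parser that joins the AVC and SYSCALL records quoted above by audit event ID and derives the type-enforcement rule the denial corresponds to, which is what a policy reviewer needs in hand before deciding whether fenced_t should be allowed to run ssh. The function names are hypothetical, and the sample is the post's two records with the mail line wrapping undone and the SYSCALL fields trimmed.

```python
import re

# Constructed sample: the post's AVC and SYSCALL records, re-joined and trimmed.
SAMPLE = (
    'type=AVC msg=audit(1441752343.878:3269): avc:  denied  { execute } for '
    'pid=8848 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 '
    'scontext=unconfined_u:system_r:fenced_t:s0 '
    'tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1441752343.878:3269): arch=c000003e syscall=21 '
    'success=no exit=-13 a0=1a363a0 a1=1 comm="fence_virsh" '
    'exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0\n'
)

EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')   # timestamp:serial
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')    # denied permission set
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value fields

def se_type(context):
    # An SELinux context is user:role:type:level; policy rules use the type.
    return context.split(':')[2]

def parse_denials(log):
    """Return one dict per AVC denial, joined with its SYSCALL record."""
    avcs, syscalls = [], {}
    for line in log.splitlines():
        ev = EVENT_RE.search(line)
        if ev is None:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        m = AVC_RE.search(line)
        if rec.get("type") == "SYSCALL":
            syscalls[ev.group(1)] = rec
        elif rec.get("type") == "AVC" and m:
            avcs.append((ev.group(1), m.group(1).split(), rec))
    out = []
    for event, perms, rec in avcs:
        sc = syscalls.get(event, {})
        out.append({"event": event, "comm": rec.get("comm"), "exe": sc.get("exe"),
                    "source": se_type(rec["scontext"]), "perms": perms,
                    "target": se_type(rec["tcontext"]), "tclass": rec["tclass"],
                    "errno": -int(sc["exit"]) if sc.get("success") == "no" else None})
    return out

def te_rule(d):
    """Type-enforcement rule matching the denial, for review (not a fix)."""
    p = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], p)

if __name__ == "__main__":
    for denial in parse_denials(SAMPLE):
        print(denial["exe"], "errno", denial["errno"], "->", te_rule(denial))
```

On x86_64 (arch=c000003e), syscall 21 is access() and exit=-13 is EACCES, so the record shows the Python agent failing an execute-permission check on the ssh binary rather than a failed exec.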



