[ClusterLabs] [ClusterLabs Developers] Problem with fence_virsh in RHEL 6 - selinux denial

Digimer lists at alteeve.ca
Wed Sep 9 03:04:02 UTC 2015


On 08/09/15 09:46 PM, Justin Pryzby wrote:
> In case it helps, I take that to mean:
> 
> fence_virsh is a python program, which is attempting to run ssh, but failing.
> 
> Can you check:
> 
> which ssh # make sure it's not strange ssh in a /usr/local or such;
> ls -Z `which fence_virsh` `which ssh`

====
[root at node1 ~]# ls -Z `which fence_virsh` `which ssh`
-rwxr-xr-x. root root system_u:object_r:ssh_exec_t:s0  /usr/bin/ssh
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/fence_virsh
====

> sudo restorecon -v `which fence_virsh` `which ssh` # restore default selinux contexts
> ls -Z `which fence_virsh` `which ssh` # check again..

No change;

====
[root at node1 ~]# restorecon -v `which fence_virsh` `which ssh`
[root at node1 ~]# ls -Z `which fence_virsh` `which ssh`
-rwxr-xr-x. root root system_u:object_r:ssh_exec_t:s0  /usr/bin/ssh
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/fence_virsh
====

Not surprised, as this is a fresh install + OS update.

I wiped audit.log, restarted auditd and then tried to fence manually.
Here is what I saw:

====
[root at node1 ~]# fence_node node2
fence node2 success
====

In messages:

====
Sep  9 02:53:30 node1 fence_node[23468]: fence node2 success
====

A few moments later, you can see in messages that corosync noticed the
loss of the node and tried to fence, but failed:

====
Sep  9 02:53:38 node1 corosync[2792]:   [TOTEM ] A processor failed,
forming new configuration.
Sep  9 02:53:40 node1 corosync[2792]:   [QUORUM] Members[1]: 1
Sep  9 02:53:40 node1 corosync[2792]:   [TOTEM ] A processor joined or
left the membership and a new membership was formed.
Sep  9 02:53:40 node1 corosync[2792]:   [CPG   ] chosen downlist: sender
r(0) ip(10.20.10.1) r(1) ip(10.10.10.1) ; members(old:2 left:1)
Sep  9 02:53:40 node1 corosync[2792]:   [MAIN  ] Completed service
synchronization, ready to provide service.
Sep  9 02:53:40 node1 kernel: dlm: closing connection to node 2
Sep  9 02:53:40 node1 fenced[2879]: node_history_fence_external no nodeid -1
Sep  9 02:53:40 node1 fenced[2879]: fencing node node2.ccrs.bcn
Sep  9 02:53:40 node1 fenced[2879]: fence node2.ccrs.bcn dev 0.0 agent
fence_virsh result: error from agent
Sep  9 02:53:40 node1 fenced[2879]: fence node2.ccrs.bcn failed
Sep  9 02:53:43 node1 fenced[2879]: fencing node node2.ccrs.bcn
Sep  9 02:53:43 node1 fenced[2879]: fence node2.ccrs.bcn dev 0.0 agent
fence_virsh result: error from agent
Sep  9 02:53:43 node1 fenced[2879]: fence node2.ccrs.bcn failed
Sep  9 02:53:46 node1 fenced[2879]: fencing node node2.ccrs.bcn
Sep  9 02:53:46 node1 fenced[2879]: fence node2.ccrs.bcn dev 0.0 agent
fence_virsh result: error from agent
Sep  9 02:53:46 node1 fenced[2879]: fence node2.ccrs.bcn failed
====

I set selinux to permissive:

====
[root at node1 ~]# setenforce 1
====

And immediately the fence succeeded:

====
Sep  9 02:53:46 node1 dbus: avc:  received setenforce notice (enforcing=0)
Sep  9 02:53:52 node1 fenced[2879]: fence node2.ccrs.bcn success
====

Here is my cluster.conf, in case it matters:

====
[root at node1 ~]# cat /etc/cluster/cluster.conf
<?xml version="1.0"?>
<cluster name="ccrs" config_version="1">
	<cman expected_votes="1" two_node="1" />
	<clusternodes>
		<clusternode name="node1.ccrs.bcn" nodeid="1">
			<altname name="node1.sn" />
			<fence>
				<method name="kvm">
					<device name="kvm_host" port="an-a02n01" delay="15" action="reboot" />
				</method>
			</fence>
		</clusternode>
		<clusternode name="node2.ccrs.bcn" nodeid="2">
			<altname name="node2.sn" />
			<fence>
				<method name="kvm">
					<device name="kvm_host" port="an-a02n02" action="reboot" />
				</method>
			</fence>
		</clusternode>
	</clusternodes>
	<fencedevices>
		<fencedevice name="kvm_host" agent="fence_virsh"
ipaddr="192.168.122.1" login="root" passwd="it's a secret" />
	</fencedevices>
	<fence_daemon post_join_delay="30" />
	<totem rrp_mode="active" secauth="off"/>
	<rm log_level="5">
		<resources>
			<script file="/etc/init.d/drbd" name="drbd"/>
			<script file="/etc/init.d/wait-for-drbd" name="wait-for-drbd"/>
			<script file="/etc/init.d/clvmd" name="clvmd"/>
			<clusterfs device="/dev/node1_vg0/shared" force_unmount="1"
fstype="gfs2" mountpoint="/shared" name="sharedfs" />
			<script file="/etc/init.d/libvirtd" name="libvirtd"/>
		</resources>
		<failoverdomains>
			<failoverdomain name="only_n01" nofailback="1" ordered="0"
restricted="1">
				<failoverdomainnode name="node1.ccrs.bcn"/>
			</failoverdomain>
			<failoverdomain name="only_n02" nofailback="1" ordered="0"
restricted="1">
				<failoverdomainnode name="node2.ccrs.bcn"/>
			</failoverdomain>
			<failoverdomain name="primary_n01" nofailback="1" ordered="1"
restricted="1">
				<failoverdomainnode name="node1.ccrs.bcn" priority="1"/>
				<failoverdomainnode name="node2.ccrs.bcn" priority="2"/>
			</failoverdomain>
			<failoverdomain name="primary_n02" nofailback="1" ordered="1"
restricted="1">
				<failoverdomainnode name="node1.ccrs.bcn" priority="2"/>
				<failoverdomainnode name="node2.ccrs.bcn" priority="1"/>
			</failoverdomain>
		</failoverdomains>
		<service name="storage_n01" autostart="1" domain="only_n01"
exclusive="0" recovery="restart">
			<script ref="drbd">
				<script ref="wait-for-drbd">
					<script ref="clvmd">
						<clusterfs ref="sharedfs"/>
					</script>
				</script>
			</script>
		</service>
		<service name="storage_n02" autostart="1" domain="only_n02"
exclusive="0" recovery="restart">
			<script ref="drbd">
				<script ref="wait-for-drbd">
					<script ref="clvmd">
						<clusterfs ref="sharedfs"/>
					</script>
				</script>
			</script>
		</service>
		<service name="libvirtd_n01" autostart="1" domain="only_n01"
exclusive="0" recovery="restart">
			<script ref="libvirtd"/>
		</service>
		<service name="libvirtd_n02" autostart="1" domain="only_n02"
exclusive="0" recovery="restart">
			<script ref="libvirtd"/>
		</service>
	</rm>
</cluster>
====

In /var/log/audit/audit.log:

====
type=DAEMON_END msg=audit(1441767198.316:6153): auditd normal halt,
sending auid=0 pid=23428 subj=unconfined_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1441767198.441:4809): auditd start,
ver=2.3.7 format=raw kernel=2.6.32-573.3.1.el6.x86_64 auid=0 pid=23452
subj=unconfined_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1441767198.550:9350):
audit_backlog_limit=320 old=320 auid=0 ses=2
subj=unconfined_u:system_r:auditctl_t:s0 res=1
type=AVC msg=audit(1441767220.374:9351): avc:  denied  { execute } for
pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767220.374:9351): arch=c000003e syscall=21
success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c670080
items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767220.374:9352): avc:  denied  { execute } for
pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767220.374:9352): arch=c000003e syscall=21
success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8
items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767220.374:9353): avc:  denied  { execute } for
pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767220.374:9353): arch=c000003e syscall=21
success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8
items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767220.374:9354): avc:  denied  { execute } for
pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767220.374:9354): arch=c000003e syscall=21
success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8
items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767220.374:9355): avc:  denied  { execute } for
pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767220.374:9355): arch=c000003e syscall=21
success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8
items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767223.481:9356): avc:  denied  { execute } for
pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767223.481:9356): arch=c000003e syscall=21
success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634ad0
items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767223.481:9357): avc:  denied  { execute } for
pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767223.481:9357): arch=c000003e syscall=21
success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18
items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767223.481:9358): avc:  denied  { execute } for
pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767223.481:9358): arch=c000003e syscall=21
success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18
items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767223.481:9359): avc:  denied  { execute } for
pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767223.481:9359): arch=c000003e syscall=21
success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18
items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767223.481:9360): avc:  denied  { execute } for
pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767223.481:9360): arch=c000003e syscall=21
success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18
items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767226.595:9361): avc:  denied  { execute } for
pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767226.595:9361): arch=c000003e syscall=21
success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d6c0
items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767226.595:9362): avc:  denied  { execute } for
pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767226.595:9362): arch=c000003e syscall=21
success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708
items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767226.595:9363): avc:  denied  { execute } for
pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767226.595:9363): arch=c000003e syscall=21
success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708
items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767226.595:9364): avc:  denied  { execute } for
pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767226.595:9364): arch=c000003e syscall=21
success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708
items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767226.595:9365): avc:  denied  { execute } for
pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767226.595:9365): arch=c000003e syscall=21
success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708
items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=MAC_STATUS msg=audit(1441767226.661:9366): enforcing=0
old_enforcing=1 auid=0 ses=2
type=SYSCALL msg=audit(1441767226.661:9366): arch=c000003e syscall=1
success=yes exit=1 a0=3 a1=7ffe514b9f30 a2=1 a3=7ffe514b8cb0 items=0
ppid=2625 pid=23581 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=2 comm="setenforce"
exe="/usr/sbin/setenforce"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1441767229.702:9367): avc:  denied  { execute } for
pid=23606 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767229.702:9367): arch=c000003e syscall=21
success=yes exit=0 a0=16a11a0 a1=1 a2=7f81b57009e8 a3=7ffc2776dc10
items=0 ppid=2879 pid=23606 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh"
exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.705:9368): avc:  denied  { read open } for
 pid=23611 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1441767229.705:9368): avc:  denied  {
execute_no_trans } for  pid=23611 comm="fence_virsh" path="/usr/bin/ssh"
dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767229.705:9368): arch=c000003e syscall=59
success=yes exit=0 a0=169f4a0 a1=164ac60 a2=168b620 a3=7ffc2776dd50
items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.707:9369): avc:  denied  { setuid } for
pid=23611 comm="ssh" capability=7
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability
type=SYSCALL msg=audit(1441767229.707:9369): arch=c000003e syscall=117
success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=3
items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.708:9370): avc:  denied  { search } for
pid=23611 comm="ssh" name=".ssh" dev=vda2 ino=1966197
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1441767229.708:9370): arch=c000003e syscall=2
success=no exit=-2 a0=7ffed853ecd0 a1=0 a2=1b6 a3=0 items=0 ppid=23606
pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.709:9371): avc:  denied  { name_connect }
for  pid=23611 comm="ssh" dest=22
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1441767229.709:9371): arch=c000003e syscall=42
success=yes exit=0 a0=3 a1=7fa79084eb30 a2=10 a3=fffffffffffffee0
items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.710:9372): avc:  denied  { setgid } for
pid=23611 comm="ssh" capability=6
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability
type=SYSCALL msg=audit(1441767229.710:9372): arch=c000003e syscall=119
success=yes exit=0 a0=0 a1=0 a2=0 a3=e items=0 ppid=23606 pid=23611
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.710:9373): avc:  denied  { getattr } for
pid=23611 comm="ssh" path="/root/.ssh" dev=vda2 ino=1966197
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1441767229.710:9373): arch=c000003e syscall=4
success=yes exit=0 a0=7ffed853ecd0 a1=7ffed853ec40 a2=7ffed853ec40 a3=0
items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.710:9374): avc:  denied  { read } for
pid=23611 comm="ssh" name="id_rsa" dev=vda2 ino=1966200
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=AVC msg=audit(1441767229.710:9374): avc:  denied  { open } for
pid=23611 comm="ssh" name="id_rsa" dev=vda2 ino=1966200
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=SYSCALL msg=audit(1441767229.710:9374): arch=c000003e syscall=2
success=yes exit=4 a0=7fa79084e920 a1=0 a2=0 a3=12 items=0 ppid=23606
pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.711:9375): avc:  denied  { getattr } for
pid=23611 comm="ssh" path="/root/.ssh/id_rsa" dev=vda2 ino=1966200
scontext=unconfined_u:system_r:fenced_t:s0
tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=SYSCALL msg=audit(1441767229.711:9375): arch=c000003e syscall=5
success=yes exit=0 a0=4 a1=7ffed853d3d0 a2=7ffed853d3d0 a3=12 items=0
ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh"
subj=unconfined_u:system_r:fenced_t:s0 key=(null)
====

Thanks for the help.

digimer

> On Tue, Sep 08, 2015 at 09:18:15PM -0400, Digimer wrote:
>> Hi all,
>>
>>   I've been using KVM-based VMs as a testbed for clusters for ages,
>> always using fence_virsh.
>>
>>   I noticed today though that fence_virsh is now being blocked by
>> selinux (rhel 6.7, fully updated as of today):
>>
>> type=AVC msg=audit(1441752343.878:3269): avc:  denied  { execute } for
>> pid=8848 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
>> scontext=unconfined_u:system_r:fenced_t:s0
>> tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
>> type=SYSCALL msg=audit(1441752343.878:3269): arch=c000003e syscall=21
>> success=no exit=-13 a0=1a363a0 a1=1 a2=7f02aa7f89e8 a3=7ffdff0dc7c0
>> items=0 ppid=7759 pid=8848 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="fence_virsh"
>> exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
>> t
>>
>> [root at node1 ~]# rpm -q fence-agents cman corosync
>> fence-agents-4.0.15-8.el6.x86_64
>> cman-3.0.12.1-73.el6.1.x86_64
>> corosync-1.4.7-2.el6.x86_64
>>
>> [root at node1 ~]# cat /etc/redhat-release
>> Red Hat Enterprise Linux Server release 6.7 (Santiago)
>>
>> I'll post a follow-up if I can sort out how to fix it. My selinux-fu is
>> weak...


-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?




More information about the Users mailing list