[Gluster-users] CentOS 6.4 + selinux enforcing + mount.glusterfs == bad?
Alan Orth
alan.orth at gmail.com
Tue Mar 12 09:27:40 UTC 2013
All,
I just learned how to create a new module to allow this request. In a
nutshell, use audit2allow to check the audit log and create a new
module, see [1] and [2]. My exact steps:
mkdir ~/selinux_gluster
cd ~/selinux_gluster
setenforce 0
load_policy
service netfs start
audit2allow -M glusterd_centos64 -l -i /var/log/audit/audit.log
setenforce 1
semodule -i glusterd_centos64.pp
service netfs start
More precisely, what you are doing is:
1. setting selinux to permissive mode
2. re-loading the policy to get a clean "starting point"
3. performing the actions which are being denied
4. creating a module
5. re-enabling selinux enforcing mode
6. loading the new selinux module (which, after loading, is copied into
/etc/selinux/targeted/modules/active/modules/ and will persist after
reboot)
7. gluster should now be able to mount via /etc/fstab on boot, or via
the netfs service, etc. (i.e., not manually as root).
Hope this helps some future traveler,
Alan
[1] http://fedorasolved.org/security-solutions/selinux-module-building
[2] man audit2allow
On 03/12/2013 11:32 AM, Alan Orth wrote:
> All,
>
> I've updated one of my GlusterFS clients from CentOS 6.3 to CentOS 6.4
> and now my gluster volumes fail to mount at boot. dmesg shows:
>
> type=1400 audit(1363004014.209:4): avc: denied { execute } for
> pid=1150 comm="mount.glusterfs" name="glusterfsd" dev=sda1 ino=1315297
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
>
> Mounting manually as root works, but obviously isn't optimal.
>
> Does anyone know how to fix this?
>
> Thanks!
>
--
Alan Orth
alan.orth at gmail.com
http://alaninkenya.org
http://mjanja.co.ke
"I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone." -Bjarne Stroustrup, inventor of C++
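The module Alan builds with audit2allow -M is generated from exactly the kind of AVC denial quoted above. The following added example (not from the thread or the Gluster project) reproduces that step by hand: it parses the denial line into source type, target type, object class and permission, and emits the Type Enforcement (.te) source that audit2allow would write, so the rules can be read before semodule -i installs them. The second log line and the module name are constructed for the example.

```python
import re

# Constructed sample audit log: the AVC denial quoted in the thread, plus a
# second copy with a different timestamp/pid to show that repeated denials
# collapse into a single rule.
AUDIT_LOG = """\
type=1400 audit(1363004014.209:4): avc: denied { execute } for pid=1150 comm="mount.glusterfs" name="glusterfsd" dev=sda1 ino=1315297 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
type=1400 audit(1363004099.001:7): avc: denied { execute } for pid=1201 comm="mount.glusterfs" name="glusterfsd" dev=sda1 ino=1315297 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
"""


def parse_avc(line):
    """Return (source type, target type, class, permissions) for one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        # An SELinux context is user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def build_te(module, lines):
    """Aggregate denials into a minimal Type Enforcement (.te) policy source."""
    rules = {}  # (source type, target type, class) -> set of permissions
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules.setdefault((stype, ttype, tclass), set()).update(perms)
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ["module %s 1.0;" % module, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te("glusterd_centos64", AUDIT_LOG.splitlines()))
```

For the denial in the thread the output is a single rule, allow mount_t glusterd_exec_t:file { execute };, which is what to expect in the glusterd_centos64.te that audit2allow -M leaves next to the .pp; a module generated with -l after a longer permissive window may pick up unrelated denials, so comparing the .te with the one rule you set out to add keeps the module minimal.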