[Gluster-users] CentOS 6.4 + selinux enforcing + mount.glusterfs == bad?
Rejy M Cyriac
rcyriac at redhat.com
Tue Mar 12 13:19:51 UTC 2013
On 03/12/2013 02:57 PM, Alan Orth wrote:
> All,
>
> I just learned how to create a new module to allow this request. In a
> nutshell, use audit2allow to check the audit log and create a new
> module, see [1] and [2]. My exact steps:
>
> mkdir ~/selinux_gluster
> cd ~/selinux_gluster
> setenforce 0
> load_policy
> service netfs start
> audit2allow -M glusterd_centos64 -l -i /var/log/audit/audit.log
> setenforce 1
> semodule -i glusterd_centos64.pp
> service netfs start
>
> More precisely, what you are doing is:
>
> 1. setting selinux to permissive mode
> 2. re-loading the policy to get a clean "starting point"
> 3. performing the actions which are being denied
> 4. creating a module
> 5. re-enabling selinux enforcing mode
> 6. loading the new selinux module (which, after loading, is copied into
> /etc/selinux/targeted/modules/active/modules/ and will persist after
> reboot)
> 7. gluster should now be able to mount via /etc/fstab on boot, or via
> the netfs service, etc (ie, not manually as root).
>
> Hope this helps some future traveler,
>
> Alan
>
> [1] http://fedorasolved.org/security-solutions/selinux-module-building
> [2] man audit2allow
>
> On 03/12/2013 11:32 AM, Alan Orth wrote:
>> All,
>>
>> I've updated one of my GlusterFS clients from CentOS 6.3 to CentOS 6.4
>> and now my gluster volumes fail to mount at boot. dmesg shows:
>>
>> type=1400 audit(1363004014.209:4): avc: denied { execute } for
>> pid=1150 comm="mount.glusterfs" name="glusterfsd" dev=sda1 ino=1315297
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
>>
>> Mounting manually as root works, but obviously isn't optimal.
>>
>> Does anyone know how to fix this?
>>
>> Thanks!
>>
>
> --
> Alan Orth
> alan.orth at gmail.com
> http://alaninkenya.org
> http://mjanja.co.ke
> "I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone." -Bjarne Stroustrup, inventor of C++
>
>
>
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://supercolony.gluster.org/mailman/listinfo/gluster-users
>
This should be fixed with the latest SELinux policy update, which was
out for Red Hat Enterprise Linux today:
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch and
selinux-policy-3.7.19-195.el6_4.3.noarch.
--
Regards,
Rejy M Cyriac (rmc)
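As an added illustration (not code from this thread and not the audit2allow tool itself), the POSIX shell below does by hand what Alan's `audit2allow -M` step does: it parses the AVC record quoted in his first message into the allow rule that would be generated and renders a reviewable `.te` source. The function names are my own; the sample record is the one from the thread, and the resulting module grants exactly the denied access, so read it before loading and check first whether a boolean or a vendor policy update already covers the case.

```shell
# Constructed sample: the AVC record quoted earlier in this thread, on one line.
SAMPLE_AVC='type=1400 audit(1363004014.209:4): avc: denied { execute } for pid=1150 comm="mount.glusterfs" name="glusterfsd" dev=sda1 ino=1315297 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file'

# Turn one "avc: denied" line into the allow rule audit2allow would emit for it.
# Prints "allow <source domain> <target type>:<class> { perms };", or fails
# (status 1) if the line is not a parsable AVC denial.
avc_to_allow_rule() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p')
    sdom=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$sdom" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$sdom" "$ttype" "$tclass" "$perms"
}

# Render a reviewable .te source for module $1 from AVC lines read on stdin.
# Duplicate denials collapse to one rule; the require block is derived from
# the rules (types used, and the permissions per object class).
render_te_module() {
    name=$1
    rules=$(while IFS= read -r l; do avc_to_allow_rule "$l" || true; done | sort -u)
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | awk '{ split($3, t, ":"); print "\ttype " $2 ";"; print "\ttype " t[1] ";" }' | sort -u
    printf '%s\n' "$rules" | awk '
        { split($3, t, ":"); p = $0; sub(/^.*[{] */, "", p); sub(/ *[}];.*/, "", p)
          n = split(p, ps, " ")
          for (i = 1; i <= n; i++) if (!((t[2], ps[i]) in seen)) { seen[t[2], ps[i]] = 1; perms[t[2]] = perms[t[2]] " " ps[i] } }
        END { for (c in perms) print "\tclass " c " {" perms[c] " };" }' | sort
    printf '}\n\n%s\n' "$rules"
}

# Typical use: generate the .te, read it, then compile, package and load it
# (the same artefact audit2allow -M produces as glusterd_centos64.pp):
#   grep 'avc: *denied' /var/log/audit/audit.log | render_te_module glusterd_centos64 > glusterd_centos64.te
#   checkmodule -M -m -o glusterd_centos64.mod glusterd_centos64.te
#   semodule_package -o glusterd_centos64.pp -m glusterd_centos64.mod
#   semodule -i glusterd_centos64.pp
```

For the sample record the rule is `allow mount_t glusterd_exec_t:file { execute };`, which is a narrow grant; a generated module that instead allows write or execute on broad types such as the whole filesystem is the point at which to stop and look for a boolean or a policy fix.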