I've had issues with the glusterd and glusterfsd sockets getting labeled var_run_t instead of glusterd_var_run_t.

To fix your problem:

1. Update your hosts to the latest SELinux policy
2. Set SELinux to enforcing
3. Stop any running glusterd or glusterfsd processes. (i.e. systemctl stop glusterd; pkill -f gluster)
4. Remove any old socket files from /var/run ( rm -f /var/run/*.socket )
5. Start gluster ( systemctl start glusterd )
6. Check that the sockets were created with a context that gluster can access. ( ls -Z /var/run/*.socket ) types of glusterd_var_run_t

Gluster is only allowed to write to the following socket types:

    sesearch -A -C -s glusterd_t -c sock_file -p write
    Found 18 semantic av rules:
       allow domain setrans_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t dirsrv_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t nslcd_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t avahi_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t slapd_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t sssd_var_lib_t : sock_file { write getattr append open } ;
       allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow glusterd_t winbind_var_run_t : sock_file { write getattr append open } ;
       allow glusterd_t devlog_t : sock_file { write getattr append open } ;
       allow glusterd_t glusterd_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
       allow glusterd_t lsassd_var_socket_t : sock_file { write getattr append open } ;
       allow daemon abrt_var_run_t : sock_file { write getattr append open } ;
    DT allow daemon cluster_pid : sock_file { write getattr append open } ; [ daemons_enable_cluster_mode ]
    EF allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ; [ nscd_use_shm ]
    DT allow glusterd_t nscd_var_run_t : sock_file { ioctl read write getattr lock append open } ; [ nscd_use_shm ]
    ET allow glusterd_t pcscd_var_run_t : sock_file { write getattr append open } ; [ allow_kerberos ]

Even when the sockets are labeled correctly, a user-initiated relabel can break Gluster.

    [root@hostname run]# pwd
    /var/run
    [root@hostname run]# ls -Z *.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 30d920e9fce88a5555e66a86e85c1d9b.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 8416f5dc522a14421afdf0f100a6947d.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 85dc678b993d76ebc8ab2fb3f13a7c03.socket
    srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket
    [root@hostname run]# restorecon -v *.socket
    restorecon reset /var/run/30d920e9fce88a5555e66a86e85c1d9b.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
    restorecon reset /var/run/8416f5dc522a14421afdf0f100a6947d.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
    restorecon reset /var/run/85dc678b993d76ebc8ab2fb3f13a7c03.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0

On Thu, Feb 19, 2015 at 8:43 AM, Nathanaël Blanchet <blanc...@abes.fr> wrote:

> On freshly installed el7 hosts, selinux prevents gluster from running.
> Setting selinux to permissive or building the relative .pp module resolves
> the issue.
> Does otopi configure selinux for gluster when installing?
> _______________________________________________
> Gluster-users mailing list
> Gluster-users@gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-users
>

--
Jeremy Young <jrm16...@gmail.com>, M.S., RHCSA
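
The label check from step 6 of the reply above, as an added example that is not part of the original message: it reads `ls -Z` output and reports every socket whose SELinux type differs from the expected glusterd_var_run_t. The function name mislabeled_sockets is hypothetical, and the sample listing is constructed from the format shown in the message.

```shell
#!/bin/sh
# Added example: flag socket files whose SELinux type is not the expected one.
# Input is `ls -Z` output; both the el7 layout (mode user group context name)
# and the newer layout (context name) are handled.

# Constructed sample modelled on the listing in the message: one socket has
# been relabeled to var_run_t, the others carry glusterd_var_run_t.
SAMPLE='srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 30d920e9fce88a5555e66a86e85c1d9b.socket
srwx------. root root staff_u:object_r:var_run_t:s0 8416f5dc522a14421afdf0f100a6947d.socket
system_u:object_r:glusterd_var_run_t:s0 glusterd.socket'

# mislabeled_sockets [expected_type]
# Reads `ls -Z` lines on stdin and prints "<file> <actual_type>" per mismatch.
# Always returns 0; an empty result means every socket has the expected type.
mislabeled_sockets() {
    awk -v want="${1:-glusterd_var_run_t}" '
        NF == 0 { next }
        {
            t = ""
            # The last field is the file name; search the others for a
            # context of the form user:role:type:level[:categories].
            for (i = 1; i < NF; i++) {
                n = split($i, part, ":")
                if (n >= 4) { t = part[3]; break }
            }
            if (t == "")        print $NF, "(no context found)"
            else if (t != want) print $NF, t
        }'
}

# Demo on the constructed sample. On a live host:
#   ls -Z /var/run/*.socket | mislabeled_sockets
printf '%s\n' "$SAMPLE" | mislabeled_sockets
```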