24.07.2012 14:23, Vadym Chepkov wrote:
> 
> On Jul 24, 2012, at 12:25 AM, Vladislav Bogdanov wrote:
> 
>> 24.07.2012 04:50, Andrew Beekhof wrote:
>>> On Tue, Jul 24, 2012 at 5:38 AM, David Barchas <d...@barchas.com> wrote:
>>>>
>>>> On Monday, July 23, 2012 at 7:48 AM, David Barchas wrote:
>>>>
>>>>
>>>> Date: Mon, 23 Jul 2012 14:15:27 +0300
>>>> From: Vladislav Bogdanov
>>>>
>>>> 23.07.2012 08:06, David Barchas wrote:
>>>>
>>>> Hello.
>>>>
>>>> I have been working on this for 3 days now, and must be so stressed out
>>>> that I am being blinded to what is probably an obvious cause of this. In
>>>> a word, HELP.
>>>>
>>>>
>>>> setenforce 0 ?
>>>>
>>>> I am familiar with it but have never had to disable it. I would be
>>>> surprised for packages in standard repos.
>>>
>>> No-one has written an selinux policy for pacemaker yet.
>>> I would imagine that will come in the next month or so.
>>>
>>
>> Highly appreciated. However lrmd part may be not as easy to implement
>> properly as it seems at the first glance.
> 
> 
> You can add runcon -t unconfined_t into /etc/init.d/pacemaker for now if you 
> don't want to totally turn selinux off

Yeah, that's great to know. But services running from within pacemaker
will still be unprotected, won't they? And whole system will have a
security breach if service running in unconfined_t context is
compromised (iirc how unconfined_t is handled and nothing changed in
that area for last few years). So it is much better to have "well-done"
policy module for pacemaker, so all (selinux-aware) services start
protected.

Thanks for pointer!

Vladislav


_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
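
One way to check the concern raised in this thread, as an added example that is not part of any poster's message or of the Pacemaker project: the function below reads `ps -eo pid,ppid,label,comm` output and lists every process in the `pacemakerd` tree whose SELinux type is `unconfined_t`. The sample process table and the names `demo_service`, `demo_confined` and `demo_confined_t` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes in a given daemon's process tree that run
# with the SELinux type unconfined_t.
# Input on stdin: output of `ps -eo pid,ppid,label,comm`.

unconfined_descendants() {
    awk -v root="$1" '
        $1 ~ /^[0-9]+$/ {                 # skip the ps header line
            ppid[$1] = $2; label[$1] = $3; comm[$1] = $4
            if ($4 == root) in_tree[$1] = 1
        }
        END {
            for (pid in ppid) {
                # Walk up the parent chain until we reach the root daemon
                # or run out of known parents (hop limit guards bad input).
                p = pid; hops = 0
                while ((p in ppid) && !(p in in_tree) && hops++ < 1024)
                    p = ppid[p]
                if (!(p in in_tree)) continue
                # Context is user:role:type:level; the type is field 3.
                split(label[pid], ctx, ":")
                if (ctx[3] == "unconfined_t")
                    print pid, comm[pid], label[pid]
            }
        }
    ' | sort -n
}

# Constructed sample process table (not captured from a real system).
# demo_service and demo_confined are hypothetical cluster-managed services.
sample_ps() {
    cat <<'EOF'
  PID  PPID LABEL                                 COMMAND
    1     0 system_u:system_r:init_t:s0           init
 2100     1 system_u:system_r:unconfined_t:s0     pacemakerd
 2105  2100 system_u:system_r:unconfined_t:s0     lrmd
 2301  2105 system_u:system_r:unconfined_t:s0     demo_service
 2302  2105 system_u:system_r:demo_confined_t:s0  demo_confined
 2400     1 system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd
 2500  2400 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 bash
EOF
}

# Run against the sample; on a live node use:
#   ps -eo pid,ppid,label,comm | unconfined_descendants pacemakerd
sample_ps | unconfined_descendants pacemakerd
```

Any line this prints for a cluster-managed service means that service is running without a confining domain, which is the situation a dedicated policy module for pacemaker is meant to avoid.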
