I've had issues with the glusterd and glusterfsd sockets getting labeled
var_run_t instead of glusterd_var_run_t.
To fix your problem:
1. Update your hosts to the latest SELinux policy
2. Set SELinux to enforcing
3. Stop any running glusterd or glusterfsd processes. (i.e. systemctl
stop glusterd; pkill -f gluster)
4. Remove any old socket files from /var/run ( rm -f /var/run/*.socket )
5. Start gluster ( systemctl start glusterd )
6. Check that the sockets were created with a context that gluster can
access. ( ls -Z /var/run/*.socket ) types of glusterd_var_run_t
Gluster is only allowed to write to the following socket types:
sesearch -A -C -s glusterd_t -c sock_file -p write
Found 18 semantic av rules:
allow domain setrans_var_run_t : sock_file { write getattr append open }
;
allow glusterd_t dirsrv_var_run_t : sock_file { write getattr append
open } ;
allow glusterd_t nscd_var_run_t : sock_file { write getattr append open
} ;
allow glusterd_t nslcd_var_run_t : sock_file { write getattr append open
} ;
allow glusterd_t avahi_var_run_t : sock_file { write getattr append open
} ;
allow glusterd_t slapd_var_run_t : sock_file { write getattr append open
} ;
allow glusterd_t sssd_var_lib_t : sock_file { write getattr append open
} ;
allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write
create getattr setattr lock append unlink link rename open } ;
allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write
create getattr setattr lock append unlink link rename open } ;
allow glusterd_t winbind_var_run_t : sock_file { write getattr append
open } ;
allow glusterd_t devlog_t : sock_file { write getattr append open } ;
allow glusterd_t glusterd_tmp_t : sock_file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow glusterd_t lsassd_var_socket_t : sock_file { write getattr append
open } ;
allow daemon abrt_var_run_t : sock_file { write getattr append open } ;
DT allow daemon cluster_pid : sock_file { write getattr append open } ; [
daemons_enable_cluster_mode ]
EF allow glusterd_t nscd_var_run_t : sock_file { write getattr append open
} ; [ nscd_use_shm ]
DT allow glusterd_t nscd_var_run_t : sock_file { ioctl read write getattr
lock append open } ; [ nscd_use_shm ]
ET allow glusterd_t pcscd_var_run_t : sock_file { write getattr append open
} ; [ allow_kerberos ]
Even when the sockets are labeled correctly, a user-initiated relabel can
break Gluster.
[root@hostname run]# pwd
/var/run
[root@hostname run]# ls -Z *.socket
srwx--. root root staff_u:object_r:glusterd_var_run_t:s0
30d920e9fce88ae66a86e85c1d9b.socket
srwx--. root root staff_u:object_r:glusterd_var_run_t:s0
8416f5dc522a14421afdf0f100a6947d.socket
srwx--. root root staff_u:object_r:glusterd_var_run_t:s0
85dc678b993d76ebc8ab2fb3f13a7c03.socket
srwx--. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket
[root@hostname run]# restorecon -v *.socket
restorecon reset /var/run/30d920e9fce88ae66a86e85c1d9b.socket context
staff_u:object_r:glusterd_var_run_t:s0-staff_u:object_r:var_run_t:s0
restorecon reset /var/run/8416f5dc522a14421afdf0f100a6947d.socket context
staff_u:object_r:glusterd_var_run_t:s0-staff_u:object_r:var_run_t:s0
restorecon reset /var/run/85dc678b993d76ebc8ab2fb3f13a7c03.socket context
staff_u:object_r:glusterd_var_run_t:s0-staff_u:object_r:var_run_t:s0
On Thu, Feb 19, 2015 at 8:43 AM, Nathanaël Blanchet blanc...@abes.fr
wrote:
On freshly installed el7 hosts, selinux prevents gluster from running.
Setting selinux to permissive or building the relative .pp module resolves
the issue.
Does otopi configure selinux for gluster when installing?
___
Gluster-users mailing list
Gluster-users@gluster.org
http://www.gluster.org/mailman/listinfo/gluster-users
--
Jeremy Young jrm16...@gmail.com, M.S., RHCSA
___
Gluster-users mailing list
Gluster-users@gluster.org
http://www.gluster.org/mailman/listinfo/gluster-users