[Gluster-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file

2015-02-19 Thread Nathanaël Blanchet
On freshly installed el7 hosts, selinux prevents gluster from running. 
Setting selinux to permissive or building the relative .pp module 
resolves the issue.

Does otopi configure selinux for gluster when installing?
___
Gluster-users mailing list
Gluster-users@gluster.org
http://www.gluster.org/mailman/listinfo/gluster-users


Re: [Gluster-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file

2015-02-19 Thread Nathanaël Blanchet

Hi all,

Sorry, this question was initially for the ovirt list, but I've been 
told that it was a packaging issue, so I come back to you.

The repository gluster comes from is ovirt-3.5-glusterfs-epel.
Thank you for your help.

On 19/02/2015 15:43, Nathanaël Blanchet wrote:
On freshly installed el7 hosts, selinux prevents gluster from running. 
Setting selinux to permissive or building the relative .pp module 
resolves the issue.

Does otopi configure selinux for gluster when installing?


Re: [Gluster-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file

2015-02-19 Thread Jeremy Young
I've had issues with the glusterd and glusterfsd sockets getting labeled
var_run_t instead of glusterd_var_run_t.

To fix your problem:

   1. Update your hosts to the latest SELinux policy
   2. Set SELinux to enforcing
   3. Stop any running glusterd or glusterfsd processes.  (i.e. systemctl stop glusterd; pkill -f gluster)
   4. Remove any old socket files from /var/run ( rm -f /var/run/*.socket )
   5. Start gluster ( systemctl start glusterd )
   6. Check that the sockets were created with a context that gluster can access ( ls -Z /var/run/*.socket ), i.e. types of glusterd_var_run_t

Gluster is only allowed to write to the following socket types:
sesearch -A -C -s glusterd_t -c sock_file -p write
Found 18 semantic av rules:
   allow domain setrans_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t dirsrv_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t nslcd_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t avahi_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t slapd_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t sssd_var_lib_t : sock_file { write getattr append open } ;
   allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t winbind_var_run_t : sock_file { write getattr append open } ;
   allow glusterd_t devlog_t : sock_file { write getattr append open } ;
   allow glusterd_t glusterd_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t lsassd_var_socket_t : sock_file { write getattr append open } ;
   allow daemon abrt_var_run_t : sock_file { write getattr append open } ;
DT allow daemon cluster_pid : sock_file { write getattr append open } ; [ daemons_enable_cluster_mode ]
EF allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ; [ nscd_use_shm ]
DT allow glusterd_t nscd_var_run_t : sock_file { ioctl read write getattr lock append open } ; [ nscd_use_shm ]
ET allow glusterd_t pcscd_var_run_t : sock_file { write getattr append open } ; [ allow_kerberos ]


Even when the sockets are labeled correctly, a user-initiated relabel can
break Gluster.

[root@hostname run]# pwd
/var/run
[root@hostname run]# ls -Z *.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 30d920e9fce88ae66a86e85c1d9b.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 8416f5dc522a14421afdf0f100a6947d.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 85dc678b993d76ebc8ab2fb3f13a7c03.socket
srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket
[root@hostname run]# restorecon -v *.socket
restorecon reset /var/run/30d920e9fce88ae66a86e85c1d9b.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
restorecon reset /var/run/8416f5dc522a14421afdf0f100a6947d.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0
restorecon reset /var/run/85dc678b993d76ebc8ab2fb3f13a7c03.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0


On Thu, Feb 19, 2015 at 8:43 AM, Nathanaël Blanchet blanc...@abes.fr wrote:

 On freshly installed el7 hosts, selinux prevents gluster from running.
 Setting selinux to permissive or building the relative .pp module resolves
 the issue.
 Does otopi configure selinux for gluster when installing?




-- 
Jeremy Young jrm16...@gmail.com, M.S., RHCSA
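As an added example (not code from the thread, Gluster or the SELinux policy), a POSIX shell check that ties step 6 above to the sesearch listing: it parses the sock_file rules for glusterd_t to collect the types the daemon may write to, then flags any socket in `ls -Z` output whose type is not in that set. Both inputs are constructed samples in the formats quoted in Jeremy's post; on a real host, feed it the output of `ls -Z /var/run/*.socket` and `sesearch -A -s glusterd_t -c sock_file -p write` instead.

```shell
#!/bin/sh
# Added example: verify that every gluster socket carries a SELinux type
# that glusterd_t is allowed to write to, as listed by sesearch.

# Constructed subset of the sesearch output quoted in the post
# (unconditional rules only).
SAMPLE_SESEARCH='Found 3 semantic av rules:
   allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow glusterd_t devlog_t : sock_file { write getattr append open } ;'

# Constructed `ls -Z /var/run/*.socket` sample: the second socket has been
# reset to var_run_t, which is what the restorecon run in the post produces.
SAMPLE_LS_Z='srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket
srwx------. root root staff_u:object_r:var_run_t:s0 85dc678b993d76ebc8ab2fb3f13a7c03.socket'

# Types granted "write" on sock_file by an "allow glusterd_t <type> : sock_file"
# rule, one per line. Argument: sesearch output as text.
writable_sock_types() {
    printf '%s\n' "$1" | awk '
        $1 == "allow" && $2 == "glusterd_t" && $4 == ":" && $5 == "sock_file" {
            for (i = 6; i <= NF && $i != "}"; i++)
                if ($i == "write") { print $3; break }
        }'
}

# Socket names whose SELinux type (third field of the context) is not in the
# writable set; empty output means glusterd can reach every socket.
# Usage: unwritable_sockets "$(ls -Z /var/run/*.socket)" "$(sesearch ...)"
unwritable_sockets() {
    types=$(writable_sock_types "$2")
    printf '%s\n' "$1" | awk -v types="$types" '
        BEGIN { n = split(types, t, "\n"); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        NF >= 5 { split($4, ctx, ":"); if (!(ctx[3] in ok)) print $5 }'
}

# Demo on the constructed samples: prints the one mislabelled socket.
unwritable_sockets "$SAMPLE_LS_Z" "$SAMPLE_SESEARCH"
```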