Cristian,

This is the link for bug reports:

https://bugzilla.redhat.com/enter_bug.cgi?product=oVirt

Regards,

Jorick

On 11/17/2012 06:16 PM, Cristian Falcas wrote:
Please let me know how to do this, or if the info below is enough.

In the logs I found this when trying to activate the storage:

Nov 17 16:57:58 localhost sanlock[11899]: 2012-11-17 16:57:58+0200 29123 [13385]: open error -13 /rhev/data-center/mnt/_media_ceva2_Ovirt_Storage/f021f6dd-0f88-4d5e-842f-b54e8cb5f846/dom_md/ids
Nov 17 16:57:58 localhost sanlock[11899]: 2012-11-17 16:57:58+0200 29123 [13385]: s1956 open_disk /rhev/data-center/mnt/_media_ceva2_Ovirt_Storage/f021f6dd-0f88-4d5e-842f-b54e8cb5f846/dom_md/ids error -13
Nov 17 16:57:59 localhost setroubleshoot: SELinux is preventing /usr/sbin/sanlock from search access on the directory Storage. For complete SELinux messages. run sealert -l 026bd86b-153c-403a-ab2d-043e381be6cc
Nov 17 16:58:01 localhost vdsm TaskManager.Task ERROR Task=`eb4b34ff-04a8-4d12-9338-ebce08f554ca`::Unexpected error

Running the sealert command :


[root@localhost log]# sealert -l 026bd86b-153c-403a-ab2d-043e381be6cc
SELinux is preventing /usr/sbin/sanlock from search access on the directory Storage.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that sanlock should be allowed search access on the Storage directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sanlock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sanlock_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:public_content_rw_t:s0
Target Objects                Storage [ dir ]
Source                        sanlock
Source Path                   /usr/sbin/sanlock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           sanlock-2.4-2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-159.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.6.6-1.fc17.x86_64 #1 SMP Mon Nov 5 21:59:35 UTC 2012 x86_64 x86_64
Alert Count                   1980
First Seen                    2012-11-16 11:03:19 EET
Last Seen                     2012-11-17 16:58:18 EET
Local ID                      026bd86b-153c-403a-ab2d-043e381be6cc

Raw Audit Messages
type=AVC msg=audit(1353164298.898:5507): avc: denied { search } for pid=13449 comm="sanlock" name="Storage" dev="dm-12" ino=4456450 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=dir


type=SYSCALL msg=audit(1353164298.898:5507): arch=x86_64 syscall=open success=no exit=EACCES a0=7f50b80009c8 a1=105002 a2=0 a3=0 items=0 ppid=1 pid=13449 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)

Hash: sanlock,sanlock_t,public_content_rw_t,dir,search

audit2allow

#============= sanlock_t ==============
allow sanlock_t public_content_rw_t:dir search;

audit2allow -R

#============= sanlock_t ==============
allow sanlock_t public_content_rw_t:dir search;


On Fri, Nov 16, 2012 at 7:51 PM, Federico Simoncelli <fsimo...@redhat.com> wrote:

    ----- Original Message -----
    > From: "Cristian Falcas" <cristi.fal...@gmail.com>
    > To: "Federico Simoncelli" <fsimo...@redhat.com>
    > Cc: "Jorick Astrego" <jor...@netbulae.eu>, users@ovirt.org
    > Sent: Friday, November 16, 2012 6:47:50 PM
    > Subject: Re: [Users] could not add local storage domain
    >
    > it's working for me with the latest files.
    >
    > Current issues:
    > - You need to create the db user as superuser
    > - disable selinux.

    Can you grab the relevant AVC errors and report them in a bug?

    Thanks,
    --
    Federico




--
Met vriendelijke groet,

Jorick Astrego

Netbulae B.V.
Staalsteden 4-13
7547 TA Enschede

Tel. +31 (0)53 - 20 30 270

Email: jor...@netbulae.eu
Site:  http://www.netbulae.eu
