Cluster fencing or unfencing with fence_scsi fails in RHEL 6 when SELinux is enforcing
Issue
- Cluster fails to start when fence_scsi is configured in the unfencing section of /etc/cluster/cluster.conf:
[root@cluster-rhel6-3 ~]# service cman start
Starting cluster:
Checking if cluster has been disabled at boot... [ OK ]
Checking Network Manager... [ OK ]
Global setup... [ OK ]
Loading kernel modules... [ OK ]
Mounting configfs... [ OK ]
Starting cman... [ OK ]
Waiting for quorum... [ OK ]
Starting fenced... [ OK ]
Starting dlm_controld... [ OK ]
Starting gfs_controld... [ OK ]
Unfencing self... unfence cluster-rhel6-3-clust.examplerh.com failed
[FAILED]
Stopping cluster:
Leaving fence domain... [ OK ]
Stopping gfs_controld...
[FAILED]
Jun 19 17:02:03 cluster-rhel6-3 fence_node[9747]: unfence cluster-rhel6-3-clust.examplerh.com failed
- SELinux AVC denials are seen for fence_scsi:
Jun 19 17:09:51 cluster-rhel6-3 kernel: type=1400 audit(1371676191.491:107409): avc: denied { getattr } for pid=10128 comm="fence_scsi" path="/var/run/cluster/fence_scsi.dev" dev=dm-13 ino=394888 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Jun 19 17:09:51 cluster-rhel6-3 kernel: type=1400 audit(1371676191.784:107410): avc: denied { unlink } for pid=10128 comm="fence_scsi" name="fence_scsi.dev" dev=dm-13 ino=394888 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Jun 19 17:09:52 cluster-rhel6-3 kernel: type=1400 audit(1371676192.318:107411): avc: denied { dac_override } for pid=10252 comm="sg_persist" capability=1 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability
Environment
- Red Hat Enterprise Linux (RHEL) 6 with the High Availability Add On
- One or more nodes configured to use a fencedevice with agent="fence_scsi" in /etc/cluster/cluster.conf
- SELinux in enforcing mode
- selinux-policy package version older than 3.7.19-231.el6
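
A triage check for the symptoms and environment listed above, as an added example that is not part of the original article: it pulls AVC denials whose source domain is fenced_t out of syslog lines and compares a selinux-policy version-release string against 3.7.19-231.el6. The function names, the httpd sample line and the 3.7.19-195.el6 version string are constructed for illustration, and the version compare is a simplification rather than full rpmvercmp.

```python
import re

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = tuple(m.group('perms').split())
    return rec

def ctx_type(context):
    """Type field of a user:role:type:level SELinux context ('' if malformed)."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''

def fenced_denials(lines):
    """(comm, perms, tclass, target type) for each denial whose source domain is fenced_t."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec and ctx_type(rec.get('scontext', '')) == 'fenced_t':
            hits.append((rec.get('comm'), rec['perms'], rec.get('tclass'),
                         ctx_type(rec.get('tcontext', ''))))
    return hits

def policy_older_than(evr, threshold='3.7.19-231.el6'):
    """Simplified compare: numeric version fields, then the leading number of
    the release. Not a full rpmvercmp implementation."""
    def key(s):
        ver, _, rel = s.partition('-')
        return [int(x) for x in ver.split('.')], int(re.match(r'\d+', rel).group())
    return key(evr) < key(threshold)

# First four lines are quoted from the article; the httpd line is constructed.
SAMPLE_LOG = [
    'Jun 19 17:02:03 cluster-rhel6-3 fence_node[9747]: unfence cluster-rhel6-3-clust.examplerh.com failed',
    'Jun 19 17:09:51 cluster-rhel6-3 kernel: type=1400 audit(1371676191.491:107409): avc: denied { getattr } for pid=10128 comm="fence_scsi" path="/var/run/cluster/fence_scsi.dev" dev=dm-13 ino=394888 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'Jun 19 17:09:51 cluster-rhel6-3 kernel: type=1400 audit(1371676191.784:107410): avc: denied { unlink } for pid=10128 comm="fence_scsi" name="fence_scsi.dev" dev=dm-13 ino=394888 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'Jun 19 17:09:52 cluster-rhel6-3 kernel: type=1400 audit(1371676192.318:107411): avc: denied { dac_override } for pid=10252 comm="sg_persist" capability=1 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability',
    'Jun 19 17:10:05 cluster-rhel6-3 kernel: type=1400 audit(1371676205.100:107412): avc: denied { read } for pid=2001 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == '__main__':
    for hit in fenced_denials(SAMPLE_LOG):
        print(hit)
    print(policy_older_than('3.7.19-195.el6'))  # constructed version string
```

On a live node the log lines would come from /var/log/messages and the version string from the installed selinux-policy package.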