Cluster fencing or unfencing with fence_scsi fails in RHEL 6 when SELinux is enforcing


Issue

  • Cluster fails to start when fence_scsi is configured in the unfencing section of /etc/cluster/cluster.conf:
[root@cluster-rhel6-3 ~]# service cman start
Starting cluster: 
   Checking if cluster has been disabled at boot...        [  OK  ]
   Checking Network Manager...                             [  OK  ]
   Global setup...                                         [  OK  ]
   Loading kernel modules...                               [  OK  ]
   Mounting configfs...                                    [  OK  ]
   Starting cman...                                        [  OK  ]
   Waiting for quorum...                                   [  OK  ]
   Starting fenced...                                      [  OK  ]
   Starting dlm_controld...                                [  OK  ]
   Starting gfs_controld...                                [  OK  ]
   Unfencing self... unfence cluster-rhel6-3-clust.examplerh.com failed
                                                           [FAILED]
Stopping cluster: 
   Leaving fence domain...                                 [  OK  ]
   Stopping gfs_controld... 
                                                           [FAILED]
Jun 19 17:02:03 cluster-rhel6-3 fence_node[9747]: unfence cluster-rhel6-3-clust.examplerh.com failed
  • SELinux AVC denials are seen for fence_scsi:
Jun 19 17:09:51 cluster-rhel6-3 kernel: type=1400 audit(1371676191.491:107409): avc:  denied  { getattr } for  pid=10128 comm="fence_scsi" path="/var/run/cluster/fence_scsi.dev" dev=dm-13 ino=394888 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Jun 19 17:09:51 cluster-rhel6-3 kernel: type=1400 audit(1371676191.784:107410): avc:  denied  { unlink } for  pid=10128 comm="fence_scsi" name="fence_scsi.dev" dev=dm-13 ino=394888 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Jun 19 17:09:52 cluster-rhel6-3 kernel: type=1400 audit(1371676192.318:107411): avc:  denied  { dac_override } for  pid=10252 comm="sg_persist" capability=1  scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability

Environment

  • Red Hat Enterprise Linux (RHEL) 6 with the High Availability Add-On
  • One or more nodes configured to use a fencedevice with agent="fence_scsi" in /etc/cluster/cluster.conf
  • SELinux in enforcing mode
  • selinux-policy package version older than 3.7.19-231.el6
