Confined user mapped to sysadm_t cannot perform Pacemaker administration tasks
Issue
- When a user is mapped to the sysadm_u SELinux user, it is not possible to run Pacemaker administration commands, as shown in the examples below:

      $ sudo -i
      # id -Z
      sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
      # pcs stonith status
      Error: unable to get cluster status from crm_mon
      crm_mon: Error: cluster is not available on this node
      # crm_mon
      Waiting until cluster is available on this node ...
- On RHEL7 only, a user mapped to the sysadm_u SELinux user cannot execute the corosync command:

      $ sudo -i
      # id -Z
      sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
      # corosync
      -bash: /sbin/corosync: Permission denied
Environment
- Red Hat Enterprise Linux 7 and 8 (RHEL7 and RHEL8)
- pacemaker
- confined SELinux sysadm_u users