Confined user mapped to sysadm_t cannot perform Pacemaker administration tasks

Solution Verified - Updated -

Issue

  • When a user is mapped to the sysadm_u SELinux user, Pacemaker administration commands fail, as shown in the examples below:

    $ sudo -i
    # id -Z
    sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
    
    # pcs stonith status
    Error: unable to get cluster status from crm_mon
    crm_mon: Error: cluster is not available on this node
    
    # crm_mon
    Waiting until cluster is available on this node ...
    
  • On RHEL7 only, a user mapped to the sysadm_u SELinux user cannot execute the corosync command:

    $ sudo -i
    # id -Z
    sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
    
    # corosync
    -bash: /sbin/corosync: Permission denied
    

Environment

  • Red Hat Enterprise Linux 7 and 8 (RHEL7 and RHEL8)
    • pacemaker
    • confined SELinux sysadm_u users
