fence_virtd cannot fence VMs and produces SELinux denials in RHEL 7
Issue
- Whenever I start fence_virtd I see setroubleshoot messages in /var/log/messages:
Jan 14 10:16:05 node1 setroubleshoot: SELinux is preventing /usr/sbin/fence_virtd from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l 1d5e47a5-56c7-4256-af85-4ef839abdecb
# sealert -l 1d5e47a5-56c7-4256-af85-4ef839abdecb
SELinux is preventing /usr/sbin/fence_virtd from name_bind access on the udp_socket .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that fence_virtd should be allowed name_bind access on the udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fence_virtd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:fenced_t:s0
Target Context system_u:object_r:zented_port_t:s0
Target Objects [ udp_socket ]
Source fence_virtd
Source Path /usr/sbin/fence_virtd
Port 1229
Host node1.example.com
Source RPM Packages fence-virtd-0.3.0-14.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-114.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name node1.example.com
Platform Linux node1.example.com
3.10.0-67.el7.x86_64 #1 SMP Tue Jan 7 18:01:25 EST
2014 x86_64 x86_64
Alert Count 404
First Seen 2014-01-14 09:44:00 EST
Last Seen 2014-01-14 10:17:35 EST
Local ID 1d5e47a5-56c7-4256-af85-4ef839abdecb
Raw Audit Messages
type=AVC msg=audit(1389712655.674:4740): avc: denied { name_bind } for pid=4761 comm="fence_virtd" src=1229 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:zented_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1389712655.674:4740): arch=x86_64 syscall=bind success=no exit=EACCES a0=8 a1=7fff424406c0 a2=10 a3=1 items=0 ppid=1 pid=4761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fence_virtd exe=/usr/sbin/fence_virtd subj=system_u:system_r:fenced_t:s0 key=(null)
Hash: fence_virtd,fenced_t,zented_port_t,udp_socket,name_bind
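As an added example that is not part of the article, the following POSIX shell helper pulls the source type, denied permission, object class, target type and port out of an AVC record like the one above, so an operator can state precisely what is being denied before deciding how to respond. The sample record is the article's own raw audit message; the function names (avc_field, avc_perm, selinux_type, avc_summary) and the script structure are my own and are not part of fence_virtd or setroubleshoot.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial record such as the one
# fence_virtd produces. The sample line is the raw audit message quoted in
# the article; the helper functions below are constructed for illustration.

SAMPLE_AVC='type=AVC msg=audit(1389712655.674:4740): avc: denied { name_bind } for pid=4761 comm="fence_virtd" src=1229 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:zented_port_t:s0 tclass=udp_socket'

# avc_field LINE KEY -> value of the first "KEY=value" token (quotes stripped)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# avc_perm LINE -> the permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/ *$//'
}

# selinux_type CONTEXT -> the type component of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "<source_type> <perm> <tclass> <target_type> port=<src>"
avc_summary() {
    avc_line=$1
    src_type=$(selinux_type "$(avc_field "$avc_line" scontext)")
    tgt_type=$(selinux_type "$(avc_field "$avc_line" tcontext)")
    printf '%s %s %s %s port=%s\n' \
        "$src_type" "$(avc_perm "$avc_line")" \
        "$(avc_field "$avc_line" tclass)" "$tgt_type" \
        "$(avc_field "$avc_line" src)"
}

# Against a live system, feed the audit log through the summariser and count
# each distinct (source, permission, class, target) tuple once:
#   grep 'avc:  denied' /var/log/audit/audit.log \
#     | while IFS= read -r l; do avc_summary "$l"; done | sort | uniq -c
avc_summary "$SAMPLE_AVC"
```

Run against the sample the script prints `fenced_t name_bind udp_socket zented_port_t port=1229`, the same tuple sealert lists on its Hash line. Pairing that with `semanage port -l` (from policycoreutils-python) shows which type the loaded policy currently assigns to UDP port 1229, which is the question worth answering before loading a catch-all module generated by audit2allow, since such a module permanently widens what the fenced_t domain may do.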
Environment
- Red Hat Enterprise Linux (RHEL) 7 Beta with the High Availability Add On
- fence_virtd running on a virtualization host using the multicast listener
- SELinux in Enforcing or Permissive mode