fence_virtd cannot fence VMs and produces SELinux denials in RHEL 7

Solution In Progress - Updated -

Issue

  • Whenever I start fence_virtd I see setroubleshoot messages in /var/log/messages:
Jan 14 10:16:05 node1 setroubleshoot: SELinux is preventing /usr/sbin/fence_virtd from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l 1d5e47a5-56c7-4256-af85-4ef839abdecb
# sealert -l 1d5e47a5-56c7-4256-af85-4ef839abdecb

SELinux is preventing /usr/sbin/fence_virtd from name_bind access on the udp_socket .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fence_virtd should be allowed name_bind access on the  udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fence_virtd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fenced_t:s0
Target Context                system_u:object_r:zented_port_t:s0
Target Objects                 [ udp_socket ]
Source                        fence_virtd
Source Path                   /usr/sbin/fence_virtd
Port                          1229
Host                          node1.example.com
Source RPM Packages           fence-virtd-0.3.0-14.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-114.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     node1.example.com
Platform                      Linux node1.example.com
                              3.10.0-67.el7.x86_64 #1 SMP Tue Jan 7 18:01:25 EST
                              2014 x86_64 x86_64
Alert Count                   404
First Seen                    2014-01-14 09:44:00 EST
Last Seen                     2014-01-14 10:17:35 EST
Local ID                      1d5e47a5-56c7-4256-af85-4ef839abdecb

Raw Audit Messages
type=AVC msg=audit(1389712655.674:4740): avc:  denied  { name_bind } for  pid=4761 comm="fence_virtd" src=1229 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:zented_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1389712655.674:4740): arch=x86_64 syscall=bind success=no exit=EACCES a0=8 a1=7fff424406c0 a2=10 a3=1 items=0 ppid=1 pid=4761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fence_virtd exe=/usr/sbin/fence_virtd subj=system_u:system_r:fenced_t:s0 key=(null)

Hash: fence_virtd,fenced_t,zented_port_t,udp_socket,name_bind
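The raw audit records above carry everything needed to triage the denial: the AVC line names the source domain (fenced_t), the target type (zented_port_t), the object class (udp_socket), the permission (name_bind) and the port (src=1229), and the SYSCALL record with the same serial (4740) names the binary and the system call that failed. The following is an added example, not code from Red Hat or from the fence-virt project: a small Python parser that reads audit.log lines in the format quoted above, joins each AVC to its SYSCALL record by serial, prints a one-line summary, and shows the allow rule that the sealert suggestion (audit2allow -M mypol) would generate for it. The sample input is the two records from this page; the function and class names are the example's own.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the AVC and SYSCALL records quoted in the issue above,
# in the form they take in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389712655.674:4740): avc:  denied  { name_bind } for  pid=4761 comm="fence_virtd" src=1229 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:zented_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1389712655.674:4740): arch=x86_64 syscall=bind success=no exit=EACCES a0=8 a1=7fff424406c0 a2=10 a3=1 items=0 ppid=1 pid=4761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fence_virtd exe=/usr/sbin/fence_virtd subj=system_u:system_r:fenced_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*?) \} for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(r"^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; values may be quoted


def _kv(fields: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(fields)}


@dataclass
class AvcRecord:
    serial: int
    result: str              # "denied" or "granted"
    perms: Tuple[str, ...]   # permissions listed inside { }, e.g. ("name_bind",)
    comm: str
    pid: int
    source_type: str         # type component of scontext, e.g. fenced_t
    target_type: str         # type component of tcontext, e.g. zented_port_t
    tclass: str              # object class, e.g. udp_socket
    port: Optional[int]      # src= port on socket name_bind denials
    exe: Optional[str] = None      # filled in from the SYSCALL record with the same serial
    syscall: Optional[str] = None


def parse_avc_line(line: str) -> Optional[AvcRecord]:
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = _kv(m.group("fields"))
    return AvcRecord(
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        comm=kv.get("comm", ""),
        pid=int(kv.get("pid", 0)),
        source_type=kv["scontext"].split(":")[2],
        target_type=kv["tcontext"].split(":")[2],
        tclass=kv.get("tclass", ""),
        port=int(kv["src"]) if "src" in kv else None,
    )


def parse_audit_log(text: str) -> List[AvcRecord]:
    """Parse AVC records and join each one to the SYSCALL record sharing its serial."""
    avcs, syscalls = {}, {}
    for line in text.splitlines():
        rec = parse_avc_line(line)
        if rec:
            avcs.setdefault(rec.serial, []).append(rec)  # one event may carry several AVCs
            continue
        m = SYSCALL_RE.match(line.strip())
        if m:
            syscalls[int(m.group("serial"))] = _kv(m.group("fields"))
    result = []
    for serial in sorted(avcs):
        sc = syscalls.get(serial, {})
        for rec in avcs[serial]:
            rec.exe, rec.syscall = sc.get("exe"), sc.get("syscall")
            result.append(rec)
    return result


def summarize(rec: AvcRecord) -> str:
    target = f"port {rec.port} ({rec.target_type})" if rec.port is not None else rec.target_type
    via = f" via {rec.syscall}() in {rec.exe}" if rec.exe else ""
    return f"{rec.source_type} {rec.result} {' '.join(rec.perms)} on {rec.tclass} {target}{via}"


def te_rule(rec: AvcRecord) -> str:
    """The allow rule audit2allow would emit for this denial; read it before loading it."""
    perms = " ".join(rec.perms) if len(rec.perms) == 1 else "{ " + " ".join(rec.perms) + " }"
    return f"allow {rec.source_type} {rec.target_type}:{rec.tclass} {perms};"


if __name__ == "__main__":
    # Usage: python avc_triage.py /var/log/audit/audit.log  (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for rec in parse_audit_log(text):
        print(summarize(rec))
        print("   ", te_rule(rec))
```

On the sample records the summary reads "fenced_t denied name_bind on udp_socket port 1229 (zented_port_t) via bind() in /usr/sbin/fence_virtd" and the generated rule is "allow fenced_t zented_port_t:udp_socket name_bind;". Seeing the rule spelled out is the point: a module built from audit2allow grants fenced_t the right to bind any port carrying the zented_port_t label, not only 1229, which is the scope to weigh before running semodule -i on a production host.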

Environment

  • Red Hat Enterprise Linux (RHEL) 7 Beta with the High Availability Add On
  • fence_virtd running on a virtualization host using the multicast listener
  • SELinux in Enforcing or Permissive mode
