On 08/09/15 09:46 PM, Justin Pryzby wrote:
> In case it helps, I take that to mean:
>
> fence_virsh is a python program, which is attempting to run ssh, but failing.
>
> Can you check:
>
> which ssh # make sure it's not strange ssh in a /usr/local or such;
> ls -Z `which fence_virsh` `which ssh`

====
[root@node1 ~]# ls -Z `which fence_virsh` `which ssh`
-rwxr-xr-x. root root system_u:object_r:ssh_exec_t:s0 /usr/bin/ssh
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/fence_virsh
====

> sudo restorecon -v `which fence_virsh` `which ssh` # restore default selinux
> contexts
> ls -Z `which fence_virsh` `which ssh` # check again..

No change;

====
[root@node1 ~]# restorecon -v `which fence_virsh` `which ssh`
[root@node1 ~]# ls -Z `which fence_virsh` `which ssh`
-rwxr-xr-x. root root system_u:object_r:ssh_exec_t:s0 /usr/bin/ssh
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/fence_virsh
====

Not surprised, as this is a fresh install + OS update.

I wiped audit.log, restarted auditd and then tried to fence manually.
Here is what I saw:

====
[root@node1 ~]# fence_node node2
fence node2 success
====

In messages:

====
Sep 9 02:53:30 node1 fence_node[23468]: fence node2 success
====

A few moments later, you can see in messages that corosync noticed the
loss of the node and tried to fence, but failed:

====
Sep 9 02:53:38 node1 corosync[2792]: [TOTEM ] A processor failed, forming new configuration.
Sep 9 02:53:40 node1 corosync[2792]: [QUORUM] Members[1]: 1
Sep 9 02:53:40 node1 corosync[2792]: [TOTEM ] A processor joined or left the membership and a new membership was formed.
Sep 9 02:53:40 node1 corosync[2792]: [CPG ] chosen downlist: sender r(0) ip(10.20.10.1) r(1) ip(10.10.10.1) ; members(old:2 left:1)
Sep 9 02:53:40 node1 corosync[2792]: [MAIN ] Completed service synchronization, ready to provide service.
Sep 9 02:53:40 node1 kernel: dlm: closing connection to node 2
Sep 9 02:53:40 node1 fenced[2879]: node_history_fence_external no nodeid -1
Sep 9 02:53:40 node1 fenced[2879]: fencing node node2.ccrs.bcn
Sep 9 02:53:40 node1 fenced[2879]: fence node2.ccrs.bcn dev 0.0 agent fence_virsh result: error from agent
Sep 9 02:53:40 node1 fenced[2879]: fence node2.ccrs.bcn failed
Sep 9 02:53:43 node1 fenced[2879]: fencing node node2.ccrs.bcn
Sep 9 02:53:43 node1 fenced[2879]: fence node2.ccrs.bcn dev 0.0 agent fence_virsh result: error from agent
Sep 9 02:53:43 node1 fenced[2879]: fence node2.ccrs.bcn failed
Sep 9 02:53:46 node1 fenced[2879]: fencing node node2.ccrs.bcn
Sep 9 02:53:46 node1 fenced[2879]: fence node2.ccrs.bcn dev 0.0 agent fence_virsh result: error from agent
Sep 9 02:53:46 node1 fenced[2879]: fence node2.ccrs.bcn failed
====

I set selinux to permissive:

====
[root@node1 ~]# setenforce 1
====

And immediately the fence succeeded:

====
Sep 9 02:53:46 node1 dbus: avc: received setenforce notice (enforcing=0)
Sep 9 02:53:52 node1 fenced[2879]: fence node2.ccrs.bcn success
====

Here is my cluster.conf, in case it matters:

====
[root@node1 ~]# cat /etc/cluster/cluster.conf
<?xml version="1.0"?>
<cluster name="ccrs" config_version="1">
  <cman expected_votes="1" two_node="1" />
  <clusternodes>
    <clusternode name="node1.ccrs.bcn" nodeid="1">
      <altname name="node1.sn" />
      <fence>
        <method name="kvm">
          <device name="kvm_host" port="an-a02n01" delay="15" action="reboot" />
        </method>
      </fence>
    </clusternode>
    <clusternode name="node2.ccrs.bcn" nodeid="2">
      <altname name="node2.sn" />
      <fence>
        <method name="kvm">
          <device name="kvm_host" port="an-a02n02" action="reboot" />
        </method>
      </fence>
    </clusternode>
  </clusternodes>
  <fencedevices>
    <fencedevice name="kvm_host" agent="fence_virsh" ipaddr="192.168.122.1" login="root" passwd="it's a secret" />
  </fencedevices>
  <fence_daemon post_join_delay="30" />
  <totem rrp_mode="active" secauth="off"/>
  <rm log_level="5">
    <resources>
      <script file="/etc/init.d/drbd" name="drbd"/>
      <script file="/etc/init.d/wait-for-drbd" name="wait-for-drbd"/>
      <script file="/etc/init.d/clvmd" name="clvmd"/>
      <clusterfs device="/dev/node1_vg0/shared" force_unmount="1" fstype="gfs2" mountpoint="/shared" name="sharedfs" />
      <script file="/etc/init.d/libvirtd" name="libvirtd"/>
    </resources>
    <failoverdomains>
      <failoverdomain name="only_n01" nofailback="1" ordered="0" restricted="1">
        <failoverdomainnode name="node1.ccrs.bcn"/>
      </failoverdomain>
      <failoverdomain name="only_n02" nofailback="1" ordered="0" restricted="1">
        <failoverdomainnode name="node2.ccrs.bcn"/>
      </failoverdomain>
      <failoverdomain name="primary_n01" nofailback="1" ordered="1" restricted="1">
        <failoverdomainnode name="node1.ccrs.bcn" priority="1"/>
        <failoverdomainnode name="node2.ccrs.bcn" priority="2"/>
      </failoverdomain>
      <failoverdomain name="primary_n02" nofailback="1" ordered="1" restricted="1">
        <failoverdomainnode name="node1.ccrs.bcn" priority="2"/>
        <failoverdomainnode name="node2.ccrs.bcn" priority="1"/>
      </failoverdomain>
    </failoverdomains>
    <service name="storage_n01" autostart="1" domain="only_n01" exclusive="0" recovery="restart">
      <script ref="drbd">
        <script ref="wait-for-drbd">
          <script ref="clvmd">
            <clusterfs ref="sharedfs"/>
          </script>
        </script>
      </script>
    </service>
    <service name="storage_n02" autostart="1" domain="only_n02" exclusive="0" recovery="restart">
      <script ref="drbd">
        <script ref="wait-for-drbd">
          <script ref="clvmd">
            <clusterfs ref="sharedfs"/>
          </script>
        </script>
      </script>
    </service>
    <service name="libvirtd_n01" autostart="1" domain="only_n01" exclusive="0" recovery="restart">
      <script ref="libvirtd"/>
    </service>
    <service name="libvirtd_n02" autostart="1" domain="only_n02" exclusive="0" recovery="restart">
      <script ref="libvirtd"/>
    </service>
  </rm>
</cluster>
====

In /var/log/audit/audit.log:

====
type=DAEMON_END msg=audit(1441767198.316:6153): auditd normal halt, sending auid=0 pid=23428 subj=unconfined_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1441767198.441:4809): auditd start, ver=2.3.7 format=raw kernel=2.6.32-573.3.1.el6.x86_64 auid=0 pid=23452 subj=unconfined_u:system_r:auditd_t:s0 res=success type=CONFIG_CHANGE msg=audit(1441767198.550:9350): audit_backlog_limit=320 old=320 auid=0 ses=2 subj=unconfined_u:system_r:auditctl_t:s0 res=1 type=AVC msg=audit(1441767220.374:9351): avc: denied { execute } for pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767220.374:9351): arch=c000003e syscall=21 success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c670080 items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767220.374:9352): avc: denied { execute } for pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767220.374:9352): arch=c000003e syscall=21 success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8 items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767220.374:9353): avc: denied { execute } for pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767220.374:9353): arch=c000003e syscall=21 success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8 items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" 
subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767220.374:9354): avc: denied { execute } for pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767220.374:9354): arch=c000003e syscall=21 success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8 items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767220.374:9355): avc: denied { execute } for pid=23523 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767220.374:9355): arch=c000003e syscall=21 success=no exit=-13 a0=10461a0 a1=1 a2=7f717ce339e8 a3=7fff0c6700c8 items=0 ppid=2879 pid=23523 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767223.481:9356): avc: denied { execute } for pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767223.481:9356): arch=c000003e syscall=21 success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634ad0 items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767223.481:9357): avc: denied { execute } for pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL 
msg=audit(1441767223.481:9357): arch=c000003e syscall=21 success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18 items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767223.481:9358): avc: denied { execute } for pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767223.481:9358): arch=c000003e syscall=21 success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18 items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767223.481:9359): avc: denied { execute } for pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767223.481:9359): arch=c000003e syscall=21 success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18 items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767223.481:9360): avc: denied { execute } for pid=23550 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767223.481:9360): arch=c000003e syscall=21 success=no exit=-13 a0=f631a0 a1=1 a2=7f66005349e8 a3=7ffebc634b18 items=0 ppid=2879 pid=23550 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 
key=(null) type=AVC msg=audit(1441767226.595:9361): avc: denied { execute } for pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767226.595:9361): arch=c000003e syscall=21 success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d6c0 items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767226.595:9362): avc: denied { execute } for pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767226.595:9362): arch=c000003e syscall=21 success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708 items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767226.595:9363): avc: denied { execute } for pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767226.595:9363): arch=c000003e syscall=21 success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708 items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767226.595:9364): avc: denied { execute } for pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767226.595:9364): arch=c000003e syscall=21 
success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708 items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767226.595:9365): avc: denied { execute } for pid=23575 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767226.595:9365): arch=c000003e syscall=21 success=no exit=-13 a0=df41a0 a1=1 a2=7f604b6d29e8 a3=7ffe8030d708 items=0 ppid=2879 pid=23575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=MAC_STATUS msg=audit(1441767226.661:9366): enforcing=0 old_enforcing=1 auid=0 ses=2 type=SYSCALL msg=audit(1441767226.661:9366): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffe514b9f30 a2=1 a3=7ffe514b8cb0 items=0 ppid=2625 pid=23581 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1441767229.702:9367): avc: denied { execute } for pid=23606 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767229.702:9367): arch=c000003e syscall=21 success=yes exit=0 a0=16a11a0 a1=1 a2=7f81b57009e8 a3=7ffc2776dc10 items=0 ppid=2879 pid=23606 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="fence_virsh" exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767229.705:9368): avc: denied { read open } for pid=23611 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935 
scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=AVC msg=audit(1441767229.705:9368): avc: denied { execute_no_trans } for pid=23611 comm="fence_virsh" path="/usr/bin/ssh" dev=vda2 ino=2103935 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file type=SYSCALL msg=audit(1441767229.705:9368): arch=c000003e syscall=59 success=yes exit=0 a0=169f4a0 a1=164ac60 a2=168b620 a3=7ffc2776dd50 items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767229.707:9369): avc: denied { setuid } for pid=23611 comm="ssh" capability=7 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability type=SYSCALL msg=audit(1441767229.707:9369): arch=c000003e syscall=117 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=3 items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767229.708:9370): avc: denied { search } for pid=23611 comm="ssh" name=".ssh" dev=vda2 ino=1966197 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir type=SYSCALL msg=audit(1441767229.708:9370): arch=c000003e syscall=2 success=no exit=-2 a0=7ffed853ecd0 a1=0 a2=1b6 a3=0 items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767229.709:9371): avc: denied { name_connect } for pid=23611 comm="ssh" dest=22 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1441767229.709:9371): arch=c000003e syscall=42 
success=yes exit=0 a0=3 a1=7fa79084eb30 a2=10 a3=fffffffffffffee0 items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767229.710:9372): avc: denied { setgid } for pid=23611 comm="ssh" capability=6 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability type=SYSCALL msg=audit(1441767229.710:9372): arch=c000003e syscall=119 success=yes exit=0 a0=0 a1=0 a2=0 a3=e items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767229.710:9373): avc: denied { getattr } for pid=23611 comm="ssh" path="/root/.ssh" dev=vda2 ino=1966197 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir type=SYSCALL msg=audit(1441767229.710:9373): arch=c000003e syscall=4 success=yes exit=0 a0=7ffed853ecd0 a1=7ffed853ec40 a2=7ffed853ec40 a3=0 items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null) type=AVC msg=audit(1441767229.710:9374): avc: denied { read } for pid=23611 comm="ssh" name="id_rsa" dev=vda2 ino=1966200 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file type=AVC msg=audit(1441767229.710:9374): avc: denied { open } for pid=23611 comm="ssh" name="id_rsa" dev=vda2 ino=1966200 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file type=SYSCALL msg=audit(1441767229.710:9374): arch=c000003e syscall=2 success=yes exit=4 a0=7fa79084e920 a1=0 a2=0 a3=12 items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" 
exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1441767229.711:9375): avc: denied { getattr } for pid=23611 comm="ssh" path="/root/.ssh/id_rsa" dev=vda2 ino=1966200 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=SYSCALL msg=audit(1441767229.711:9375): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffed853d3d0 a2=7ffed853d3d0 a3=12 items=0 ppid=23606 pid=23611 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
====

Thanks for the help.

digimer

> On Tue, Sep 08, 2015 at 09:18:15PM -0400, Digimer wrote:
>> Hi all,
>>
>> I've been using KVM-based VMs as a testbed for clusters for ages,
>> always using fence_virsh.
>>
>> I noticed today though that fence_virsh is now being blocked by
>> selinux (rhel 6.7, fully updated as of today):
>>
>> type=AVC msg=audit(1441752343.878:3269): avc: denied { execute } for
>> pid=8848 comm="fence_virsh" name="ssh" dev=vda2 ino=2103935
>> scontext=unconfined_u:system_r:fenced_t:s0
>> tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
>> type=SYSCALL msg=audit(1441752343.878:3269): arch=c000003e syscall=21
>> success=no exit=-13 a0=1a363a0 a1=1 a2=7f02aa7f89e8 a3=7ffdff0dc7c0
>> items=0 ppid=7759 pid=8848 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="fence_virsh"
>> exe="/usr/bin/python" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
>> t
>>
>> [root@node1 ~]# rpm -q fence-agents cman corosync
>> fence-agents-4.0.15-8.el6.x86_64
>> cman-3.0.12.1-73.el6.1.x86_64
>> corosync-1.4.7-2.el6.x86_64
>>
>> [root@node1 ~]# cat /etc/redhat-release
>> Red Hat Enterprise Linux Server release 6.7 (Santiago)
>>
>> I'll post a follow-up if I can sort out how to fix it. My selinux-fu is
>> weak...

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?

_______________________________________________
Developers mailing list
Developers@clusterlabs.org
http://clusterlabs.org/mailman/listinfo/developers
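
The audit records in this message can be grouped mechanically. The following is an added example, not part of the original message or of fence-agents: it pairs each AVC record with the SYSCALL record sharing its audit event ID, to separate denials that failed the call under enforcing mode from those only logged once the host was permissive. The sample lines are shortened copies of records quoted above; the function names and the EACCES/EPERM heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copies of audit records quoted in this message.
SAMPLE = """\
type=AVC msg=audit(1441767220.374:9351): avc: denied { execute } for pid=23523 comm="fence_virsh" name="ssh" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767220.374:9351): arch=c000003e syscall=21 success=no exit=-13 comm="fence_virsh"
type=MAC_STATUS msg=audit(1441767226.661:9366): enforcing=0 old_enforcing=1 auid=0 ses=2
type=AVC msg=audit(1441767229.705:9368): avc: denied { read open } for pid=23611 comm="fence_virsh" name="ssh" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1441767229.705:9368): avc: denied { execute_no_trans } for pid=23611 comm="fence_virsh" path="/usr/bin/ssh" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1441767229.705:9368): arch=c000003e syscall=59 success=yes exit=0 comm="ssh"
type=AVC msg=audit(1441767229.707:9369): avc: denied { setuid } for pid=23611 comm="ssh" capability=7 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:system_r:fenced_t:s0 tclass=capability
type=SYSCALL msg=audit(1441767229.707:9369): arch=c000003e syscall=117 success=yes exit=0 comm="ssh"
type=AVC msg=audit(1441767229.708:9370): avc: denied { search } for pid=23611 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1441767229.708:9370): arch=c000003e syscall=2 success=no exit=-2 comm="ssh"
type=AVC msg=audit(1441767229.709:9371): avc: denied { name_connect } for pid=23611 comm="ssh" dest=22 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1441767229.709:9371): arch=c000003e syscall=42 success=yes exit=0 comm="ssh"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):.*?success=(?P<ok>\w+) exit=(?P<exit>-?\d+)')


def se_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Map (source type, target type, class) -> {'blocked': perms, 'logged_only': perms}."""
    blocked_event = {}  # audit event id -> syscall failed with EACCES (-13) or EPERM (-1)
    denials = []        # (event id, key, permission list)
    for line in log_text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            blocked_event[m["id"]] = m["ok"] == "no" and int(m["exit"]) in (-13, -1)
            continue
        m = AVC_RE.search(line)
        if m:
            key = (se_type(m["s"]), se_type(m["t"]), m["c"])
            denials.append((m["id"], key, m["perms"].split()))
    result = defaultdict(lambda: {"blocked": set(), "logged_only": set()})
    for event_id, key, perms in denials:
        # Assumption: an AVC with no paired SYSCALL record is counted as blocked.
        bucket = "blocked" if blocked_event.get(event_id, True) else "logged_only"
        result[key][bucket].update(perms)
    return dict(result)


def to_rules(summary):
    """Render every observed permission as type-enforcement rule text, for review."""
    rules = []
    for (src, tgt, cls), buckets in sorted(summary.items()):
        perms = sorted(buckets["blocked"] | buckets["logged_only"])
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(perms)} }};")
    return rules


if __name__ == "__main__":
    print("\n".join(to_rules(summarize(SAMPLE))))
```

Under enforcing mode only `execute` on `ssh_exec_t` appears because the agent stops at the first denial; the permissive-mode records are what expose the remaining accesses fenced_t attempts.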