There may be a dontaudit clause in either the base or the ccs modules. Try inserting the enableaudit.pp module and see what happens. I'm not sure if RHEL5.3 supports "semodule -DB" but that would turn off dontaudit also.
On Wed, Aug 12, 2009 at 10:50 AM, de Jong, MarkJan <[email protected]> wrote:

> That’s just it. There are no logs being generated in audit.log. I’m
> pretty well versed in creating custom SELinux policies.
>
> I’ve reported on issues in the past where SELinux does not generate logs.
> It was a while ago and have since forgotten what the resolution was but it
> was fixed by the devs. I’ll be more than happy to file a bug report.
>
> Thx,
> M
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ian Hayes
> *Sent:* Wednesday, August 12, 2009 1:26 PM
> *To:* linux clustering
> *Subject:* Re: [Linux-cluster] RHEL 5.3: Joining fence domain hangs when
> selinux is enabled
>
> I'm assuming that you're running the Targeted policy and not the strict
> policy...
>
> RHEL5 has a module for ccs, but I haven't taken it apart. The files for
> fencing may be incorrectly labeled or the policy doesn't allow fenced to run
> correctly.
>
> Look at your /var/log/audit/audit.log files and see what's being denied.
> You may want to install sealert and setroubleshootd so you can browse the
> messages. First, check the file contexts of the files that are appearing in
> your audit logs. Nothing should be default_t. If anything looks out of
> whack, try restoring the correct file contexts with restorecon and see if
> the file contexts have changed. If you're feeling brave, you can start
> writing a custom policy module to permit fenced to start up.
>
> The audit logs will tell you everything, and where you will need to start.
> I managed to knock out a policy for 389Server in about an hour, but I had
> the benefit of just coming back from Redhat's SELinux class.
>
> On Wed, Aug 12, 2009 at 9:15 AM, de Jong, MarkJan <[email protected]>
> wrote:
>
> It seems that with selinux enabled, fencing hangs during ‘service cman
> start’.
>
> When selinux is set to enforcing, the cman startup script hangs at
> “Starting fencing ….” and never times out.
>
> There are NO logs related to the event in /var/log/audit/audit.log, nor
> anything telling in /var/log/messages. ‘fence_tool dump’ also does not
> provide any further details.
>
> After setting selinux to permissive, fencing starts up without incident.
>
> I’m using the following packages:
>
> kernel-xen-2.6.18-128.4.1.el5
> cman-2.0.98-1.el5_3.4
>
> Let me know if I can provide any further info.
>
> thanks,
> Mark de Jong
>
> ------------------------------
> PRIVILEGED AND CONFIDENTIAL
> PLEASE NOTE: The information contained in this message is privileged and
> confidential, and is intended only for the use of the individual to whom it
> is addressed and others who have been specifically authorized to receive it.
> If you are not the intended recipient, you are hereby notified that any
> dissemination, distribution or copying of this communication is strictly
> prohibited. If you have received this communication in error, or if any
> problems occur with transmission, please contact sender. Thank you.
--
Linux-cluster mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-cluster
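
The check suggested in the reply at the top of this message, as an added example that is not part of the original thread: load the enableaudit.pp base module, reproduce the hang, and summarise any AVC denials that now appear for fenced. The policy directory, the function names and the sample log lines (including their SELinux contexts) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. POLICY_DIR assumes the RHEL 5 targeted
# policy layout; function names and the sample log lines are constructed.
POLICY_DIR=${POLICY_DIR:-/usr/share/selinux/targeted}

# Load the base policy built without dontaudit rules so hidden denials log.
dontaudit_off() { semodule -b "$POLICY_DIR/enableaudit.pp"; }

# Restore the normal base policy after the denials have been captured.
dontaudit_on() { semodule -b "$POLICY_DIR/base.pp"; }

# Read audit.log text on stdin and print one line per distinct denial for
# the given command name:
#   <count> <scontext> -> <tcontext> <tclass> { <perms> }
avc_summary() {
    awk -v want="comm=\"$1\"" '
        /avc: +denied/ && index($0, want) {
            perms = $0
            sub(/.*denied +[{] /, "", perms); sub(/ [}].*/, "", perms)
            s = t = c = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^tcontext=/) t = substr($i, 10)
                if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            seen[s " -> " t " " c " { " perms " }"]++
        }
        END { for (k in seen) print seen[k], k }' | sort
}

# Constructed sample; the contexts are hypothetical, not taken from RHEL 5.3.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1250099401.101:90): avc:  denied  { read write } for  pid=2101 comm="fenced" name="example.sock" dev=dm-0 ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1250099402.202:91): avc:  denied  { read write } for  pid=2101 comm="fenced" name="example.sock" dev=dm-0 ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1250099403.303:92): avc:  denied  { getattr } for  pid=2200 comm="crond" path="/tmp/x" dev=dm-0 ino=77 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

# Typical sequence on the affected node, as root:
#   dontaudit_off; service cman start   (reproduce the hang in enforcing mode)
#   avc_summary fenced < /var/log/audit/audit.log
#   dontaudit_on
```

Leaving enableaudit.pp loaded makes audit.log very noisy, so restore base.pp once the denials have been collected.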
