I recently installed heartbeat on a RHEL5 cluster, for ip-address
failover, and noticed that there might be some issues with selinux
when heartbeat is started from initscript.
All heartbeat processes are running in the domain initrc_t, which
is not fully unconfined like interactive processes are. Some child
processes of the initscript are being transitioned to other domains,
and then I see at least this denial:
type=AVC msg=audit(1210760976.747:24): avc: denied { read write } for
pid=4739 comm="ifconfig" path="socket:[17160]" dev=sockfs ino=17160
scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:initrc_t:s0
tclass=unix_stream_socket
(an ifconfig process is denied read/write access to the unix_stream_socket
socket:[17160])
coming when heartbeat is launched. This could potentially be quite bad;
other stuff might unexpectedly get denied at later points too.
So, is anybody else running heartbeat on rhel5/selinux? Anybody know
if it's possible to get the initscript to run in the unconfined domain?
-jf
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
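The denial quoted in the post has a recognisable shape: a process that has transitioned out of initrc_t (here ifconfig_t) is refused access to an object still labelled initrc_t, which is what an fd or socket inherited across the domain transition looks like in the audit log. The following is an added example, not code from the post or from the Linux-HA project: a small AVC parser that pulls the permission set, source/target domains and object class out of an audit line and flags that pattern, so the rest of a log can be checked for similar leaked descriptors. The sample record is the one from the post; the function names are my own.

```python
import re
from dataclasses import dataclass

# Sample AVC record constructed from the denial quoted in the post.
SAMPLE_AVC = (
    'type=AVC msg=audit(1210760976.747:24): avc: denied { read write } for '
    'pid=4739 comm="ifconfig" path="socket:[17160]" dev=sockfs ino=17160 '
    'scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:initrc_t:s0 '
    'tclass=unix_stream_socket'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str      # "denied" or "granted"
    perms: list       # e.g. ["read", "write"]
    fields: dict      # pid, comm, path, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Parse one audit line; return None for records that are not AVC messages."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('verdict'), m.group('perms').split(), fields)


def domain_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def inherited_from_initrc(rec):
    """True when a process that left initrc_t is denied access to an object
    still labelled initrc_t: the signature of a descriptor or socket inherited
    across the domain transition, as in the ifconfig denial above."""
    src = domain_of(rec.fields.get('scontext', ''))
    tgt = domain_of(rec.fields.get('tcontext', ''))
    return rec.verdict == 'denied' and src != 'initrc_t' and tgt == 'initrc_t'


def find_leaked_descriptors(lines):
    """Scan audit lines and return the (comm, tclass, perms) of every matching denial."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and inherited_from_initrc(rec):
            hits.append((rec.fields.get('comm'), rec.fields.get('tclass'), rec.perms))
    return hits
```

Run over `/var/log/audit/audit.log` (or `ausearch -m avc` output) the hits show which transitioned children still hold initrc_t-labelled objects; the fix is then on the policy or initscript side, not on the hits themselves.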