<div dir="ltr">I've had issues with the glusterd and glusterfsd sockets getting labeled var_run_t instead of glusterd_var_run_t.<div><br></div><div><div>To fix your problem:</div><div><ol><li>Update your hosts to the latest SELinux policy</li><li>Set SELinux to enforcing</li><li>Stop any running glusterd or glusterfsd processes. (i.e. systemctl stop glusterd; pkill -f gluster)</li><li>Remove any old socket files from /var/run ( rm -f /var/run/*.socket )</li><li>Start gluster ( systemctl start glusterd )</li><li>Check that the sockets were created with a context that gluster can access. ( ls -Z /var/run/*.socket ) types of glusterd_var_run_t</li></ol><div>Gluster is only allowed to write to the following socket types:</div></div><div><div>sesearch -A -C -s glusterd_t -c sock_file -p write</div><div>Found 18 semantic av rules:</div><div> allow domain setrans_var_run_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t dirsrv_var_run_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t nslcd_var_run_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t avahi_var_run_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t slapd_var_run_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t sssd_var_lib_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t glusterd_var_lib_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; </div><div> allow glusterd_t glusterd_var_run_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; </div><div> allow glusterd_t winbind_var_run_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t devlog_t : sock_file { write getattr append open } ; </div><div> allow glusterd_t glusterd_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; </div><div> allow glusterd_t lsassd_var_socket_t : sock_file { write getattr append open } ; </div><div> allow daemon abrt_var_run_t : sock_file { write getattr append open } ; </div><div>DT allow daemon cluster_pid : sock_file { write getattr append open } ; [ daemons_enable_cluster_mode ]</div><div>EF allow glusterd_t nscd_var_run_t : sock_file { write getattr append open } ; [ nscd_use_shm ]</div><div>DT allow glusterd_t nscd_var_run_t : sock_file { ioctl read write getattr lock append open } ; [ nscd_use_shm ]</div><div>ET allow glusterd_t pcscd_var_run_t : sock_file { write getattr append open } ; [ allow_kerberos ]</div></div><div><br></div><div><br></div><div>Even when the sockets are labeled correctly, a user-initiated relabel can break Gluster.<br></div><div><br></div><div><div>[root@hostname run]# pwd</div><div>/var/run</div><div>[root@hostname run]# ls -Z *.socket</div><div>srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 30d920e9fce88a5555e66a86e85c1d9b.socket</div><div>srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 8416f5dc522a14421afdf0f100a6947d.socket</div><div>srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 85dc678b993d76ebc8ab2fb3f13a7c03.socket</div><div>srwx------. root root staff_u:object_r:glusterd_var_run_t:s0 glusterd.socket</div><div>[root@hostname run]# restorecon -v *.socket</div><div>restorecon reset /var/run/30d920e9fce88a5555e66a86e85c1d9b.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0</div><div>restorecon reset /var/run/8416f5dc522a14421afdf0f100a6947d.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0</div><div>restorecon reset /var/run/85dc678b993d76ebc8ab2fb3f13a7c03.socket context staff_u:object_r:glusterd_var_run_t:s0->staff_u:object_r:var_run_t:s0</div></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 19, 2015 at 8:43 AM, Nathanaël Blanchet <span dir="ltr"><<a href="mailto:blanchet@abes.fr" target="_blank">blanchet@abes.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On freshly installed el7 hosts, selinux prevents gluster from running. Setting selinux to permissive or building the relative .pp module resolves the issue.<br>
Does otopi configure selinux for gluster when installing?<br>
______________________________<u></u>_________________<br>
Gluster-users mailing list<br>
<a href="mailto:Gluster-users@gluster.org" target="_blank">Gluster-users@gluster.org</a><br>
<a href="http://www.gluster.org/mailman/listinfo/gluster-users" target="_blank">http://www.gluster.org/<u></u>mailman/listinfo/gluster-users</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><font><a href="mailto:jrm16020@gmail.com" target="_blank">Jeremy Young</a>, M.S., RHCSA</font><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font size="4"></font></div></blockquote></div></div>
</div>