<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
All,<br>
<br>
I just learned how to create a new module to allow this request. In
a nutshell, use audit2allow to check the audit log and create a new
module; see [1] and [2]. My exact steps:<br>
<blockquote>mkdir ~/selinux_gluster<br>
cd ~/selinux_gluster<br>
setenforce 0<br>
load_policy<br>
service netfs start<br>
audit2allow -M glusterd_centos64 -l -i /var/log/audit/audit.log<br>
setenforce 1<br>
semodule -i glusterd_centos64.pp<br>
service netfs start<br>
</blockquote>
More precisely, what you are doing is:<br>
<ol>
<li>setting SELinux to permissive mode</li>
<li>re-loading the policy to get a clean "starting point"</li>
<li>performing the actions which are being denied</li>
<li>creating a module<br>
</li>
<li>re-enabling SELinux enforcing mode</li>
<li>loading the new SELinux module (which, after loading, is
copied into /etc/selinux/targeted/modules/active/modules/ and
will persist after reboot)<br>
</li>
<li>gluster should now be able to mount via /etc/fstab on boot, or
via the netfs service, etc. (i.e., not manually as root).<br>
</li>
</ol>
Hope this helps some future traveler,<br>
<br>
Alan<br>
<br>
[1]
<a class="moz-txt-link-freetext" href="http://fedorasolved.org/security-solutions/selinux-module-building">http://fedorasolved.org/security-solutions/selinux-module-building</a><br>
[2] man audit2allow<br>
<br>
<div class="moz-cite-prefix">On 03/12/2013 11:32 AM, Alan Orth
wrote:<br>
</div>
<blockquote cite="mid:513EE81E.6090106@gmail.com" type="cite">All,
<br>
<br>
I've updated one of my GlusterFS clients from CentOS 6.3 to CentOS
6.4 and now my gluster volumes fail to mount at boot. dmesg
shows:
<br>
<br>
type=1400 audit(1363004014.209:4): avc: denied { execute } for
pid=1150 comm="mount.glusterfs" name="glusterfsd" dev=sda1
ino=1315297 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file
<br>
<br>
Mounting manually as root works, but obviously isn't optimal.
<br>
<br>
Does anyone know how to fix this?
<br>
<br>
Thanks!
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Alan Orth
<a class="moz-txt-link-abbreviated" href="mailto:alan.orth@gmail.com">alan.orth@gmail.com</a>
<a class="moz-txt-link-freetext" href="http://alaninkenya.org">http://alaninkenya.org</a>
<a class="moz-txt-link-freetext" href="http://mjanja.co.ke">http://mjanja.co.ke</a>
"I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone." -Bjarne Stroustrup, inventor of C++
</pre>
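<br>
The module built in the steps above grants whatever was denied since the last policy reload, so it is worth reading those grants before running semodule -i. The following is an added example, not part of the original message: a POSIX sh/awk function that turns AVC denial lines into the allow rules they imply. The second sample line and its example_t / example_file_t types are constructed for illustration.<br>
<br>

```shell
#!/bin/sh
# Added example (not from the original post): print the allow rules implied by
# AVC denials, so the grants can be reviewed before "semodule -i".

# First line is the denial quoted in this thread; the second is constructed
# (example_t / example_file_t are hypothetical types) to stand for an unrelated
# denial logged while the host was in permissive mode.
sample_denials() {
    printf '%s\n' \
        'type=1400 audit(1363004014.209:4): avc: denied { execute } for pid=1150 comm="mount.glusterfs" name="glusterfsd" dev=sda1 ino=1315297 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file' \
        'type=1400 audit(0.0:0): avc: denied { read open } for pid=1 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file'
}

# Read audit/dmesg lines on stdin; write one rule per (source, target, class).
avc_to_allow() {
    awk '
    # SELinux contexts are user:role:type:level; the rule needs only the type.
    function type_of(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # strip up to the opening brace
        sub(/ *[}].*/, "", perms)           # strip the closing brace onward
        src = ""; tgt = ""; cls = ""
        for (i = NF; i > 0; i--) {
            if ($i ~ /^scontext=/) src = type_of($i)
            else if ($i ~ /^tcontext=/) tgt = type_of($i)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed record
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if ((key, p[j]) in seen) continue   # same denial logged again
            seen[key, p[j]] = 1
            if (!(key in count)) order[++nkeys] = key
            count[key]++
            list[key] = (count[key] == 1) ? p[j] : list[key] " " p[j]
        }
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            key = order[k]
            if (count[key] > 1) printf "allow %s { %s };\n", key, list[key]
            else printf "allow %s %s;\n", key, list[key]
        }
    }'
}

sample_denials | avc_to_allow
```

audit2allow -M also writes glusterd_centos64.te next to the .pp file; any rule in it that is unrelated to the mount.glusterfs denial came from something else that ran while the host was permissive.<br>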
</body>
</html>