CentOS 6.4 With SELinux Enforcing Denies Mount Action to glusterd

Update: As of March 13, 2013 there is an updated SELinux policy package which fixes this error. The versions are: selinux-policy-3.7.19-195.el6_4.3.noarch and selinux-policy-targeted-3.7.19-195.el6_4.3.noarch

Everything’s going great deploying a new GlusterFS-based NAS at work, when all of a sudden we hit a snag: I updated one of my client machines from CentOS 6.3 → 6.4, and now SELinux is causing my gluster mounts to fail at boot. It’s no consolation, but it seems I’m not alone

Mounting manually à la mount -a as root worked, but automatic mounting during boot, either by /etc/fstab or via the netfs service fail with the following in dmesg:

type=1400 audit(1363076375.665:4): avc:  denied  { execute } for  pid=1226 comm="mount.glusterfs" name="glusterfsd" dev=sdb1 ino=266629 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:glusterd_exec_t:s0 tclass=file

A few years ago I would have just disabled SELinux and got on with my work, but we live in a dangerous world, so I figured it’s probably in my best long-term interests to fix this the “right” way.

The Right Way*

The “right” way is to create a SELinux module which allows this action. It isn’t as daunting as it sounds, watch me!

Create a working space:

$ mkdir ~/selinux_gluster
$ cd ~/selinux_gluster

Turn SELinux enforcing mode off for now, and reload the policy so we have a clean slate of access violations:

$ setenforce 0
$ load_policy

Whatever it was that was getting denied, do it again! In this case the system was trying to mount the gluster volumes from fstab during boot, but we can achieve the same thing with:

$ service netfs start

Generate a module for this action using audit2allow, feeding it the system audit log:

$ audit2allow -M glusterd_centos64 -l -i /var/log/audit/audit.log

You can name it anything, but try to be a bit specific so you know what it is without having to go to too much trouble. It will be saved to the local directory (hopefully you created a working space?).

Turn SELinux enforcing back on and load the new module:

$ setenforce 1
$ semodule -i glusterd_centos64.pp

Now, unmount your volumes and then try to mount them again using

$ service netfs start

If you did everything right you should be good to go. Now we’ve fixed a problem and learned an important lesson: SELinux isn’t that hard after all! BTW, the module you loaded will persist across reboots; just check in /etc/selinux/targeted/modules/active/modules/.

*Ok, so the “right” way would actually be that Redhat ships an updated policy file for glusterd (selinux-policy-targeted-3.7.19-195.el6_4.1.noarch) at the time of this writing.

3 thoughts on “CentOS 6.4 With SELinux Enforcing Denies Mount Action to glusterd

  1. Wow. Yet to wrap SELinux around my head, every time shit hit the fan, I’d just disable it. Great read.
    It convinces me that the reason many people don’t bother learning SELinux (me included) is simply because we’re plain lazy.

Comments are closed.