On Wed, Apr 7, 2021 at 7:38 PM Jason Long <hack3rcon@yahoo.com> wrote:
> Sorry, problem not solved.
> When I restarted my servers, then that problem appeared again. Thus, is it a bug?

Which problem reappeared? Are there any AVC/USER_AVC denials?

On Wednesday, April 7, 2021, 09:40:35 PM GMT+4:30, Jason Long <hack3rcon@yahoo.com> wrote:

Thanks.
The problem was that I forgot to open port 3260/tcp on my node1 and node2. I opened that port on my nodes and the result is:

Full List of Resources:
    * Resource Group: apache:
    * httpd_fs    (ocf::heartbeat:Filesystem):     Started
    * httpd_vip    (ocf::heartbeat:IPaddr2):        Started
    * httpd_ser    (ocf::heartbeat:apache):        Started

On Wednesday, April 7, 2021, 08:50:33 PM GMT+4:30, Zdenek Pytela <zpytela@redhat.com> wrote:

On Wed, Apr 7, 2021 at 5:39 PM Jason Long <hack3rcon@yahoo.com> wrote:
> Thank you.
> I'm using Fedora Server 33 and the output of your command is:
>
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> ----
> type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc:  denied  { name_bind } for  pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0 
This should be fixed soon:
https://bugzilla.redhat.com/show_bug.cgi?id=1935101

>
> On Tuesday, April 6, 2021, 02:37:59 PM GMT+4:30, Zdenek Pytela <zpytela@redhat.com> wrote:
>
> On Sun, Apr 4, 2021 at 12:56 PM Jason Long <hack3rcon@yahoo.com> wrote:
>> Hello,
>> I'm using Fedora Server as an iSCSI Shared Storage. When I rebooted my server then the "iscsi.service" couldn't load:
>>
>> [root@node3 ~]# systemctl status iscsi.service 
>> ● iscsi.service - Login and scanning of iSCSI devices
>>      Loaded: loaded (/usr/lib/systemd/system/iscsi.service; enabled; vendor preset: enabled)
>>      Active: inactive (dead)
>>   Condition: start condition failed at Sat 2021-04-03 18:49:08 +0430; 2s ago
>>              └─ ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes was not met
>>        Docs: man:iscsiadm(8)
>>              man:iscsid(8)
>>
>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>> Apr 03 18:49:08 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>>
>> SELinux is enabled on my Fedora Server:
>>
>> # sestatus 
>> SELinux status:                 enabled
>> SELinuxfs mount:                /sys/fs/selinux
>> SELinux root directory:         /etc/selinux
>> Loaded policy name:             targeted
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy MLS status:              enabled
>> Policy deny_unknown status:     allowed
>> Memory protection checking:     actual (secure)
>> Max kernel policy version:      33
>>
>> [root@node3 ~]# ps -eZ | grep iscsid_t
>> [root@node3 ~]# 
>>
>> And when I looked at the log, I saw the errors below:
>>
>> # dmesg -H -l err
>> [Apr 4 15:05] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>> [  +0.000009] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>> [  +9.037994] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>> [  +0.000014] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>> [  +0.000798] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>> [  +0.000004] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>>
>> How can I configure SELinux for an iSCSI Shared Storage?
> Hi,
>
> Do you have any indication it was SELinux blocking some access? Can you look for AVCs in the audit log? Which Fedora version is it?
>
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>
>>
>> Thank you.
>>
>> _______________________________________________
>> selinux mailing list -- selinux@lists.fedoraproject.org
>> To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>
>
>
> --
>
> Zdenek Pytela
> Security SELinux team

--

Zdenek Pytela
Security SELinux team

--

Zdenek Pytela
Security SELinux team
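
Added example (not part of the original thread and not code from the SELinux project): a small parser for the `ausearch -i` AVC line quoted above, answering the question asked in the thread, namely whether any enforced denial belongs to the domain being debugged. The second sample record and its `example_t` domain are constructed; `iscsid_t` is taken from the `ps -eZ` check in the thread.

```python
import re

# Constructed input in `ausearch -i` format. Record 1 is the denial quoted in the
# thread; record 2 is a constructed permissive-mode record (example_t is made up).
SAMPLE = (
    "----\n"
    "type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc:  denied  { name_bind } "
    "for  pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 "
    "tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0\n"
    "----\n"
    "type=AVC msg=audit(04/07/2021 20:01:02.500:151) : avc:  denied  { read write } "
    "for  pid=900 comm=exampled name=data scontext=system_u:system_r:example_t:s0 "
    "tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1\n"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type[:level]; the type is the third field.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(text):
    """Parse AVC records into dicts; lines that are not AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        records.append({
            "perms": m.group(2).split(),
            "comm": kv.get("comm"),
            "source": selinux_type(kv.get("scontext", "")),
            "target": selinux_type(kv.get("tcontext", "")),
            "tclass": kv.get("tclass"),
            # permissive=1 means the access was logged but still allowed.
            "blocked": m.group(1) == "denied" and kv.get("permissive") != "1",
        })
    return records

def blocked_for(records, source_type):
    """Denials that were actually enforced against one source domain."""
    return [r for r in records if r["blocked"] and r["source"] == source_type]

if __name__ == "__main__":
    recs = parse_avc(SAMPLE)
    for domain in ("iscsid_t", "named_t"):
        print(domain, blocked_for(recs, domain))
```

An empty result for a domain only means no denial was logged for it; accesses covered by `dontaudit` rules in the policy are denied without an audit record.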