ClusterLabs / fence-agents

Fence agents

NFS Ganesha (Storage SIG) node fails to boot after fencing - SELINUX #368

Closed hunter86bg closed 4 years ago

hunter86bg commented 4 years ago

It seems that when a Ganesha node is fenced it fails to boot due to the following SELINUX denial (visible after 'enforcing=0' in the grub menu):

[root@glustere ~]# dmesg | grep -e type=1300 -e type=1400
[   14.414782] audit: type=1400 audit(1605994499.985:3): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0" ino=33596932 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1

Generating the following policy fixes the issue:

[root@glustere ~]# dmesg | grep -e type=1300 -e type=1400 | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@glustere ~]# cat my-systemd.te 

module my-systemd 1.0;

require {
        type var_lib_nfs_t;
        type init_t;
        class lnk_file getattr;
}

#============= init_t ==============
allow init_t var_lib_nfs_t:lnk_file getattr;
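
As an added illustration (not code from the issue or from fence-agents), the following Python parses AVC denial lines like the one above and folds them into `allow` rules and a `.te` module in the layout `audit2allow -M` produces; the second sample line is constructed, not taken from the issue.

```python
import re

# First line: the AVC denial quoted in the issue. Second line: constructed
# (not from the issue) to show rules are scoped per source/target/class.
SAMPLE_DMESG = """\
[   14.414782] audit: type=1400 audit(1605994499.985:3): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/var/lib/nfs" dev="dm-0" ino=33596932 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=lnk_file permissive=1
[   15.001000] audit: type=1400 audit(1605994500.001:4): avc:  denied  { read open } for  pid=1 comm="systemd" name="state" dev="dm-0" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=file permissive=1
"""

# Pull the denied permissions, the type field of each context, and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source type, target type, class, frozenset(perms)) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (m["stype"], m["ttype"], m["tclass"], frozenset(m["perms"].split()))

def merge_denials(text):
    """Group denied permissions by (source, target, class), as audit2allow does."""
    merged = {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            merged.setdefault(d[:3], set()).update(d[3])
    return merged

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def allow_rules(merged):
    return ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p))
            for (s, t, c), p in sorted(merged.items())]

def te_module(name, merged):
    """Render the .te text: module header, require block, allow rules."""
    types, classes = set(), {}
    for (s, t, c), p in merged.items():
        types.update((s, t))
        classes.setdefault(c, set()).update(p)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(merged)
    return "\n".join(out)
```

Reading the rule this way shows exactly how narrow it is: init_t gains only getattr on symlinks labelled var_lib_nfs_t, which is the scope worth confirming before running `semodule -i` on any audit2allow output.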

oalbrigt commented 4 years ago

We don't do SELinux rules policies in the fence-agents spec file, so I think you should report this to the selinux-policy team/repo of the distro you're using.

hunter86bg commented 4 years ago

True, but it's nice to have it here too. Just to be sure that any user won't be confused why their machine is not coming back after being fenced.

hunter86bg commented 4 years ago

Based on the discussion in CentOS-Devel, the necessary policy is included in EL 8.3; as a workaround anyone can use the policy from above.

oalbrigt commented 4 years ago

Perfect. Thank you for the update.