[Pacemaker] None of the standard agents in ocf:heartbeat are working in centos 6

Vladislav Bogdanov bubble at hoster-ok.com
Tue Jul 24 14:30:37 UTC 2012


24.07.2012 14:23, Vadym Chepkov wrote:
> 
> On Jul 24, 2012, at 12:25 AM, Vladislav Bogdanov wrote:
> 
>> 24.07.2012 04:50, Andrew Beekhof wrote:
>>> On Tue, Jul 24, 2012 at 5:38 AM, David Barchas <dave at barchas.com> wrote:
>>>>
>>>> On Monday, July 23, 2012 at 7:48 AM, David Barchas wrote:
>>>>
>>>>
>>>> Date: Mon, 23 Jul 2012 14:15:27 +0300
>>>> From: Vladislav Bogdanov
>>>>
>>>> 23.07.2012 08:06, David Barchas wrote:
>>>>
>>>> Hello.
>>>>
>>>> I have been working on this for 3 days now, and must be so stressed out
>>>> that I am being blinded to what is probably an obvious cause of this. In
>>>> a word, HELP.
>>>>
>>>>
>>>> setenforce 0 ?
>>>>
>>>> i am familiar with it but have never had to disable it. I would be surprised
>>>> for packages in standard repos.
>>>
>>> No-one has written an selinux policy for pacemaker yet.
>>> I would imagine that will come in the next month or so.
>>>
>>
>> Highly appreciated. However lrmd part may be not as easy to implement
>> properly as it seems at the first glance.
> 
> 
> You can add runcon -t unconfined_t into /etc/init.d/pacemaker for now if you don't want to totally turn selinux off

Yeah, that's great no know. But services running from within pacemaker
will still be unprotected, won't they? And whole system will have a
security breach if service running in unconfined_t context is
compromised (iirc how unconfined_t is handled and nothing changed in
that area for last few years). So it is much better to have "well-done"
policy module for pacemaker, so all (selinux-aware) services start
protected.

Thanks for pointer!

Vladislav





More information about the Pacemaker mailing list