Channel: CentOS Bug Tracker - Issues

0008725: SELinux prevents fence_virtd from accepting network connections (works from command line)

When you start fence_virtd from the command line it works perfectly, but when you run it as a service it starts but network connections are denied.

Setting SELinux to permissive mode allows it to work. Running sealert produces the following output:

[root@iscsi2 ~]# sealert -a /var/log/audit/audit.log
24% done'list' object has no attribute 'split'
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/fence_virtd from name_connect access on the tcp_socket port 16514.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow fenced to can network connect
Then you must tell SELinux about this by enabling the 'fenced_can_network_connect' boolean.

Do
setsebool -P fenced_can_network_connect 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that fence_virtd should be allowed name_connect access on the port 16514 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fence_virtd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fenced_t:s0
Target Context                system_u:object_r:virt_port_t:s0
Target Objects                port 16514 [ tcp_socket ]
Source                        fence_virtd
Source Path                   /usr/sbin/fence_virtd
Port                          16514
Host                          <Unknown>
Source RPM Packages           fence-virtd-0.3.2-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     iscsi2.house
Platform                      Linux iscsi2.house 3.10.0-229.el7.x86_64 #1 SMP
                              Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64
Alert Count                   93
First Seen                    2015-05-20 09:43:18 BST
Last Seen                     2015-05-20 12:28:09 BST
Local ID                      b922aa6e-e7d5-46f9-aba4-5bf28f5fe442

Raw Audit Messages
type=AVC msg=audit(1432121289.631:409): avc: denied { name_connect } for pid=2522 comm="fence_virtd" dest=16514 scontext=system_u:s socket

type=SYSCALL msg=audit(1432121289.631:409): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=1b449b0 a2=10 a3=7ffff5eb1834 i egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fence_virtd exe=/usr/sbin/fence_virtd subj=system_u:system_r:fenced_t:s0 key=(nul

Hash: fence_virtd,fenced_t,virt_port_t,tcp_socket,name_connect
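The report's sealert output offers two fixes for the same denial: flip the fenced_can_network_connect boolean, or build a local policy module with audit2allow. Before choosing, it helps to see exactly what rule the second path would load. The script below is an added example, not code from the bug report, from fence-virt or from selinux-policy; it parses AVC records the way audit2allow reads them (source type, target type, object class, permission set), collapses repeated alerts, and prints the type-enforcement source that `audit2allow -M mypol` would write. The audit lines it runs on are constructed from the field values in the report's "Additional Information" block (fenced_t, virt_port_t, tcp_socket, name_connect, pid 2522, port 16514), because the raw messages on the page are cut off; the second AVC record stands in for the repeated alerts the report counts.

```python
"""Reconstruct the allow rule audit2allow -M would generate from AVC records.

Added example; not code from the bug report, fence-virt or selinux-policy.
"""
import re
from dataclasses import dataclass

# Constructed sample input. The field values (fenced_t, virt_port_t,
# tcp_socket, name_connect, pid 2522, port 16514) are the ones the report's
# "Additional Information" block lists; the record text itself is assembled
# here because the raw messages on the page are truncated. The second AVC
# stands in for the repeated alerts the report counts (Alert Count 93).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1432121289.631:409): avc:  denied  { name_connect } for  pid=2522 comm="fence_virtd" dest=16514 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:virt_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1432121289.631:409): arch=x86_64 syscall=connect success=no exit=EACCES comm=fence_virtd exe=/usr/sbin/fence_virtd subj=system_u:system_r:fenced_t:s0
type=AVC msg=audit(1432121300.427:415): avc:  denied  { name_connect } for  pid=2522 comm="fence_virtd" dest=16514 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:virt_port_t:s0 tclass=tcp_socket
"""

# One AVC record: the permission set inside the braces, then the source and
# target security contexts and the object class. Everything in between (pid,
# comm, dest, path ...) varies by object class and is skipped.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    source_type: str   # type field of scontext, e.g. fenced_t
    target_type: str   # type field of tcontext, e.g. virt_port_t
    tclass: str        # object class, e.g. tcp_socket
    perms: frozenset   # permissions denied, e.g. {"name_connect"}


def type_of(context: str) -> str:
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_denials(log_text: str) -> list:
    """Extract one Denial per AVC record; SYSCALL, PATH, ... records are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m is None:
            continue
        denials.append(Denial(type_of(m["scontext"]), type_of(m["tcontext"]),
                              m["tclass"], frozenset(m["perms"].split())))
    return denials


def merge_rules(denials: list) -> dict:
    """Collapse repeated denials: one (source, target, class) -> union of perms."""
    merged = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return merged


def fmt_perms(perms) -> str:
    """Policy syntax: a lone permission is bare, several are brace-grouped."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def te_module(name: str, merged: dict) -> str:
    """Type-enforcement source in the layout audit2allow -M <name> writes."""
    types = sorted({t for key in merged for t in key[:2]})
    classes = {}
    for (_, _, cls), perms in merged.items():
        classes[cls] = classes.get(cls, frozenset()) | perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for (src, tgt, cls) in sorted(merged):
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(merged[(src, tgt, cls)])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(te_module("mypol", merge_rules(parse_denials(SAMPLE_AUDIT_LOG))))
```

The rule that comes out, `allow fenced_t virt_port_t:tcp_socket name_connect;`, is scoped to the target port type rather than to port 16514 itself: it covers every port carrying the virt_port_t label, which `semanage port -l | grep virt_port_t` lists on the host. That is still narrower than the boolean sealert ranks first, which opens TCP connects from fenced_t broadly rather than to one port type; `sesearch -A -s fenced_t -c tcp_socket -p name_connect` before and after `setsebool -P fenced_can_network_connect 1` shows the difference. Either way, confirm the mode first: the report's own "Enforcing Mode Permissive" line means the denials were logged without being enforced, which is why the service worked once permissive mode was set.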
