Issues with SELinux configuration
SELinux configuration issues can occur if you enable SELinux on a system where it was previously disabled, or if you run a service in a non-standard configuration.
SELinux denials are signs of incorrect configuration.
Workaround:
Perform the following:
Check the SELinux audit logs for Snapshot Manager related denials using the following command:
# ausearch -m avc -se VRTSflexsnap.process | audit2allow
allow VRTSflexsnap.process container_var_lib_t:dir watch;
allow VRTSflexsnap.process container_var_lib_t:file watch;
Identify the Snapshot Manager related SELinux denials and apply corresponding policy changes using the following command:
# flexsnap_configure updatecil -i
Following are the SELinux policy updates detected for Snapshot Manager:
allow VRTSflexsnap.process default_t:dir create;
allow VRTSflexsnap.process default_t:file { create read };
Do you want to update Snapshot Manager's SELinux policy? (y/n): y
Updating runtime SELinux policy ...done
For changes to take effect, run the following command:
flexsnap_configure restart
Validate the policy change by using the following command:
# ausearch -m avc -se VRTSflexsnap.process | audit2allow
To confirm the policy change, the following messages must be displayed:
!!!! This avc is allowed in the current policy
allow VRTSflexsnap.process container_var_lib_t:dir watch;
!!!! This avc is allowed in the current policy
allow VRTSflexsnap.process container_var_lib_t:file watch;
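The validation step above can be scripted. The following is an added example, not part of the product or its documentation: it filters audit2allow output down to the rules that the loaded policy still does not permit. The function names pending_rules and policy_is_current are hypothetical, and the sample inputs are constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example (not vendor code). Reads audit2allow output on stdin and prints
# only the allow rules that the loaded policy does not yet permit.
# audit2allow marks a rule that is already permitted with a comment line
# containing "This avc is allowed in the current policy" directly above it.
pending_rules() {
    awk '
        /This avc is allowed in the current policy/ { covered = 1; next }
        /^allow / { if (!covered) print; covered = 0 }
    '
}

# Succeeds (exit 0) only when every rule on stdin is already permitted.
policy_is_current() {
    [ -z "$(pending_rules)" ]
}

# Constructed sample inputs, modelled on the output shown on this page.
SAMPLE_BEFORE='allow VRTSflexsnap.process container_var_lib_t:dir watch;
allow VRTSflexsnap.process container_var_lib_t:file watch;'

SAMPLE_AFTER='#!!!! This avc is allowed in the current policy
allow VRTSflexsnap.process container_var_lib_t:dir watch;
#!!!! This avc is allowed in the current policy
allow VRTSflexsnap.process container_var_lib_t:file watch;'

# Constructed partial case: only the first rule has been applied.
SAMPLE_PARTIAL='#!!!! This avc is allowed in the current policy
allow VRTSflexsnap.process container_var_lib_t:dir watch;
allow VRTSflexsnap.process container_var_lib_t:file watch;'

# Demonstration run over the three constructed samples.
for name in BEFORE AFTER PARTIAL; do
    eval "sample=\$SAMPLE_$name"
    if printf '%s\n' "$sample" | policy_is_current; then
        echo "$name: policy is current"
    else
        echo "$name: rules still pending:"
        printf '%s\n' "$sample" | pending_rules | sed 's/^/  /'
    fi
done
```

On a live host, feed it the same pipeline used in the procedure: ausearch -m avc -se VRTSflexsnap.process | audit2allow | pending_rules. Older denials stay in the audit log after the policy update, so an empty result here, rather than empty ausearch output, is the sign that the update took effect.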