Fencing in RHEL 6 with fence_vmware_soap fails with "error from agent" when done automatically by cluster or using fence_node, but succeeds from command line

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 6 with the High Availability Add-On
  • One or more nodes configured to use fence_vmware_soap in /etc/cluster/cluster.conf
  • SELinux in enforcing mode (SELINUX=enforcing in /etc/sysconfig/selinux)

Issue

  • When the cluster tries to fence a node with fence_vmware_soap, or I run fence_node, it fails with "error from agent":
Feb  7 09:14:40 node1 fenced[12763]: fencing node  node3
Feb  7 09:14:40 node1 abrt: detected unhandled Python exception in '/usr/sbin/fence_vmware_soap'
Feb  7 09:14:40 node1 fenced[12763]: fence node3 dev 0.0 agent fence_vmware_soap result: error from agent
Feb  7 09:14:40 node1 fenced[12763]: fence node3 failed

  • If I run fence_vmware_soap from the command line with the same parameters, it works fine.

Resolution

Restore the SELinux context for fence_vmware_soap:

# restorecon /usr/sbin/fence_vmware_soap

Root Cause

It appears that something had been mislabeled: either fence_vmware_soap, fenced, or something one of them was accessing. The default SELinux contexts for these components seem to work fine, so this issue will likely not apply unless contexts have been modified in some way.

Diagnostic Steps

  • Run fence_node for a node configured with fence_vmware_soap and observe it fail. Then try running fence_vmware_soap manually and see if it succeeds. If so, check /var/log/audit/audit.log and look for AVC denials.
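
One way to do the audit.log check above, as an added example that is not part of the original article: a shell function that summarises AVC denials involving fenced or a fence agent by command, permission, source type and target type. The function names and the sample records are assumptions made for illustration; the SELinux types in the sample are constructed and are not the denial from this case.

```shell
#!/bin/sh
# Added example: summarise AVC denials that involve fenced or a fence agent.
# Reads the audit log named in $1, or standard input when no file is given.
fence_avc_denials() {
    awk '
    /type=AVC/ && /denied/ && /fence/ {
        comm = perm = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # permissions sit between { and }
                perm = ""
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            }
            else if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # third part is the type
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        count[comm " " perm " " src " -> " tgt " (" cls ")"]++
    }
    END { for (k in count) print count[k], k }
    ' "${1:--}" | sort -k2
}

# Constructed sample records (illustrative labels only). The audit subsystem
# truncates comm to 15 characters, hence "fence_vmware_so".
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1360246480.101:901): avc:  denied  { read } for  pid=12801 comm="fence_vmware_so" name="example" dev=dm-0 ino=1001 scontext=system_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1360246480.102:902): avc:  denied  { getattr } for  pid=12801 comm="fence_vmware_so" path="/example" dev=dm-0 ino=1001 scontext=system_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1360246541.310:915): avc:  denied  { read } for  pid=12874 comm="fence_vmware_so" name="example" dev=dm-0 ino=1001 scontext=system_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1360246600.500:930): avc:  denied  { write } for  pid=2210 comm="httpd" name="example" dev=dm-0 ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
EOF
}

# With a file argument, analyse that log; otherwise run on the sample records.
if [ $# -gt 0 ]; then
    fence_avc_denials "$1"
else
    sample_audit_log | fence_avc_denials
fi
```

Run it as root against /var/log/audit/audit.log on the node that attempted the fence. A target type that differs from what the stock policy assigns points at the object to relabel with restorecon.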