Wednesday, September 17, 2014

No Write Permission on ACFS Mount Point



Last night, I managed to create the ACFS Mount Point after resolving the issue "ACFS-9459: ASVM/ACFS is not supported on this os version". But, after creating the ACFS Mount Point, I'm unable to create or touch any files under this ACFS Mount Point.

Though, I tried to touch a file to create files under this ACFS Mount Point using OS User Oracle and Root, it's failing with the following error:

"touch: cannot touch `x': Permission denied"

Here are the steps I tried and got the error:

The ACFS Mount Point "/oracle/prd"  has been created on Linux 6.5 server using Oracle ASMCA tool, and this "/oracle/prd" mount point has 775 permission.

As Oracle User:

[oracle@Linux01 ~]# df -m|grep -i asm
/dev/asm/oracle_prd-77   35840    148     35693   1% /oracle/prd
[oracle@Linux01 ~]# cd /oracle/prd
[oracle@Linux01 prd]# pwd
/oracle/prd
[oracle@Linux01 prd]# ls -ld /oracle/prd
drwxrwxr-x. 4 oracle dba 4096 Sep 15 19:29 /oracle/prd
[oracle@Linux01 prd]# ls
lost+found
[oracle@Linux01 prd]# touch abc
touch: cannot touch `abc': Permission denied
[oracle@Linux01 prd]#

As Root user:

[root@Linux01 ~]# df -m|grep -i asm
/dev/asm/oracle_prd-77   35840    148     35693   1% /oracle/prd
[root@Linux01 ~]# cd /oracle/prd
[root@Linux01 prd]# pwd
/oracle/prd
[root@Linux01 prd]# ls -ld /oracle/prd
drwxrwxr-x. 4 oracle dba 4096 Sep 15 19:29 /oracle/prd
[root@Linux01 prd]# ls
lost+found
[root@Linux01 prd]# touch abc
touch: cannot touch `abc': Permission denied
[root@Linux01 prd]#

The problem was the SELinux is enabled on the Linux System.

To check, if SELinux is enable/disable on the system, cat the file "/etc/selinux/config"
Note: Used the root login to do the following steps:

[root@Linux01]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Or use the sestatus command to check the status.

[root@geprdb850 prd]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          disabled
Policy version:                 28
Policy from config file:        targeted

Here is how to disable SElinux:

Method 1- Edit "/etc/selinux/config" and set the SELINUX variable to 'disabled'
Method 2- Use the setenforce command to disable on-the-fly

If you go with Method 1, then your changes are permanent but only effective if you reboot the machine.

If you go with Method 2, then your changes are NOT permanent but effective immediately.

Method 1: (Permanent Change)

Take the backup of "/etc/selinux/config" file.

[root@Linux01]# cp /etc/selinux/config /etc/selinux/config.bkp

Then edit "/etc/selinux/config" the file and set the SELinux variable to 'disabled'

[root@Linux01]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Then reboot the server!!

Method 2: (On-the-fly)

[root@Linux01]# getenforce
Enforcing

[root@Linux01]# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]

[root@Linux01 prd]# setenforce 0

[root@Linux01 prd]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 28
Policy from config file:        targeted

[root@Linux01]# getenforce
Disabled

After the SELinux is disabled, then creating the files under ACFS Mount Point is succeeded.

Note: The above commands have to be completed by root user and do this under system admin supervision.

Regards,
Sabdar Syed.

http://sabdarsyed.blogspot.com

No comments: