The Following are the steps necessary to get Corosync UPD networking to work with SELinux enabled.
Update: If you use port numbers 5404 and 5405, you will not need to perform any of the steps listed below.  These are the ports used by RedHat’s Cluster Suite and are configured in the latest selinux-policy packages (as of 2013/05/23) to allow heartbeat and corosync to bind to them.
The Setup:

  • CentOS 6.3
  • SElinux is enabled
  • Corosync is configured to use UDP port 5000

1. Install the semanage tool.

yum install policycoreutils-python

2. Determine the ports to allow.

Corosync uses two UPD ports, one for sending and a second for receiving.  In the corosync.conf file you only specify one of the two.  The second port is the specified port -1.  So if you’re using port 5000, the second port is 4999.

3. Add the two ports to the netsupport_port_t SELinux type.

semanage port -a -t netsupport_port_t -p udp 4999
semanage port -a -t netsupport_port_t -p udp 5000

4. Restart corosync

Even though we updated SELinux, a running corosync process is still running under the old rules.  Restarting corosync will create a new corosync process running with the updated SELinux rules.


Edit 2012.7.20 Fixed port numbers.