The server creates the read-only tracking dbs (<some_tdb>.tdb.<nodenumber>.RO) with permissions 0000. This is OK for pure Unix/POSIX, because ctdbd is running as root, but in an SELinux-enabled system a subsequent open (after a ctdb restart) of the rottdb fails, since SELinux is more strict: a process would need the dac_override to perform this kind of open, even as root.
This leads to a failure to start ctdb (a second time) in Samba/CTDB 4.2 and newer, since Samba enables readonly-copies in the netlogon_creds_cli.tdb.
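The create-then-reopen sequence described above, as an added example that is not part of the original report and is not CTDB code: it creates a file with mode 0000 and with 0600 (the mode named in the patch title), then reopens each read-write. The file name under /tmp and all function names are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

struct reopen_result {
    int owner_rw;     /* 1 if the mode bits give the owner read+write */
    int reopen_ok;    /* 1 if the second open(O_RDWR) succeeded */
    int reopen_errno; /* errno of a failed reopen, else 0 */
};
/* Create a file with `mode`, close it, then reopen it read-write, as happens
 * to a tracking db across a restart. Returns 0, or -1 if setup failed. */
int create_then_reopen(mode_t mode, struct reopen_result *res)
{
    char path[64];
    struct stat st;
    /* Constructed name modelled on <some_tdb>.tdb.<node>.RO */
    snprintf(path, sizeof(path), "/tmp/demo-%ld.tdb.0.RO", (long)getpid());
    unlink(path);                     /* clear leftovers of an earlier run */
    mode_t old_umask = umask(0);      /* make the requested mode exact */
    int fd = open(path, O_CREAT | O_EXCL | O_RDWR, mode);
    umask(old_umask);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) { close(fd); unlink(path); return -1; }
    close(fd);
    res->owner_rw = (st.st_mode & (S_IRUSR | S_IWUSR)) == (S_IRUSR | S_IWUSR);
    /* Without owner bits this open passes only for a process allowed to
     * bypass DAC checks (CAP_DAC_OVERRIDE); SELinux policy can withhold
     * that even from root, and the open then fails with EACCES. */
    fd = open(path, O_RDWR);
    res->reopen_ok = fd >= 0;
    res->reopen_errno = fd >= 0 ? 0 : errno;
    if (fd >= 0)
        close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    mode_t modes[] = { 0000, 0600 };  /* mode in the report, mode in the patch */
    struct reopen_result r;
    for (int i = 0; i < 2; i++)
        if (create_then_reopen(modes[i], &r) == 0)
            printf("mode %04o: owner_rw=%d reopen_ok=%d errno=%d\n",
                   (unsigned)modes[i], r.owner_rw, r.reopen_ok, r.reopen_errno);
    return 0;
}
```

Run as an unprivileged user, the 0000 case fails the reopen with EACCES; as unconfined root it succeeds, which is why the problem only shows up once SELinux denies dac_override.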
Created attachment 11545: patch for 4.3 cherry-picked from master
Created attachment 11546: Patch for v4-2-test cherry-picked from master
If I'm clicking on things correctly, I believe the patch for 4.3 is incorrect. It is 64 bytes in length with the contents: "0001-ctdb-open-the-RO-tracking-db-with-perms-0600-instead.patch" I imagine it's similar enough to the v4-2-test patch, but do upload the patch again. :)
Created attachment 11548: updated patch for 4.3 cherry-picked from master. Correct patch file (first time I forgot '--stdout' ...)
Comment on attachment 11548 (updated patch for 4.3 cherry-picked from master): LGTM
Comment on attachment 11546 (Patch for v4-2-test cherry-picked from master): LGTM
Pushed to autobuild-v4-[3|2]test.
(In reply to Karolin Seeger from comment #8) Pushed to both branches. Closing out bug report. Thanks!