| Summary: | Missing SELinux rules to access configuration directory | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Luigi Toscano <ltoscano> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 19 | CC: | bbockelm, dominick.grift, dwalsh, eerlands, lvrabec, matt, mgrepl, mkudlej, tomspur, tstclair |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.12.1-74.9.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-14 06:59:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

c057891eda1df81b566e375c46c62d711cfa3c8e fixes this in git.

backported.

selinux-policy-3.12.1-74.9.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.9.fc19

Package selinux-policy-3.12.1-74.9.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.9.fc19'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-18701/selinux-policy-3.12.1-74.9.fc19
then log in and leave karma (feedback).

selinux-policy-3.12.1-74.9.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 805303
Excerpt from audit.log after setting setenforce 0, starting htcondor and calling a few commands

Description of problem:
Using the latest version of condor for F19 (condor-8.1.1-0.2.fc19.x86_64, but also using 8.1.0-0.2) htcondor daemons can't access the configuration directory (by default /etc/condor). It seems that /etc/condor is now labeled as condor_etc_rw_t, but the daemons can't access it.

The error can be reproduced just by starting condor. condor_status returns an error:

    CEDAR:6001:Failed to connect to <x.y.z.t:9618>

while condor_status -direct $HOSTNAME works. condor_q works too.

After setting 'setenforce 0' I can see all the errors from the pre-defined daemons (master, collector, negotiator, schedd), and audit2allow suggests:

    #============= condor_collector_t ==============
    allow condor_collector_t condor_etc_rw_t:dir read;

    #============= condor_master_t ==============
    allow condor_master_t condor_etc_rw_t:dir read;

    #============= condor_negotiator_t ==============
    allow condor_negotiator_t condor_etc_rw_t:dir read;

    #============= condor_schedd_t ==============
    allow condor_schedd_t condor_etc_rw_t:dir read;

Most probably also all the other htcondor daemons which have a specific context (schedd, kbdd?) should get a rule for this as well.

    # condor_version
    $CondorVersion: 8.1.1 Sep 25 2013 BuildID: RH-8.1.1-0.2.fc19 $
    $CondorPlatform: X86_64-Fedora_19 $
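
How rules like the ones quoted in the report are derived from audit.log, as an added example (not part of the original bug report and not audit2allow's own code): a minimal parser that groups AVC denials by source domain. The log lines are constructed for illustration, and `denials_to_rules`, `selinux_type` and `render` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the
# bug's attachment); pids, inode numbers and timestamps are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1380100000.101:501): avc:  denied  { read } for  pid=2101 comm="condor_master" name="condor" dev="dm-1" ino=131 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:condor_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1380100000.230:502): avc:  denied  { read } for  pid=2105 comm="condor_collecto" name="condor" dev="dm-1" ino=131 scontext=system_u:system_r:condor_collector_t:s0 tcontext=system_u:object_r:condor_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1380100000.231:503): avc:  denied  { read } for  pid=2105 comm="condor_collecto" name="condor" dev="dm-1" ino=131 scontext=system_u:system_r:condor_collector_t:s0 tcontext=system_u:object_r:condor_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1380100000.231:503): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1380100001.007:510): avc:  denied  { read } for  pid=2110 comm="condor_schedd" name="condor" dev="dm-1" ino=131 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:object_r:condor_etc_rw_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group AVC denials into {source_type: {(target_type, class): perms}}."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records (SYSCALL, PATH, ...) carry no decision
        key = (selinux_type(m["tcon"]), m["tclass"])
        rules[selinux_type(m["scon"])][key].update(m["perms"].split())
    return rules

def render(rules):
    """Emit the rules in the same layout as the output quoted in the report."""
    out = []
    for source in sorted(rules):
        out.append(f"#============= {source} ==============")
        for (target, tclass), perms in sorted(rules[source].items()):
            p = sorted(perms)
            perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            out.append(f"allow {source} {target}:{tclass} {perm_text};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(denials_to_rules(SAMPLE_LOG)))
```

Rules produced this way only mirror what was denied, so each one still has to be reviewed against the intent of the policy before it is loaded.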