Bug 1032721

Summary: Condor doesn't start with selinux enabled
Product: Fedora
Reporter: Stanislav Graf <sgraf>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: bbockelm, dominick.grift, dwalsh, ltoscano, lvrabec, matt, mgrepl, sgraf, tmckay, tomspur, tstclair
Keywords: SELinux
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-74.14.fc19
Doc Type: Bug Fix
Last Closed: 2013-12-03 10:33:31 UTC
Type: Bug
Attachments:
condor avc messages (flags: none)

Description Stanislav Graf 2013-11-20 16:31:35 UTC
Description of problem:
# getenforce
Enforcing
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

-> condor_schedd and condor_negotiator use 100% of CPU

# condor_status
# echo $?
0

# tail /var/log/condor/NegotiatorLog 
11/20/13 16:25:51 ---------- Started Negotiation Cycle ----------
11/20/13 16:25:51 Phase 1:  Obtaining ads from collector ...
11/20/13 16:25:51   Getting Scheduler, Submitter and Machine ads ...
11/20/13 16:25:51 Couldn't fetch ads: can't find collector
11/20/13 16:25:51 Aborting negotiation cycle
11/20/13 16:26:51 ---------- Started Negotiation Cycle ----------
11/20/13 16:26:51 Phase 1:  Obtaining ads from collector ...
11/20/13 16:26:51   Getting Scheduler, Submitter and Machine ads ...
11/20/13 16:26:51 Couldn't fetch ads: can't find collector
11/20/13 16:26:51 Aborting negotiation cycle

# ausearch -m avc -ts recent -sv no
<no matches>
# setenforce 0
# getenforce 
Permissive
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

# condor_status 
Name               OpSys      Arch   State     Activity LoadAv Mem   ActvtyTime

localhost.localdom LINUX      X86_64 Unclaimed Benchmar  1.950  995  0+00:00:04
                     Machines Owner Claimed Unclaimed Matched Preempting

        X86_64/LINUX        1     0       0         1       0          0

               Total        1     0       0         1       0          0

-> condor_schedd and condor_negotiator DON'T use 100% of CPU

Version-Release number of selected component (if applicable):
# rpm -qa '*condor*' | sort
condor-8.1.1-0.3.fc19.x86_64
condor-classads-8.1.1-0.3.fc19.x86_64
condor-procd-8.1.1-0.3.fc19.x86_64

How reproducible:
100%

Steps to Reproduce:
1. service condor restart
2. watch negotiator and scheduler in top
3. condor_status

Actual results:
condor_schedd and condor_negotiator use 100% of CPU
Couldn't fetch ads: can't find collector

Expected results:
condor_schedd and condor_negotiator DON'T use 100% of CPU
condor_status works

Additional info:

Comment 1 Stanislav Graf 2013-11-20 16:43:13 UTC
I have latest F19 with latest packages:
selinux-policy-3.12.1-74.11.fc19.noarch
selinux-policy-targeted-3.12.1-74.11.fc19.noarch

Comment 2 Stanislav Graf 2013-11-20 16:49:00 UTC
# service auditd stop
Stopping logging:                                          [  OK  ]
# rm -f /var/log/audit/audit.log 
# service auditd start
Redirecting to /bin/systemctl start  auditd.service
# ls -l /var/log/audit/audit.log 
-rw-------. 1 root root 187 Nov 20 16:44 /var/log/audit/audit.log
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

wait and then cat logfile:

# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1384965888.280:3108): auditd start, ver=2.3.2 format=raw kernel=3.11.8-200.fc19.x86_64 auid=4294967295 pid=1552 subj=system_u:system_r:auditd_t:s0 res=success
type=SERVICE_STOP msg=audit(1384965897.679:546): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1384965897.685:547): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 3 Daniel Walsh 2013-11-20 20:15:59 UTC
Those are not avc messages?  Are you still seeing failures?

Comment 4 Miroslav Grepl 2013-11-20 22:20:03 UTC
If yes, just re-test it and run

# ausearch -m avc,user_avc -ts recent

Comment 5 Stanislav Graf 2013-11-21 08:05:00 UTC
(1) I've started the machine
condor broken
# ausearch -m avc,user_avc -ts recent
<no matches>

(2) restart condor
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

condor broken
# ausearch -m avc,user_avc -ts recent
<no matches>

(3) disable selinux
# setenforce 0
# getenforce 
Permissive

(4) repeat (2)

condor works

# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

(5) enable selinux again
# setenforce 1
# getenforce 
Enforcing

(6) repeat (2)

condor broken

# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Nov 21 08:02:02 2013
type=USER_AVC msg=audit(1385020922.632:548): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


---> I think this is a selinux issue if it can be fixed by Permissive mode and triggered back by Enforcing mode.

Comment 6 Miroslav Grepl 2013-11-21 08:37:45 UTC
It works for me on F20. 

Lukas,
could you test it on F19?


Stanislav,
could you try to run

# semodule -DB
re-test
# ausearch -m avc,user_avc -ts recent

Comment 7 Stanislav Graf 2013-11-21 08:51:45 UTC
Created attachment 827063
condor avc messages

Comment 8 Miroslav Grepl 2013-11-21 09:17:25 UTC
If you execute

# grep udp_socket condor-avc.txt | audit2allow -M mypol
# semodule -i mypol.pp

does it help?

Comment 9 Stanislav Graf 2013-11-21 09:40:30 UTC
(In reply to Miroslav Grepl from comment #8)

Yes, this fixed my issue.

Comment 10 Miroslav Grepl 2013-11-21 09:53:27 UTC
Thank you for testing.

Please run

# semodule -B

to enable "dontaudit" rules.

commit ef59b516687408aa6c9a55659741f7449676e4b0
Author: Miroslav Grepl <mgrepl>
Date:   Thu Nov 21 10:52:05 2013 +0100

    Allow condor domains to read/write condor_master udp_socket
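
Added example (not part of this bug report or of the selinux-policy project): a Python reimplementation of what the `grep udp_socket condor-avc.txt | audit2allow` step in comment 8 derives from AVC records, run over constructed sample records, since the attachment is not reproduced here. The domain names condor_schedd_t, condor_negotiator_t and condor_master_t are assumed from the commit message; the third sample record is a constructed unrelated denial that shows why the class filter matters before audit2allow turns every denial in the log into an allow rule.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape `ausearch -m avc` prints them.
# Domain names are assumed from the commit message in this bug; the real
# attachment is not reproduced on the page. The last record is the
# setenforce notice from comment 5: a USER_AVC notice, not a denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1385021000.101:600): avc:  denied  { read write } for  pid=1601 comm="condor_schedd" path="socket:[22001]" dev="sockfs" ino=22001 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385021000.102:601): avc:  denied  { read write } for  pid=1602 comm="condor_negotiator" path="socket:[22001]" dev="sockfs" ino=22001 scontext=system_u:system_r:condor_negotiator_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385021000.103:602): avc:  denied  { read } for  pid=1601 comm="condor_schedd" name="shadow" dev="dm-0" ino=4242 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc_denials(text):
    """One dict per 'avc: denied' record; notices and non-AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": m.group("scontext").split(":")[2],  # source domain
            "ttype": m.group("tcontext").split(":")[2],  # target type
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials, tclass=None):
    """Fold denials into allow rules as audit2allow would; tclass mirrors `grep udp_socket`."""
    merged = defaultdict(set)
    for d in denials:
        if tclass is not None and d["tclass"] != tclass:
            continue
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(denials, "udp_socket")))
```

Note that on this bug the denials only became visible after `semodule -DB` (comment 6), because the udp_socket access was covered by a dontaudit rule; with the filter removed, the same parser also emits the unrelated shadow_t rule, which is exactly what a blind audit2allow run would install.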

Comment 11 Fedora Update System 2013-11-26 14:23:10 UTC
selinux-policy-3.12.1-74.14.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.14.fc19

Comment 12 Fedora Update System 2013-11-27 04:30:26 UTC
Package selinux-policy-3.12.1-74.14.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.14.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22197/selinux-policy-3.12.1-74.14.fc19
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2013-12-03 10:33:31 UTC
selinux-policy-3.12.1-74.14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.