Bug 1032721 - Condor doesn't start with selinux enabled

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Stanislav Graf <sgraf> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 19 | CC | bbockelm, dominick.grift, dwalsh, ltoscano, lvrabec, matt, mgrepl, sgraf, tmckay, tomspur, tstclair |
| Target Milestone | --- | Keywords | SELinux |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.12.1-74.14.fc19 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-12-03 10:33:31 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description

Stanislav Graf, 2013-11-20 16:31:35 UTC

I have the latest F19 with the latest packages:

```
selinux-policy-3.12.1-74.11.fc19.noarch
selinux-policy-targeted-3.12.1-74.11.fc19.noarch
```

```
# service auditd stop
Stopping logging:                                          [  OK  ]
# rm -f /var/log/audit/audit.log
# service auditd start
Redirecting to /bin/systemctl start auditd.service
# ls -l /var/log/audit/audit.log
-rw-------. 1 root root 187 Nov 20 16:44 /var/log/audit/audit.log
# service condor restart
Redirecting to /bin/systemctl restart condor.service
```

Wait and then cat the logfile:

```
# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1384965888.280:3108): auditd start, ver=2.3.2 format=raw kernel=3.11.8-200.fc19.x86_64 auid=4294967295 pid=1552 subj=system_u:system_r:auditd_t:s0 res=success
type=SERVICE_STOP msg=audit(1384965897.679:546): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1384965897.685:547): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```

---

Those are not avc messages? Are you still seeing failures? If yes, just re-test it and run

```
# ausearch -m avc,user_avc -ts recent
```

---

(1) I've started the machine; condor broken.

```
# ausearch -m avc,user_avc -ts recent
<no matches>
```

(2) Restart condor; condor broken.

```
# service condor restart
Redirecting to /bin/systemctl restart condor.service
# ausearch -m avc,user_avc -ts recent
<no matches>
```

(3) Disable selinux.

```
# setenforce 0
# getenforce
Permissive
```

(4) Repeat (2); condor works.

```
# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

(5) Enable selinux again.

```
# setenforce 1
# getenforce
Enforcing
```

(6) Repeat (2); condor broken.

```
# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Nov 21 08:02:02 2013
type=USER_AVC msg=audit(1385020922.632:548): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

---> I think this is an SELinux issue if it can be fixed by Permissive mode and triggered back by Enforcing mode.

---

It works for me on F20. Lukas, could you test it on F19?

---

Stanislav, could you try to run

```
# semodule -DB
```

re-test, and then run

```
# ausearch -m avc,user_avc -ts recent
```

---

Created attachment 827063: condor avc messages

---

If you execute

```
# grep udp_socket condor-avc.txt | audit2allow -M mypol
# semodule -i mypol.pp
```

does it help?

---

(In reply to Miroslav Grepl from comment #8)

Yes, this fixed my issue.

---

Thank you for testing. Please run

```
# semodule -B
```

to enable "dontaudit" rules.

```
commit ef59b516687408aa6c9a55659741f7449676e4b0
Author: Miroslav Grepl <mgrepl>
Date:   Thu Nov 21 10:52:05 2013 +0100

    Allow condor domains to read/write condor_master udp_socket
```

---

selinux-policy-3.12.1-74.14.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.14.fc19

---

Package selinux-policy-3.12.1-74.14.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.14.fc19'
```

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22197/selinux-policy-3.12.1-74.14.fc19
then log in and leave karma (feedback).

---

selinux-policy-3.12.1-74.14.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
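The diagnosis in this report turns on three details that are easy to get wrong: the USER_AVC setenforce notices that `ausearch -m avc,user_avc` returns are not denials, the real denials only became visible after `semodule -DB` switched off the policy's dontaudit rules, and the local module was built from `grep udp_socket condor-avc.txt` rather than from the whole attachment so that it granted only the one access being diagnosed. The following Python script is an added example, not code from the bug report or from the selinux-policy project. It parses raw audit.log AVC records, merges them per (source type, target type, object class) the way audit2allow does, and renders the allow rules and the .te module for a chosen class, so the require block can be reviewed before `semodule -i`. The log records are constructed for this example, and the condor_procd_t, condor_schedd_t and condor_master_t type names are assumed from the commit message, not quoted from the attachment (which the page does not reproduce).

```python
"""
Added example (not from bug 1032721 or the selinux-policy project): parse AVC
denials in raw /var/log/audit/audit.log format, merge them like audit2allow,
and emit allow rules / a .te module restricted to one object class.
"""
import re
from collections import defaultdict

# Constructed sample log. Type names condor_procd_t, condor_schedd_t and
# condor_master_t are assumed, not quoted from the report's attachment.
# The USER_AVC line copies the setenforce-notice format shown in the report;
# it is not a denial and must be skipped. The shadow_t record shows what an
# unfiltered audit2allow run over the same log would additionally grant.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1385020803.100:600): avc:  denied  { read } for  pid=1602 comm="condor_procd" scontext=system_u:system_r:condor_procd_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385020803.101:601): avc:  denied  { write } for  pid=1602 comm="condor_procd" scontext=system_u:system_r:condor_procd_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385020803.200:602): avc:  denied  { read write } for  pid=1605 comm="condor_schedd" scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385020803.300:603): avc:  denied  { getattr } for  pid=1605 comm="condor_schedd" path="/etc/shadow" scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Only kernel AVC records ("type=AVC") carry a verdict, a permission set and
# the source/target contexts; USER_AVC notices from systemd do not match.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Return one dict per AVC *denial*; every other record type is ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        denials.append({
            # user:role:type:level -> keep the type component only
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def generate_allow_rules(denials, tclass=None):
    """Merge denials per (source, target, class) and render allow rules in the
    form audit2allow prints. tclass restricts output to one object class,
    mirroring the report's `grep udp_socket condor-avc.txt | audit2allow`."""
    merged = defaultdict(set)
    for d in denials:
        if tclass is None or d["tclass"] == tclass:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, cls), perms in sorted(merged.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ %s }" % perm_text
        rules.append("allow %s %s:%s %s;" % (stype, ttype, cls, perm_text))
    return rules


def build_te_module(name, denials, tclass=None):
    """Render a complete .te source (what `audit2allow -M name` writes), so the
    require block and rules can be reviewed before `semodule -i name.pp`."""
    selected = [d for d in denials if tclass is None or d["tclass"] == tclass]
    types = set()
    class_perms = defaultdict(set)
    for d in selected:
        types.update((d["stype"], d["ttype"]))
        class_perms[d["tclass"]] |= d["perms"]
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    lines += generate_allow_rules(selected)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    print("unfiltered rules (what a blanket audit2allow would grant):")
    print("\n".join(generate_allow_rules(found)))
    print("\nmodule restricted to udp_socket, as in the report:")
    print(build_te_module("mypol", found, tclass="udp_socket"))
```

Run unfiltered, the generator also emits `allow condor_schedd_t shadow_t:file getattr;` from the constructed shadow_t record, which is the kind of over-grant a blanket `audit2allow` over a whole log produces; the report's `grep udp_socket` restricted the module to the one denial under investigation, and the same restriction is what `tclass="udp_socket"` does here. Two operational caveats from the thread carry over: denials covered by dontaudit rules never reach the log unless `semodule -DB` is in effect, so a parser like this sees nothing until then, and `semodule -B` should be run afterwards so the dontaudit rules are restored.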