Bug 1297048

Summary: SELinux is preventing condor_master from using the chown capability.
Product: [Fedora] Fedora Reporter: Sam Tygier <samtygier>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 23CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-158.3.fc23 selinux-policy-3.13.1-158.2.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-22 02:21:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
auseach output none

Description Sam Tygier 2016-01-08 21:12:04 UTC 
Description of problem:
After installing and starting condor I get the SELinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-158.fc23.noarch
condor.x86_64 8.5.1-1.fc23

How reproducible:
Happened on my machine, I was able to reproduce on a clean install in a VM.

Steps to Reproduce:
1. dnf install condor
2. systemctl start condor

Additional info:
SELinux is preventing condor_master from using the chown capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that condor_master should have the chown capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep condor_master /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:condor_master_t:s0
Target Context                system_u:system_r:condor_master_t:s0
Target Objects                Unknown [ capability ]
Source                        condor_master
Source Path                   condor_master
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.2.8-300.fc23.x86_64
                              #1 SMP Tue Dec 15 16:49:06 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2016-01-08 21:03:46 GMT
Last Seen                     2016-01-08 21:03:46 GMT
Local ID                      83391fd3-40ee-442c-998a-a2d717b3c213

Raw Audit Messages
type=AVC msg=audit(1452287026.112:646): avc:  denied  { chown } for  pid=3421 comm="condor_master" capability=0  scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=capability permissive=0


Hash: condor_master,condor_master_t,condor_master_t,capability,chown
Comment 1 Lukas Vrabec 2016-01-12 15:41:15 UTC 
commit a665711f5fdf24b5202c65dc17de41eefdf13b6a
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 12 16:40:18 2016 +0100

    Allow condor_master_t domain capability chown. BZ(1297048)
Comment 2 Fedora Update System 2016-01-14 13:15:23 UTC 
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 3 Fedora Update System 2016-01-15 18:53:25 UTC 
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 4 Sam Tygier 2016-01-17 16:02:11 UTC 
Thanks, I think that is getting me further. But now I get a bunch more denials after starting condor. (I made a clean virtual machine, installed selinux-policy-3.13.1-158.2.fc23 and then installed condor).

Jan 17 15:48:37 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory fs. For complete SELinux messages. run sealert -l dad96dcb-1c63-4a88-9294-dc4218b9982f
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing linux_kernel_tu from write access on the file pid_max. For complete SELinux messages. run sealert -l de162d98-cd82-445f-9dac-afa97b6089e3
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing linux_kernel_tu from write access on the file pid_max. For complete SELinux messages. run sealert -l de162d98-cd82-445f-9dac-afa97b6089e3
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498

Should I open a new bug report? Do I need a separate bug for each of these?
Comment 5 Lukas Vrabec 2016-01-18 12:06:12 UTC 
Hi, 
Could you attach:
# ausearch -m AVC 

Thank you.
Comment 6 Sam Tygier 2016-01-18 12:31:33 UTC 
Created attachment 1115829 [details]
auseach output

Here is the output from
sudo ausearch -m AVC
Comment 7 Fedora Update System 2016-01-22 02:20:35 UTC 
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.