Bug 852456

Summary: OpenMPI problem with SELinux (Grid - parallel universe)
Product: Red Hat Enterprise Linux 6 Reporter: RHEL Program Management <pm-rhel>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Daniel Horák <dahorak>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.3CC: cww, dahorak, dwalsh, iboverma, matt, mgrepl, mkudlej, mmalik, pm-eus
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-155.el6_3.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-11 08:11:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 835923    
Bug Blocks: 435010    

Description RHEL Program Management 2012-08-28 14:21:55 UTC 
This bug has been copied from bug #835923 and has been proposed
to be backported to 6.3 z-stream (EUS).
Comment 4 Miroslav Grepl 2012-08-29 07:42:14 UTC 
Fixed in selinux-policy-3.7.19-155.el6_3.3
Comment 6 Daniel Horák 2012-08-30 10:07:15 UTC 
At least part of the problem is still here - OpenMPI job still fail:

# rpm -q condor -q selinux-policy
  condor-7.6.5-0.19.el6.i686
  selinux-policy-3.7.19-155.el6_3.3.noarch

With SELinux in Enforcing mode on one machine appear following AVC error:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:00:33 2012
  type=SYSCALL msg=audit(1346320833.196:22644): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf81a380 a2=4005d964 a3=41148650 items=0 ppid=30288 pid=30303 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346320833.196:22644): avc:  denied  { name_connect } for  pid=30303 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket

With SELinux in Permissive mode there is one more AVC message:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:05:25 2012
  type=SYSCALL msg=audit(1346321125.925:22653): arch=40000003 syscall=39 success=yes exit=0 a0=bfb8046b a1=1c0 a2=4005d964 a3=bfb8046b items=0 ppid=31430 pid=31445 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321125.925:22653): avc:  denied  { create } for  pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
  type=AVC msg=audit(1346321125.925:22653): avc:  denied  { add_name } for  pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
  type=AVC msg=audit(1346321125.925:22653): avc:  denied  { write } for  pid=31445 comm="ssh" name="test" dev=vda2 ino=17065 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
  ----
  time->Thu Aug 30 12:05:25 2012
  type=SYSCALL msg=audit(1346321125.799:22652): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfb7fdf0 a2=4005d964 a3=40c4f650 items=0 ppid=31430 pid=31445 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321125.799:22652): avc:  denied  { name_connect } for  pid=31445 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
  

>> ASSIGNED
Comment 7 Daniel Horák 2012-08-30 10:20:26 UTC 
I retested it also with new version of condor condor-7.6.5-0.21.el6 (currently yet not in errata for MRG2.2) and there is change in AVC messages in Permissive mode (one message is missing):

Enforcing mode:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:14:14 2012
  type=SYSCALL msg=audit(1346321654.631:22662): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9302e0 a2=4005d964 a3=41d99650 items=0 ppid=1241 pid=1256 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321654.631:22662): avc:  denied  { name_connect } for  pid=1256 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket


Permissive mode:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:16:19 2012
  type=SYSCALL msg=audit(1346321779.675:22664): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd5ee60 a2=4005d964 a3=41620650 items=0 ppid=1877 pid=1892 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321779.675:22664): avc:  denied  { name_connect } for  pid=1892 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
Comment 8 Miroslav Grepl 2012-08-31 13:13:32 UTC 
Ok, this is a new issue.
Comment 9 Miroslav Grepl 2012-09-03 06:43:53 UTC 
Fixed in selinux-policy-3.7.19-155.el6_3.4
Comment 10 Daniel Horák 2012-09-03 11:29:42 UTC 
Tested via automatic test on RHEL 6.3 i386 and x86_64.
Related packages: 
  condor-7.6.5-0.22.el6.i686
  condor-classads-7.6.5-0.22.el6.i686
  condor-debuginfo-7.6.5-0.22.el6.i686
  openmpi-1.5.4-1.el6.i686
  openmpi-devel-1.5.4-1.el6.i686
  python-condorutils-1.5-4.el6.noarch
  selinux-policy-3.7.19-155.el6_3.4.noarch
  selinux-policy-targeted-3.7.19-155.el6_3.4.noarch

All tests pass and no AVC error appear.

>> VERIFIED
Comment 13 errata-xmlrpc 2012-09-11 08:11:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1252.html