Bug 963305

Summary: SELinux prevents sge_execd from running
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, mgrepl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-08-06 17:12:55 UTC

Description Orion Poplawski 2013-05-15 15:44:52 UTC
Description of problem:

sge_execd is prevented from running because of:

type=AVC msg=audit(1368632202.579:264): avc:  denied  { name_bind } for  pid=3981 comm="sge_execd" src=6445 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


In permissive mode I also see:

type=AVC msg=audit(1368632408.874:279): avc:  denied  { name_connect } for  pid=4287 comm="sge_execd" dest=6444 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368632410.923:281): avc:  denied  { search } for  pid=4287 comm="sge_execd" name="/" dev="tmpfs" ino=7011 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1368632410.923:281): avc:  denied  { read } for  pid=4287 comm="sge_execd" name="cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:281): avc:  denied  { open } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:282): avc:  denied  { getattr } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632411.203:283): avc:  denied  { kill } for  pid=4302 comm="who" capability=5  scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:system_r:sge_execd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-92.fc18.noarch
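The denials quoted above are the raw material a policy maintainer triages: each record names a source type, a target type, an object class and the permissions that were refused, and the port records additionally show which port was hit and how it was labelled. The script below is an added example, not part of this bug report or of the selinux-policy project. It embeds the AVC records from the description as its sample input, groups the denied permissions by (source type, target type, class), and lists the TCP ports that were reached while still labelled unreserved_port_t, which is the labelling question the later comments settle. The function names (parse_avc, summarize, unlabeled_ports) are the example's own.

```python
import re
from collections import defaultdict

# Sample input: the AVC records copied from the bug description above.
SAMPLE_AVC = """\
type=AVC msg=audit(1368632202.579:264): avc:  denied  { name_bind } for  pid=3981 comm="sge_execd" src=6445 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368632408.874:279): avc:  denied  { name_connect } for  pid=4287 comm="sge_execd" dest=6444 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368632410.923:281): avc:  denied  { search } for  pid=4287 comm="sge_execd" name="/" dev="tmpfs" ino=7011 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1368632410.923:281): avc:  denied  { read } for  pid=4287 comm="sge_execd" name="cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:281): avc:  denied  { open } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:282): avc:  denied  { getattr } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632411.203:283): avc:  denied  { kill } for  pid=4302 comm="who" capability=5  scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:system_r:sge_execd_t:s0 tclass=capability
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict. Returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Extract the type field: system_u:system_r:sge_execd_t:s0 -> sge_execd_t."""
    return context.split(":")[2]


def summarize(lines):
    """Group denied permissions by (source type, target type, class).

    Returns (needed, ports): needed maps that triple to the set of denied
    permissions; ports lists (permission, port number, port type) for every
    tcp_socket denial, so port-labelling problems stand out separately.
    """
    needed = defaultdict(set)
    ports = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        needed[key].update(rec["perms"])
        if rec["tclass"] == "tcp_socket":
            # name_bind records carry src=, name_connect records carry dest=
            port = rec.get("src") or rec.get("dest")
            ports.append((rec["perms"][0], int(port), type_of(rec["tcontext"])))
    return needed, ports


def unlabeled_ports(ports):
    """Ports that were hit while carrying the generic unreserved_port_t label."""
    return sorted({p for _, p, t in ports if t == "unreserved_port_t"})


if __name__ == "__main__":
    needed, ports = summarize(SAMPLE_AVC.splitlines())
    for (src, tgt, cls), perms in sorted(needed.items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    print("ports still labelled unreserved_port_t:", unlabeled_ports(ports))
```

Run on the records above, the grouping yields four distinct (source, target, class) triples, and the port view shows both 6444 and 6445 carrying unreserved_port_t, which is why a policy fix has to label the ports rather than only add allow rules against the generic port type.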

Comment 1 Miroslav Grepl 2013-05-16 11:48:36 UTC
Is 6445/tcp a default port?

Comment 2 Orion Poplawski 2013-05-16 13:17:52 UTC
Yes, from /etc/services:

sge_qmaster     6444/tcp  sge-qmaster   # Grid Engine Qmaster Service
sge_execd       6445/tcp  sge-execd     # Grid Engine Execution Service

Comment 3 Miroslav Grepl 2013-05-16 13:25:14 UTC
Ah, yes. I missed it.

Comment 4 Miroslav Grepl 2013-05-16 13:33:51 UTC
commit 92b34f461695df146f0c216c9e4bea64f3e2d4dd
Author: Miroslav Grepl <mgrepl>
Date:   Thu May 16 15:33:33 2013 +0200

    Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files

Comment 5 Orion Poplawski 2013-05-16 16:06:44 UTC
What git repo is that commit for?  I'd like to follow along.

Comment 6 Daniel Walsh 2013-05-16 17:32:29 UTC
git.fedorahosted.org/git/selinux-policy.git

Comment 7 Miroslav Grepl 2013-05-16 19:44:22 UTC
A new F18 build will be done by Friday.

Comment 8 Orion Poplawski 2013-05-16 19:56:26 UTC
(In reply to comment #6)
> git.fedorahosted.org/git/selinux-policy.git

Thanks.  This isn't mentioned in the selinux-policy.spec file.  The Url instead is: http://oss.tresys.com/repos/refpolicy/.  Perhaps that should be updated?

Comment 9 Orion Poplawski 2013-05-16 21:56:00 UTC
I don't really understand SELinux port stuff, but FWIW sge_execd will bind locally to port 6445 and connect remotely to port 6444.  sge_qmaster (and sge_shadowd) will bind locally to port 6444.  It probably connects to the execd sometimes as well.

Comment 10 Miroslav Grepl 2013-05-17 06:54:57 UTC
Ah, I missed

type=AVC msg=audit(1368632408.874:279): avc:  denied  { name_connect } for  pid=4287 comm="sge_execd" dest=6444 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

I treat these ports as sge_port_t. The point is sge_* processes run as sge_execd_t.

What does 

# ps -eZ |grep sge

show on your system?

Comment 11 Orion Poplawski 2013-05-17 15:11:54 UTC
Okay, I wasn't sure if you had a sge_execd_port_t and sge_master_port_t.

In permissive mode, to allow it to start:
system_u:system_r:sge_execd_t:s0 12648 ?       00:00:00 sge_execd
system_u:system_r:sge_execd_t:s0 12657 ?       00:00:00 cora.sh

cora.sh is my locally defined load monitor script that sge_execd starts.

Comment 12 Miroslav Grepl 2013-05-20 09:33:10 UTC
Ok. Please try to test the latest f18 policy.

# yum update --enablerepo=updates-testing selinux-policy-targeted

Comment 13 Orion Poplawski 2013-05-20 14:58:30 UTC
That works, thanks.