Red Hat Bugzilla – Bug 1013702
Missing SELinux rules to access configuration directory
Last modified: 2013-10-14 13:21:33 EDT
Created attachment 805303
Excerpt from audit.log after setting setenforce 0, starting htcondor and calling few commands
Description of problem:
Using the latest version of condor for F19 (condor-8.1.1-0.2.fc19.x86_64, but also using 8.1.0-0.2), htcondor daemons can't access the configuration directory (by default /etc/condor). It seems that /etc/condor is now labeled as condor_etc_rw_t, but the daemons can't access it.
The error can be reproduced just by starting condor. condor_status returns an error:
CEDAR:6001:Failed to connect to <x.y.z.t:9618>
while condor_status -direct $HOSTNAME works. condor_q works too.
After setting 'setenforce 0' I can see all the errors from the pre-defined daemons (master, collector, negotiator, schedd), and audit2allow suggests:
#============= condor_collector_t ==============
allow condor_collector_t condor_etc_rw_t:dir read;
#============= condor_master_t ==============
allow condor_master_t condor_etc_rw_t:dir read;
#============= condor_negotiator_t ==============
allow condor_negotiator_t condor_etc_rw_t:dir read;
#============= condor_schedd_t ==============
allow condor_schedd_t condor_etc_rw_t:dir read;
Most probably also all the other htcondor daemons which have a specific context (schedd, kbdd?) should get a rule for this as well.
$CondorVersion: 8.1.1 Sep 25 2013 BuildID: RH-8.1.1-0.2.fc19 $
$CondorPlatform: X86_64-Fedora_19 $
c057891eda1df81b566e375c46c62d711cfa3c8e fixes this in git.
selinux-policy-3.12.1-74.9.fc19 has been submitted as an update for Fedora 19.
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.9.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.9.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.