Bug 1032721 - Condor doesn't start with selinux enabled
Condor doesn't start with selinux enabled
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-20 11:31 EST by Stanislav Graf
Modified: 2013-12-03 05:33 EST (History)
11 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.14.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-03 05:33:31 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
condor avc messages (17.25 KB, text/plain)
2013-11-21 03:51 EST, Stanislav Graf
no flags Details

  None (edit)
Description Stanislav Graf 2013-11-20 11:31:35 EST
Description of problem:
# getenforce
Enforcing
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

-> condor_schedd and condor_negotiator use 100% of CPU

# condor_status
# echo $?
0

# tail /var/log/condor/NegotiatorLog 
11/20/13 16:25:51 ---------- Started Negotiation Cycle ----------
11/20/13 16:25:51 Phase 1:  Obtaining ads from collector ...
11/20/13 16:25:51   Getting Scheduler, Submitter and Machine ads ...
11/20/13 16:25:51 Couldn't fetch ads: can't find collector
11/20/13 16:25:51 Aborting negotiation cycle
11/20/13 16:26:51 ---------- Started Negotiation Cycle ----------
11/20/13 16:26:51 Phase 1:  Obtaining ads from collector ...
11/20/13 16:26:51   Getting Scheduler, Submitter and Machine ads ...
11/20/13 16:26:51 Couldn't fetch ads: can't find collector
11/20/13 16:26:51 Aborting negotiation cycle

# ausearch -m avc -ts recent -sv no
<no matches>
# setenforce 0
# getenforce 
Permissive
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

# condor_status 
Name               OpSys      Arch   State     Activity LoadAv Mem   ActvtyTime

localhost.localdom LINUX      X86_64 Unclaimed Benchmar  1.950  995  0+00:00:04
                     Machines Owner Claimed Unclaimed Matched Preempting

        X86_64/LINUX        1     0       0         1       0          0

               Total        1     0       0         1       0          0

-> condor_schedd and condor_negotiator DOESN'T use 100% of CPU

Version-Release number of selected component (if applicable):
# rpm -qa '*condor*' | sort
condor-8.1.1-0.3.fc19.x86_64
condor-classads-8.1.1-0.3.fc19.x86_64
condor-procd-8.1.1-0.3.fc19.x86_64

How reproducible:
100%

Steps to Reproduce:
1. service condor restart
2. watch negotiator and scheduler in top
3. condor_status

Actual results:
condor_schedd and condor_negotiator use 100% of CPU
Couldn't fetch ads: can't find collector

Expected results:
condor_schedd and condor_negotiator DOESN'T use 100% of CPU
condor_status works

Additional info:
Comment 1 Stanislav Graf 2013-11-20 11:43:13 EST
I have latest F19 with latest packages:
selinux-policy-3.12.1-74.11.fc19.noarch
selinux-policy-targeted-3.12.1-74.11.fc19.noarch
Comment 2 Stanislav Graf 2013-11-20 11:49:00 EST
# service auditd stop
Stopping logging:                                          [  OK  ]
# rm -f /var/log/audit/audit.log 
# service auditd start
Redirecting to /bin/systemctl start  auditd.service
# ls -l /var/log/audit/audit.log 
-rw-------. 1 root root 187 Nov 20 16:44 /var/log/audit/audit.log
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

wait and then cat logfile:

# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1384965888.280:3108): auditd start, ver=2.3.2 format=raw kernel=3.11.8-200.fc19.x86_64 auid=4294967295 pid=1552 subj=system_u:system_r:auditd_t:s0 res=success
type=SERVICE_STOP msg=audit(1384965897.679:546): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1384965897.685:547): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Comment 3 Daniel Walsh 2013-11-20 15:15:59 EST
Those are not avc messages?  Are you still seeing failures?
Comment 4 Miroslav Grepl 2013-11-20 17:20:03 EST
If yes, just re-test it and run

# ausearch -m avc,user_avc -ts recent
Comment 5 Stanislav Graf 2013-11-21 03:05:00 EST
(1) I've started machine
condor broken
# ausearch -m avc,user_avc -ts recent
<no matches>

(2) restart condor
# service condor restart
Redirecting to /bin/systemctl restart  condor.service

condor broken
# ausearch -m avc,user_avc -ts recent
<no matches>

(3) disable selinux
# setenforce 0
# getenforce 
Permissive

(4) repeat (2)

condor works

# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

(5) enable again selinux
# setenforce 1
# getenforce 
Enforcing

(6) repeat (2)

condor broken

# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Nov 21 08:02:02 2013
type=USER_AVC msg=audit(1385020922.632:548): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


---> I think this is selinux issue if it can be fixed by Permissive mode and triggered back by Enforcing mode.
Comment 6 Miroslav Grepl 2013-11-21 03:37:45 EST
It works for me on F20. 

Lukas,
could you test it on F19?


Stanislav,
could you try to run

# semodule -DB
re-test
# ausearch -m avc,user_avc -ts recent
Comment 7 Stanislav Graf 2013-11-21 03:51:45 EST
Created attachment 827063 [details]
condor avc messages
Comment 8 Miroslav Grepl 2013-11-21 04:17:25 EST
If you execute

# grep udp_socket condor-avc.txt | audit2allow -M mypol
# semodule -i mypol.pp

does it help?
Comment 9 Stanislav Graf 2013-11-21 04:40:30 EST
(In reply to Miroslav Grepl from comment #8)

Yes, this fixed my issue.
Comment 10 Miroslav Grepl 2013-11-21 04:53:27 EST
Thank you for testing.

Please run

# semodule -B

to enabled "dontaudit" rules.

commit ef59b516687408aa6c9a55659741f7449676e4b0
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Nov 21 10:52:05 2013 +0100

    Allow condor domains to read/write condor_master udp_socket
Comment 11 Fedora Update System 2013-11-26 09:23:10 EST
selinux-policy-3.12.1-74.14.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.14.fc19
Comment 12 Fedora Update System 2013-11-26 23:30:26 EST
Package selinux-policy-3.12.1-74.14.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.14.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22197/selinux-policy-3.12.1-74.14.fc19
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2013-12-03 05:33:31 EST
selinux-policy-3.12.1-74.14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.