Description of problem:

# getenforce
Enforcing
# service condor restart
Redirecting to /bin/systemctl restart condor.service

-> condor_schedd and condor_negotiator use 100% of CPU

# condor_status
# echo $?
0
# tail /var/log/condor/NegotiatorLog
11/20/13 16:25:51 ---------- Started Negotiation Cycle ----------
11/20/13 16:25:51 Phase 1: Obtaining ads from collector ...
11/20/13 16:25:51 Getting Scheduler, Submitter and Machine ads ...
11/20/13 16:25:51 Couldn't fetch ads: can't find collector
11/20/13 16:25:51 Aborting negotiation cycle
11/20/13 16:26:51 ---------- Started Negotiation Cycle ----------
11/20/13 16:26:51 Phase 1: Obtaining ads from collector ...
11/20/13 16:26:51 Getting Scheduler, Submitter and Machine ads ...
11/20/13 16:26:51 Couldn't fetch ads: can't find collector
11/20/13 16:26:51 Aborting negotiation cycle
# ausearch -m avc -ts recent -sv no
<no matches>

# setenforce 0
# getenforce
Permissive
# service condor restart
Redirecting to /bin/systemctl restart condor.service
# condor_status
Name               OpSys      Arch   State     Activity LoadAv Mem   ActvtyTime

localhost.localdom LINUX      X86_64 Unclaimed Benchmar 1.950  995  0+00:00:04

             Machines Owner Claimed Unclaimed Matched Preempting
X86_64/LINUX        1     0       0         1       0          0
       Total        1     0       0         1       0          0

-> condor_schedd and condor_negotiator DON'T use 100% of CPU

Version-Release number of selected component (if applicable):
# rpm -qa '*condor*' | sort
condor-8.1.1-0.3.fc19.x86_64
condor-classads-8.1.1-0.3.fc19.x86_64
condor-procd-8.1.1-0.3.fc19.x86_64

How reproducible:
100%

Steps to Reproduce:
1. service condor restart
2. watch negotiator and scheduler in top
3. condor_status

Actual results:
condor_schedd and condor_negotiator use 100% of CPU
Couldn't fetch ads: can't find collector

Expected results:
condor_schedd and condor_negotiator DON'T use 100% of CPU
condor_status works

Additional info:
I have the latest F19 with the latest packages:
selinux-policy-3.12.1-74.11.fc19.noarch
selinux-policy-targeted-3.12.1-74.11.fc19.noarch
# service auditd stop
Stopping logging: [ OK ]
# rm -f /var/log/audit/audit.log
# service auditd start
Redirecting to /bin/systemctl start auditd.service
# ls -l /var/log/audit/audit.log
-rw-------. 1 root root 187 Nov 20 16:44 /var/log/audit/audit.log
# service condor restart
Redirecting to /bin/systemctl restart condor.service

wait and then cat logfile:

# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1384965888.280:3108): auditd start, ver=2.3.2 format=raw kernel=3.11.8-200.fc19.x86_64 auid=4294967295 pid=1552 subj=system_u:system_r:auditd_t:s0 res=success
type=SERVICE_STOP msg=audit(1384965897.679:546): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1384965897.685:547): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="condor" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Those are not avc messages? Are you still seeing failures?
If yes, just re-test it and run

# ausearch -m avc,user_avc -ts recent
(1) I've started machine
condor broken
# ausearch -m avc,user_avc -ts recent
<no matches>

(2) restart condor
# service condor restart
Redirecting to /bin/systemctl restart condor.service
condor broken
# ausearch -m avc,user_avc -ts recent
<no matches>

(3) disable selinux
# setenforce 0
# getenforce
Permissive

(4) repeat (2)
condor works
# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

(5) enable again selinux
# setenforce 1
# getenforce
Enforcing

(6) repeat (2)
condor broken
# ausearch -m avc,user_avc -ts recent
----
time->Thu Nov 21 08:00:03 2013
type=USER_AVC msg=audit(1385020803.567:537): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Nov 21 08:02:02 2013
type=USER_AVC msg=audit(1385020922.632:548): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

---> I think this is a selinux issue if it can be fixed by Permissive mode and triggered back by Enforcing mode.
It works for me on F20. Lukas, could you test it on F19?

Stanislav, could you try to run

# semodule -DB

re-test

# ausearch -m avc,user_avc -ts recent
Created attachment 827063 [details] condor avc messages
If you execute

# grep udp_socket condor-avc.txt | audit2allow -M mypol
# semodule -i mypol.pp

does it help?
(In reply to Miroslav Grepl from comment #8) Yes, this fixed my issue.
Thank you for testing. Please run

# semodule -B

to enable "dontaudit" rules.

commit ef59b516687408aa6c9a55659741f7449676e4b0
Author: Miroslav Grepl <mgrepl>
Date: Thu Nov 21 10:52:05 2013 +0100

    Allow condor domains to read/write condor_master udp_socket
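Added example, not part of the bug thread or of selinux-policy: with dontaudit rules switched off by `semodule -DB`, the audit log holds more denials than the one being chased, so it helps to see exactly which rules a class-filtered set of AVC records (the `grep udp_socket` step above) would turn into before loading a local module. The audit records, type names and inode below are constructed for illustration; the real ones are in the attachment.

```python
import re
from collections import defaultdict

# Constructed sample records (not the bug's attachment); the condor type
# names, pids and socket inode are assumptions made for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1385020000.101:601): avc:  denied  { read write } for  pid=2101 comm="condor_schedd" path="socket:[20001]" dev="sockfs" ino=20001 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385020000.102:602): avc:  denied  { read write } for  pid=2102 comm="condor_negotiat" path="socket:[20001]" dev="sockfs" ino=20001 scontext=system_u:system_r:condor_negotiator_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385020000.103:603): avc:  denied  { read } for  pid=2101 comm="condor_schedd" path="socket:[20001]" dev="sockfs" ino=20001 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=udp_socket
type=AVC msg=audit(1385020000.104:604): avc:  denied  { getattr } for  pid=2101 comm="condor_schedd" path="/etc/example" dev="dm-1" ino=300 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AVC msg=audit(1385020922.632:548): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Matches kernel AVC denials only; USER_AVC notices such as the setenforce
# messages seen earlier in the thread carry no "denied" and are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def summarize_denials(text, tclass=None):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or (tclass and m['cls'] != tclass):
            continue
        key = (context_type(m['s']), context_type(m['t']), m['cls'])
        rules[key].update(m['perms'].split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the groups in policy-language form, for review only."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT, tclass="udp_socket")):
        print(rule)
```

Calling `summarize_denials` without `tclass` shows what an unfiltered log would have added to the module, here an extra `file` rule unrelated to the socket problem.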
selinux-policy-3.12.1-74.14.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.14.fc19
Package selinux-policy-3.12.1-74.14.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.14.fc19'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22197/selinux-policy-3.12.1-74.14.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.14.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.