Bug 1295790 - SELinux is breaking condor
SELinux is breaking condor
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: condor (Show other bugs)
25
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: matt
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-05 08:12 EST by Knut J BJuland
Modified: 2017-12-12 06:08 EST (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-12 06:08:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Knut J BJuland 2016-01-05 08:12:52 EST
Description of problem:
usr/bin/docker info' did not exit successfully 
Version-Release number of selected component (if applicable): WARNING: Error loading config file:stat /root/.docker/config.json: permission denied'

How reproducible:
install docker and condor


Steps to Reproduce:
1. install all condor and all docker rpms
2. systemctl start docker, systemctl start condor
3. watch in condor log file and find Error loading config file:stat /root/.docker/config.json: permission denied'.

Actual results:
docker should work

Expected results:


Additional info:
Comment 1 Knut J BJuland 2016-01-05 08:14:14 EST
Update with right versionContainers: 0
Images: 0
Server Version: 1.9.1-fc23
Storage Driver: devicemapper
 Pool Name: docker-8:36-27133951-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 107.4 GB
 Backing Filesystem: 
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 53.74 MB
 Data Space Total: 107.4 GB
 Data Space Available: 107.3 GB
 Metadata Space Used: 606.2 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.109 (2015-09-22)
Execution Driver: native-0.2
Logging Driver: journald
Kernel Version: 4.2.8-300.fc23.x86_64
Operating System: Fedora 23 (Workstation Edition)
CPUs: 12
Total Memory: 31.32 GiB
Name: uefi_super_knut
ID: KCYY:LCDL:PFII:4RIJ:UVQY:HLWS:KEQW:QY5U:GYJM:NYSK:2PEE:AQ3Y
Comment 2 Daniel Walsh 2016-02-22 14:35:47 EST
Could you see if this is an SELinux issue?

ausearch -m avc -ts recent

After it happens.
Comment 3 Knut J BJuland 2017-03-13 07:51:03 EDT
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.809:480): avc:  denied  { open } for  pid=181458 comm="cat" path="/proc/sys/fs/file-max" dev="proc" ino=14116 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:481): avc:  denied  { open } for  pid=181460 comm="cat" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:482): avc:  denied  { open } for  pid=181457 comm="linux_kernel_tu" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:483): avc:  denied  { open } for  pid=181457 comm="linux_kernel_tu" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.813:484): avc:  denied  { open } for  pid=181461 comm="cat" path="/proc/sys/net/core/somaxconn" dev="proc" ino=25945 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.814:485): avc:  denied  { open } for  pid=181462 comm="cat" path="/proc/sys/net/core/rmem_max" dev="proc" ino=15331 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
Comment 4 Knut J BJuland 2017-03-13 07:54:58 EDT
I have add requested data.Duplicated in 1422529, 1422570 and 1423388. 

I got the message above when i start condor with sudo systemctl start condor. 
condor_q give me this message with selinux
ondor_q

-- Failed to fetch ads from: <10.0.0.70:9618?addrs=10.0.0.70-9618&noUDP&sock=181456_4d36_4> : localhost
SECMAN:2007:Failed to end classad message.

and as rootsudo condor_q


-- Schedd: localhost : <10.0.0.70:40057>
 ID      OWNER            SUBMITTED     RUN_TIME ST PRI SIZE CMD
   3.0   knutjbj         2/15 13:09   1+02:07:21 I  0    0.0 cluster2_sentinel.ORRE7he4q9G0q
   5.0   knutjbj         2/15 13:09   1+01:39:05 I  0    4.0 cluster4_sentinel.MzpMMZUsfXmfM
   8.0   knutjbj         2/17 09:26   1+00:51:02 I  0    4.0 cluster7_sentinel.fBgKqPDIyGUzu
  10.0   knutjbj         2/17 09:26   1+01:23:24 I  0   18.0 cluster9_sentinel.DssrmYuoVbVNo
  14.0   knutjbj         2/18 06:23   0+23:06:32 I  0   15.0 cluster13_sentinel.VoBL1ojLakeg2

5 jobs; 0 completed, 0 removed, 5 idle, 0 running, 0 held, 0 suspended

When I disable selinux
sudo systemctl start condor
[knutjbj@uefiknut ~]$ condor_q


-- Schedd: localhost : <10.0.0.70:9618?...
 ID      OWNER            SUBMITTED     RUN_TIME ST PRI SIZE CMD
   3.0   knutjbj         2/15 13:09   1+02:07:21 I  0    0.0 cluster2_sentinel.ORRE7he4q9G0q
   5.0   knutjbj         2/15 13:09   1+01:39:05 I  0    4.0 cluster4_sentinel.MzpMMZUsfXmfM
   8.0   knutjbj         2/17 09:26   1+00:51:02 I  0    4.0 cluster7_sentinel.fBgKqPDIyGUzu
  10.0   knutjbj         2/17 09:26   1+01:23:24 I  0   18.0 cluster9_sentinel.DssrmYuoVbVNo
  14.0   knutjbj         2/18 06:23   0+23:06:32 I  0   15.0 cluster13_sentinel.VoBL1ojLakeg2

5 jobs; 0 completed, 0 removed, 5 idle, 0 running, 0 held, 0 suspended
Comment 5 Daniel Walsh 2017-03-13 08:26:01 EDT
These AVC's have nothing to do with docker
Comment 6 Brian Bockelman 2017-03-13 23:50:00 EDT
Hi Knut!

I think Ben is working on an update currently -- upstream has a few SELinux-related fixes for the policy distributed by the condor RPM.

Dan is correct: these AVCs aren't related to Docker, but these do look suspiciously familiar.

There probably _are_ other AVCs in your logs (particularly, a lot of the shipped policy caused a crazy number of denials when using the Docker universe).

Let's wait a few more days and see if this clears up as part of the planned update.

HTH

Brian
Comment 7 Knut J BJuland 2017-03-24 09:48:59 EDT
Hi Brian

Which version of selinux-policy-target will contain thesse fixes?

Knut J
Comment 8 Fedora Update System 2017-04-04 09:01:54 EDT
condor-8.6.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc65fbb48c
Comment 9 Fedora Update System 2017-04-04 19:53:12 EDT
condor-8.6.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc65fbb48c
Comment 10 Knut J BJuland 2017-04-06 08:28:27 EDT
Will fedora 25 be updated as well?
Comment 11 Ben Cotton 2017-04-06 11:50:57 EDT
Do you have a workaround (that isn't disable SELinux)? If not, I'll update F25, but I'm inclined to not change the release series mid-stream if we can help it.
Comment 12 Knut J BJuland 2017-04-07 13:22:01 EDT
I have disable selinux.
Comment 14 Fedora End Of Life 2017-11-16 14:32:26 EST
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 15 Fedora End Of Life 2017-12-12 06:08:03 EST
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.