Bug 1295790 - SELinux is breaking condor
Status: VERIFIED
Product: Fedora
Classification: Fedora
Component: condor
Version: 25
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: matt
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2016-01-05 08:12 EST by Knut J BJuland
Modified: 2017-04-12 14:51 EDT (History)

Doc Type: Bug Fix
Last Closed: 2016-06-03 09:41:07 EDT
Type: Bug
Description Knut J BJuland 2016-01-05 08:12:52 EST
Description of problem:
usr/bin/docker info' did not exit successfully 
Version-Release number of selected component (if applicable): WARNING: Error loading config file:stat /root/.docker/config.json: permission denied'

How reproducible:
install docker and condor


Steps to Reproduce:
1. install all condor and all docker rpms
2. systemctl start docker, systemctl start condor
3. watch in condor log file and find Error loading config file:stat /root/.docker/config.json: permission denied'.

Actual results:
docker should work

Expected results:


Additional info:
Comment 1 Knut J BJuland 2016-01-05 08:14:14 EST
Update with right version:

Containers: 0
Images: 0
Server Version: 1.9.1-fc23
Storage Driver: devicemapper
 Pool Name: docker-8:36-27133951-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 107.4 GB
 Backing Filesystem: 
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 53.74 MB
 Data Space Total: 107.4 GB
 Data Space Available: 107.3 GB
 Metadata Space Used: 606.2 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.109 (2015-09-22)
Execution Driver: native-0.2
Logging Driver: journald
Kernel Version: 4.2.8-300.fc23.x86_64
Operating System: Fedora 23 (Workstation Edition)
CPUs: 12
Total Memory: 31.32 GiB
Name: uefi_super_knut
ID: KCYY:LCDL:PFII:4RIJ:UVQY:HLWS:KEQW:QY5U:GYJM:NYSK:2PEE:AQ3Y
Comment 2 Daniel Walsh 2016-02-22 14:35:47 EST
Could you see if this is an SELinux issue?

ausearch -m avc -ts recent

After it happens.
Comment 3 Knut J BJuland 2017-03-13 07:51:03 EDT
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.809:480): avc:  denied  { open } for  pid=181458 comm="cat" path="/proc/sys/fs/file-max" dev="proc" ino=14116 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:481): avc:  denied  { open } for  pid=181460 comm="cat" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:482): avc:  denied  { open } for  pid=181457 comm="linux_kernel_tu" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:483): avc:  denied  { open } for  pid=181457 comm="linux_kernel_tu" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.813:484): avc:  denied  { open } for  pid=181461 comm="cat" path="/proc/sys/net/core/somaxconn" dev="proc" ino=25945 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.814:485): avc:  denied  { open } for  pid=181462 comm="cat" path="/proc/sys/net/core/rmem_max" dev="proc" ino=15331 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
Comment 4 Knut J BJuland 2017-03-13 07:54:58 EDT
I have added the requested data. Duplicated in 1422529, 1422570 and 1423388.

I got the message above when I start condor with sudo systemctl start condor.
condor_q gives me this message with SELinux:
condor_q

-- Failed to fetch ads from: <10.0.0.70:9618?addrs=10.0.0.70-9618&noUDP&sock=181456_4d36_4> : localhost
SECMAN:2007:Failed to end classad message.

and as root (sudo condor_q):


-- Schedd: localhost : <10.0.0.70:40057>
 ID      OWNER            SUBMITTED     RUN_TIME ST PRI SIZE CMD
   3.0   knutjbj         2/15 13:09   1+02:07:21 I  0    0.0 cluster2_sentinel.ORRE7he4q9G0q
   5.0   knutjbj         2/15 13:09   1+01:39:05 I  0    4.0 cluster4_sentinel.MzpMMZUsfXmfM
   8.0   knutjbj         2/17 09:26   1+00:51:02 I  0    4.0 cluster7_sentinel.fBgKqPDIyGUzu
  10.0   knutjbj         2/17 09:26   1+01:23:24 I  0   18.0 cluster9_sentinel.DssrmYuoVbVNo
  14.0   knutjbj         2/18 06:23   0+23:06:32 I  0   15.0 cluster13_sentinel.VoBL1ojLakeg2

5 jobs; 0 completed, 0 removed, 5 idle, 0 running, 0 held, 0 suspended

When I disable SELinux:
sudo systemctl start condor
[knutjbj@uefiknut ~]$ condor_q


-- Schedd: localhost : <10.0.0.70:9618?...
 ID      OWNER            SUBMITTED     RUN_TIME ST PRI SIZE CMD
   3.0   knutjbj         2/15 13:09   1+02:07:21 I  0    0.0 cluster2_sentinel.ORRE7he4q9G0q
   5.0   knutjbj         2/15 13:09   1+01:39:05 I  0    4.0 cluster4_sentinel.MzpMMZUsfXmfM
   8.0   knutjbj         2/17 09:26   1+00:51:02 I  0    4.0 cluster7_sentinel.fBgKqPDIyGUzu
  10.0   knutjbj         2/17 09:26   1+01:23:24 I  0   18.0 cluster9_sentinel.DssrmYuoVbVNo
  14.0   knutjbj         2/18 06:23   0+23:06:32 I  0   15.0 cluster13_sentinel.VoBL1ojLakeg2

5 jobs; 0 completed, 0 removed, 5 idle, 0 running, 0 held, 0 suspended
Comment 5 Daniel Walsh 2017-03-13 08:26:01 EDT
These AVCs have nothing to do with docker
Comment 6 Brian Bockelman 2017-03-13 23:50:00 EDT
Hi Knut!

I think Ben is working on an update currently -- upstream has a few SELinux-related fixes for the policy distributed by the condor RPM.

Dan is correct: these AVCs aren't related to Docker, but these do look suspiciously familiar.

There probably _are_ other AVCs in your logs (particularly, a lot of the shipped policy caused a crazy number of denials when using the Docker universe).

Let's wait a few more days and see if this clears up as part of the planned update.

HTH

Brian
Comment 7 Knut J BJuland 2017-03-24 09:48:59 EDT
Hi Brian

Which version of selinux-policy-target will contain these fixes?

Knut J
Comment 8 Fedora Update System 2017-04-04 09:01:54 EDT
condor-8.6.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc65fbb48c
Comment 9 Fedora Update System 2017-04-04 19:53:12 EDT
condor-8.6.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc65fbb48c
Comment 10 Knut J BJuland 2017-04-06 08:28:27 EDT
Will fedora 25 be updated as well?
Comment 11 Ben Cotton 2017-04-06 11:50:57 EDT
Do you have a workaround (that isn't disable SELinux)? If not, I'll update F25, but I'm inclined to not change the release series mid-stream if we can help it.
Comment 12 Knut J BJuland 2017-04-07 13:22:01 EDT
I have disabled SELinux.