Description of problem: After installing and starting condor I get the SELinux denial. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-158.fc23.noarch condor.x86_64 8.5.1-1.fc23 How reproducible: Happened on my machine, I was able to reproduce on a clean install in a VM. Steps to Reproduce: 1. dnf install condor 2. systemctl start condor Additional info: SELinux is preventing condor_master from using the chown capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that condor_master should have the chown capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep condor_master /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:condor_master_t:s0 Target Context system_u:system_r:condor_master_t:s0 Target Objects Unknown [ capability ] Source condor_master Source Path condor_master Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.2.8-300.fc23.x86_64 #1 SMP Tue Dec 15 16:49:06 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2016-01-08 21:03:46 GMT Last Seen 2016-01-08 21:03:46 GMT Local ID 83391fd3-40ee-442c-998a-a2d717b3c213 Raw Audit Messages type=AVC msg=audit(1452287026.112:646): avc: denied { chown } for pid=3421 comm="condor_master" capability=0 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=capability permissive=0 Hash: condor_master,condor_master_t,condor_master_t,capability,chown
commit a665711f5fdf24b5202c65dc17de41eefdf13b6a Author: Lukas Vrabec <lvrabec> Date: Tue Jan 12 16:40:18 2016 +0100 Allow condor_master_t domain capability chown. BZ(1297048)
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Thanks, I think that is getting me further. But now I get a bunch more denials after starting condor. (I made a clean virtual machine, installed selinux-policy-3.13.1-158.2.fc23 and then installed condor). Jan 17 15:48:37 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory fs. For complete SELinux messages. run sealert -l dad96dcb-1c63-4a88-9294-dc4218b9982f Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing linux_kernel_tu from write access on the file pid_max. For complete SELinux messages. run sealert -l de162d98-cd82-445f-9dac-afa97b6089e3 Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing linux_kernel_tu from write access on the file pid_max. For complete SELinux messages. run sealert -l de162d98-cd82-445f-9dac-afa97b6089e3 Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324 Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324 Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324 Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324 Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324 Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498 Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498 Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498 Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498 Should I open a new bug report? Do I need a separate bug for each of these?
Hi, Could you attach: # ausearch -m AVC Thank you.
Created attachment 1115829 [details] auseach output Here is the output from sudo ausearch -m AVC
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.