Bug 1297048 - SELinux is preventing condor_master from using the chown capability.
SELinux is preventing condor_master from using the chown capability.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
23
Unspecified Unspecified
low Severity low
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-08 16:12 EST by Sam Tygier
Modified: 2016-01-21 21:21 EST (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-158.3.fc23 selinux-policy-3.13.1-158.2.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-21 21:21:16 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
auseach output (59.15 KB, text/plain)
2016-01-18 07:31 EST, Sam Tygier
no flags Details

  None (edit)
Description Sam Tygier 2016-01-08 16:12:04 EST
Description of problem:
After installing and starting condor I get the SELinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-158.fc23.noarch
condor.x86_64 8.5.1-1.fc23

How reproducible:
Happened on my machine, I was able to reproduce on a clean install in a VM.

Steps to Reproduce:
1. dnf install condor
2. systemctl start condor

Additional info:
SELinux is preventing condor_master from using the chown capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that condor_master should have the chown capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep condor_master /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:condor_master_t:s0
Target Context                system_u:system_r:condor_master_t:s0
Target Objects                Unknown [ capability ]
Source                        condor_master
Source Path                   condor_master
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.2.8-300.fc23.x86_64
                              #1 SMP Tue Dec 15 16:49:06 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2016-01-08 21:03:46 GMT
Last Seen                     2016-01-08 21:03:46 GMT
Local ID                      83391fd3-40ee-442c-998a-a2d717b3c213

Raw Audit Messages
type=AVC msg=audit(1452287026.112:646): avc:  denied  { chown } for  pid=3421 comm="condor_master" capability=0  scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:system_r:condor_master_t:s0 tclass=capability permissive=0


Hash: condor_master,condor_master_t,condor_master_t,capability,chown
Comment 1 Lukas Vrabec 2016-01-12 10:41:15 EST
commit a665711f5fdf24b5202c65dc17de41eefdf13b6a
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Jan 12 16:40:18 2016 +0100

    Allow condor_master_t domain capability chown. BZ(1297048)
Comment 2 Fedora Update System 2016-01-14 08:15:23 EST
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 3 Fedora Update System 2016-01-15 13:53:25 EST
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 4 Sam Tygier 2016-01-17 11:02:11 EST
Thanks, I think that is getting me further. But now I get a bunch more denials after starting condor. (I made a clean virtual machine, installed selinux-policy-3.13.1-158.2.fc23 and then installed condor).

Jan 17 15:48:37 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory fs. For complete SELinux messages. run sealert -l dad96dcb-1c63-4a88-9294-dc4218b9982f
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing linux_kernel_tu from write access on the file pid_max. For complete SELinux messages. run sealert -l de162d98-cd82-445f-9dac-afa97b6089e3
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing linux_kernel_tu from write access on the file pid_max. For complete SELinux messages. run sealert -l de162d98-cd82-445f-9dac-afa97b6089e3
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:38 localhost.localdomain setroubleshoot[3565]: SELinux is preventing cat from search access on the directory net. For complete SELinux messages. run sealert -l 178146aa-c3d9-4389-8133-ed978e662324
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498
Jan 17 15:48:39 localhost.localdomain setroubleshoot[3565]: SELinux is preventing condor_shared_p from name_connect access on the tcp_socket port 34198. For complete SELinux messages. run sealert -l a2a99dfa-1362-44d5-a3d2-1430c065a498

Should I open a new bug report? Do I need a separate bug for each of these?
Comment 5 Lukas Vrabec 2016-01-18 07:06:12 EST
Hi, 
Could you attach:
# ausearch -m AVC 

Thank you.
Comment 6 Sam Tygier 2016-01-18 07:31 EST
Created attachment 1115829 [details]
auseach output

Here is the output from
sudo ausearch -m AVC
Comment 7 Fedora Update System 2016-01-21 21:20:35 EST
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.