Bug 1307183 - gridengine MPI jobs fail with SELinux denials
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Lukas Vrabec
Miroslav Vadkerti
Reported: 2016-02-12 18:25 EST by Orion Poplawski
Modified: 2017-05-18 07:14 EDT
Type: Bug

Description Orion Poplawski 2016-02-12 18:25:49 EST
Description of problem:

Cross-host mpi jobs run through gridengine/sge fail due to many SELinux denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7.noarch

Initial host machine:
type=AVC msg=audit(1455319362.723:154): avc:  denied  { open } for  pid=5957 comm="ssh" path="/home/orion/.ssh/config" dev="0:46" ino=10490044 scontext=system_u:system_r:sge_job_ssh_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1455319362.726:155): avc:  denied  { name_connect } for  pid=5957 comm="ssh" dest=39374 scontext=system_u:system_r:sge_job_ssh_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1455319362.825:156): avc:  denied  { open } for  pid=5958 comm="ssh-keysign" path="/etc/ssh/ssh_host_dsa_key" dev="sda3" ino=53102399 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=AVC msg=audit(1455319362.826:157): avc:  denied  { read } for  pid=5958 comm="ssh-keysign" name="passwd" dev="sda3" ino=36264502 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1455319362.826:157): avc:  denied  { open } for  pid=5958 comm="ssh-keysign" path="/etc/passwd" dev="sda3" ino=36264502 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1455319362.826:158): avc:  denied  { getattr } for  pid=5958 comm="ssh-keysign" path="/etc/passwd" dev="sda3" ino=36264502 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1455319362.826:159): avc:  denied  { read } for  pid=5958 comm="ssh-keysign" name="passwd" dev="sda3" ino=18101704 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1455319362.826:159): avc:  denied  { open } for  pid=5958 comm="ssh-keysign" path="/var/lib/sss/mc/passwd" dev="sda3" ino=18101704 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1455319362.826:160): avc:  denied  { getattr } for  pid=5958 comm="ssh-keysign" path="/var/lib/sss/mc/passwd" dev="sda3" ino=18101704 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1455319362.828:161): avc:  denied  { getattr } for  pid=5958 comm="ssh-keysign" laddr=10.10.10.201 lport=38145 faddr=10.10.10.202 fport=39374 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:sge_job_ssh_t:s0 tclass=tcp_socket
type=AVC msg=audit(1455319362.828:162): avc:  denied  { read } for  pid=5958 comm="ssh-keysign" name="resolv.conf" dev="sda3" ino=33595525 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1455319362.828:162): avc:  denied  { open } for  pid=5958 comm="ssh-keysign" path="/etc/resolv.conf" dev="sda3" ino=33595525 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1455319362.829:163): avc:  denied  { getattr } for  pid=5958 comm="ssh-keysign" path="/etc/resolv.conf" dev="sda3" ino=33595525 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1455319362.829:164): avc:  denied  { create } for  pid=5958 comm="ssh-keysign" scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:ssh_keysign_t:s0 tclass=udp_socket
type=AVC msg=audit(1455319362.829:165): avc:  denied  { connect } for  pid=5958 comm="ssh-keysign" scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:ssh_keysign_t:s0 tclass=udp_socket
type=AVC msg=audit(1455319362.829:166): avc:  denied  { getattr } for  pid=5958 comm="ssh-keysign" path="socket:[38466]" dev="sockfs" ino=38466 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:ssh_keysign_t:s0 tclass=udp_socket

Remote host:
type=AVC msg=audit(1455319362.740:166): avc:  denied  { getattr } for  pid=5526 comm="sshd" laddr=10.10.10.202 lport=39374 faddr=10.10.10.201 fport=38145 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1455319362.740:167): avc:  denied  { setopt } for  pid=5526 comm="sshd" laddr=10.10.10.202 lport=39374 faddr=10.10.10.201 fport=38145 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1455319362.741:168): avc:  denied  { getopt } for  pid=5526 comm="sshd" laddr=10.10.10.202 lport=39374 faddr=10.10.10.201 fport=38145 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1455319363.108:179): avc:  denied  { getattr } for  pid=5526 comm="sshd" laddr=10.10.10.202 lport=39374 faddr=10.10.10.201 fport=38145 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1455319363.251:186): avc:  denied  { getattr } for  pid=5526 comm="sshd" laddr=10.10.10.202 lport=39374 faddr=10.10.10.201 fport=38145 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket

# getsebool -a | grep sge
sge_domain_can_network_connect --> on
sge_use_nfs --> off
Comment 1 Orion Poplawski 2016-02-12 18:27:59 EST
Sorry, the nfs_t denial is fixed with:

setsebool sge_use_nfs=on
Comment 3 Lukas Vrabec 2016-06-29 12:11:32 EDT
Hi, 
Could you use the following command:
# semanage boolean -m ssh_keysign --on

And then try to reproduce your issue? 

Thank you.
Comment 4 Orion Poplawski 2016-06-29 18:52:55 EDT
Still get on master:

type=AVC msg=audit(1467240065.520:85): avc:  denied  { name_connect } for  pid=5532 comm="ssh" dest=35585 scontext=system_u:system_r:sge_job_ssh_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1467240065.655:86): avc:  denied  { open } for  pid=5533 comm="ssh-keysign" path="/etc/ssh/ssh_host_dsa_key" dev="sda3" ino=52875372 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=AVC msg=audit(1467240065.656:87): avc:  denied  { read } for  pid=5533 comm="ssh-keysign" name="passwd" dev="sda3" ino=33795233 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1467240065.656:87): avc:  denied  { open } for  pid=5533 comm="ssh-keysign" path="/etc/passwd" dev="sda3" ino=33795233 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1467240065.656:88): avc:  denied  { getattr } for  pid=5533 comm="ssh-keysign" path="/etc/passwd" dev="sda3" ino=33795233 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1467240065.656:89): avc:  denied  { read } for  pid=5533 comm="ssh-keysign" name="passwd" dev="sda3" ino=17671904 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1467240065.656:89): avc:  denied  { open } for  pid=5533 comm="ssh-keysign" path="/var/lib/sss/mc/passwd" dev="sda3" ino=17671904 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1467240065.656:90): avc:  denied  { getattr } for  pid=5533 comm="ssh-keysign" path="/var/lib/sss/mc/passwd" dev="sda3" ino=17671904 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1467240065.658:91): avc:  denied  { getattr } for  pid=5533 comm="ssh-keysign" laddr=10.10.10.202 lport=36702 faddr=10.10.10.203 fport=35585 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:sge_job_ssh_t:s0 tclass=tcp_socket
type=AVC msg=audit(1467240065.658:92): avc:  denied  { read } for  pid=5533 comm="ssh-keysign" name="resolv.conf" dev="sda3" ino=33595525 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1467240065.658:92): avc:  denied  { open } for  pid=5533 comm="ssh-keysign" path="/etc/resolv.conf" dev="sda3" ino=33595525 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1467240065.659:93): avc:  denied  { getattr } for  pid=5533 comm="ssh-keysign" path="/etc/resolv.conf" dev="sda3" ino=33595525 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1467240065.659:94): avc:  denied  { create } for  pid=5533 comm="ssh-keysign" scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:ssh_keysign_t:s0 tclass=udp_socket
type=AVC msg=audit(1467240065.659:95): avc:  denied  { connect } for  pid=5533 comm="ssh-keysign" scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:ssh_keysign_t:s0 tclass=udp_socket
type=AVC msg=audit(1467240065.659:96): avc:  denied  { getattr } for  pid=5533 comm="ssh-keysign" path="socket:[38189]" dev="sockfs" ino=38189 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:system_r:ssh_keysign_t:s0 tclass=udp_socket

On second:
type=AVC msg=audit(1467239926.328:49): avc:  denied  { execute_no_trans } for  pid=2561 comm="ldd" path="/usr/lib/ld-2.17.so" dev="sda3" ino=1665671 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
type=AVC msg=audit(1467240065.365:84): avc:  denied  { relabelfrom } for  pid=5449 comm="chcon" name="krb5cc_sge_A6EC8x" dev="tmpfs" ino=38316 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:sge_tmp_t:s0 tclass=file
type=AVC msg=audit(1467240065.365:84): avc:  denied  { relabelto } for  pid=5449 comm="chcon" name="krb5cc_sge_A6EC8x" dev="tmpfs" ino=38316 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1467240065.533:85): avc:  denied  { getattr } for  pid=5457 comm="sshd" laddr=10.10.10.203 lport=35585 faddr=10.10.10.202 fport=36702 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1467240065.533:86): avc:  denied  { setopt } for  pid=5457 comm="sshd" laddr=10.10.10.203 lport=35585 faddr=10.10.10.202 fport=36702 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1467240065.533:87): avc:  denied  { getopt } for  pid=5457 comm="sshd" laddr=10.10.10.203 lport=35585 faddr=10.10.10.202 fport=36702 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1467240066.307:104): avc:  denied  { getattr } for  pid=5457 comm="sshd" laddr=10.10.10.203 lport=35585 faddr=10.10.10.202 fport=36702 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1467240074.586:119): avc:  denied  { getattr } for  pid=5457 comm="sshd" laddr=10.10.10.203 lport=35585 faddr=10.10.10.202 fport=36702 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket

sge_domain_can_network_connect --> on
sge_use_nfs --> on
ssh_chroot_rw_homedirs --> off
ssh_keysign --> on

selinux-policy-targeted-3.13.1-60.el7_2.7.noarch

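The denial lists in the description and in comment 4 are easiest to reason about once they are collapsed by source domain, target type and object class, which is what audit2allow does before it proposes rules. The following is an added example, not part of the bug report or of selinux-policy; the sample records are copies of lines from this report, and the parser relies only on the fixed field order of kernel AVC messages.

```python
import re
from collections import defaultdict

# Fields of an AVC record that matter for policy analysis (order is fixed in audit output).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(ctx):
    """Pick the type out of user:role:type[:range]; works for file and process contexts."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["sctx"]), context_type(m["tctx"]), m["tclass"],
            frozenset(m["perms"].split()))

def summarize(lines):
    """Merge denials by (source, target, class), as audit2allow does before emitting rules."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            rules[(src, tgt, cls)] |= perms
    return dict(rules)

def allow_rules(summary):
    """Render the merged denials as TE allow statements, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

# Constructed sample: five records copied from the report above.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1455319362.726:155): avc:  denied  { name_connect } for  pid=5957 comm="ssh" dest=39374 scontext=system_u:system_r:sge_job_ssh_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1455319362.826:157): avc:  denied  { read } for  pid=5958 comm="ssh-keysign" name="passwd" dev="sda3" ino=36264502 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1455319362.826:157): avc:  denied  { open } for  pid=5958 comm="ssh-keysign" path="/etc/passwd" dev="sda3" ino=36264502 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1455319362.826:158): avc:  denied  { getattr } for  pid=5958 comm="ssh-keysign" path="/etc/passwd" dev="sda3" ino=36264502 scontext=system_u:system_r:ssh_keysign_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1455319362.740:166): avc:  denied  { getattr } for  pid=5526 comm="sshd" laddr=10.10.10.202 lport=39374 faddr=10.10.10.201 fport=38145 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sge_shepherd_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_DENIALS)):
        print(rule)
```

The output is what audit2allow would propose as a local module; the thread shows that for some of these (the nfs_t and ssh-keysign denials) the intended fix is an existing boolean, so compare each merged rule against `getsebool -a` before loading a custom module.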