Submitted a VM Universe job, which seems to create some files that xen needs to read under /var/lib/condor/execute, but cannot because SELinux context is not correct.

host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc: denied { write } for pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_std_file" dev=sda5 ino=2291153 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc: denied { write } for pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_error_file" dev=sda5 ino=2291154 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc: denied { read write } for pid=4145 comm="virsh" path="socket:[16980714]" dev=sockfs ino=16980714 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=tcp_socket
host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc: denied { read write } for pid=4145 comm="virsh" path="socket:[16980715]" dev=sockfs ino=16980715 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=udp_socket
host=<hidden> type=SYSCALL msg=audit(1227023889.424:17489): arch=40000003 syscall=11 success=yes exit=0 a0=99d0770 a1=99d0858 a2=99bff98 a3=0 items=0 ppid=4139 pid=4145 auid=3276 uid=0 gid=104 euid=0 suid=0 fsuid=0 egid=104 sgid=104 fsgid=104 tty=(none) ses=2858 comm="virsh" exe="/usr/bin/virsh" subj=user_u:system_r:xm_t:s0 key=(null)
To get this out the door, we really need to run the fgrid process that is starting jobs in some other context than initrc_t. If you are running as initrc_t and run a confined application, a transition will happen and bad stuff will happen like we see above. In Fedora 11 we need to start thinking about how to handle confined domains as condor jobs, so if I am shipping over data that has to be writable to xen or xm, it is labeled appropriately. What is the daemon that is running xm/xen in this case?
The path is condor_master -> condor_startd -> condor_starter -> condor_vm-gahp -> shell script -> virsh

As per discussion about this I'm going to add the following to the condor package's %post script...

semanage fcontext -a -t unconfined_execmem_exec_t %_sbindir/condor_startd
restorecon %_sbindir/condor_startd
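The two kinds of denial in the first comment call for two different fixes: the var_lib_t file denials are a labeling problem, while the socket denials show xm_t touching descriptors that carry the parent's initrc_t domain, which is the "wrong starting domain" problem the second comment describes. As an added example (not code from this bug or from condor), the parser below reads the AVC records quoted above, reassembled one per line as constructed input, and sorts each group of denials into one of those two fix categories using only standard audit field names.

```python
import re

# Constructed sample: the four AVC records quoted in this bug, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1227023889.424:17489): avc: denied { write } for pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_std_file" dev=sda5 ino=2291153 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1227023889.424:17489): avc: denied { write } for pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_error_file" dev=sda5 ino=2291154 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1227023889.424:17489): avc: denied { read write } for pid=4145 comm="virsh" path="socket:[16980714]" dev=sockfs ino=16980714 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1227023889.424:17489): avc: denied { read write } for pid=4145 comm="virsh" path="socket:[16980715]" dev=sockfs ino=16980715 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=udp_socket
"""

PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial: the permission list plus every key=value field."""
    denials = []
    for line in text.splitlines():
        perms = PERMS_RE.search(line)
        if "type=AVC" not in line or not perms:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rec["perms"] = perms.group(1).split()
        denials.append(rec)
    return denials

def triage(denials):
    """Group denials by (source domain, target type, class) and name the fix each group needs."""
    groups = {}
    for d in denials:
        src = d["scontext"].split(":")[2]            # type field of user:role:type:level
        trole, tgt = d["tcontext"].split(":")[1:3]
        g = groups.setdefault((src, tgt, d["tclass"]), {"perms": set(), "paths": [], "fix": None})
        g["perms"].update(d["perms"])
        if d.get("path"):
            g["paths"].append(d["path"])
        # object_r marks a file-system object: the file carries a type the source domain
        # may not write, so the remedy is a file context (semanage fcontext + restorecon).
        # Any other role means the target is a process domain, i.e. a descriptor inherited
        # from the parent; the remedy is to start the job chain from a different domain.
        g["fix"] = "relabel" if trole == "object_r" else "parent-domain"
    return groups

if __name__ == "__main__":
    for key, g in triage(parse_avc(SAMPLE_AVC)).items():
        print(key, sorted(g["perms"]), g["fix"], g["paths"])
```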
Created attachment 323968

This tar ball contains policy to define a type and context for condor. It will run the condor_startd daemon as an unconfined domain named condor_t. I have included the commands to make the policy in the prep stage of your package, and the install.sh is the code that would be required in your post install.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0036.html