Bug 472084 - VM Universe needs proper SELinux contexts set for files created under /var/lib/condor/execute
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: grid
Version: 1.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: 1.1
Target Release: ---
Assigned To: Matthew Farrellee
QA Contact: Kim van der Riet
Reported: 2008-11-18 11:53 EST by Jeff Needle
Modified: 2009-02-04 11:04 EST
Fixed In Version: condor 7.2.0-0.2
Doc Type: Bug Fix
Last Closed: 2009-02-04 11:04:03 EST
Attachments
This tar ball contains policy to define a type and context for condor. (14.85 KB, application/x-compressed-tar)
2008-11-18 16:54 EST, Daniel Walsh
Description Jeff Needle 2008-11-18 11:53:51 EST
Submitted a VM Universe job, which seems to create some files that xen needs to read under /var/lib/condor/execute, but cannot because the SELinux context is not correct.

host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc:  denied  { write } for  pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_std_file" dev=sda5 ino=2291153 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file

host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc:  denied  { write } for  pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_error_file" dev=sda5 ino=2291154 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file

host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc:  denied  { read write } for  pid=4145 comm="virsh" path="socket:[16980714]" dev=sockfs ino=16980714 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=tcp_socket

host=<hidden> type=AVC msg=audit(1227023889.424:17489): avc:  denied  { read write } for  pid=4145 comm="virsh" path="socket:[16980715]" dev=sockfs ino=16980715 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=udp_socket

host=<hidden> type=SYSCALL msg=audit(1227023889.424:17489): arch=40000003 syscall=11 success=yes exit=0 a0=99d0770 a1=99d0858 a2=99bff98 a3=0 items=0 ppid=4139 pid=4145 auid=3276 uid=0 gid=104 euid=0 suid=0 fsuid=0 egid=104 sgid=104 fsgid=104 tty=(none) ses=2858 comm="virsh" exe="/usr/bin/virsh" subj=user_u:system_r:xm_t:s0 key=(null)
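The denials above can be triaged mechanically. The following is an added example, not code from the bug report or from Condor, that parses the four AVC records quoted in the description and separates the two causes the thread discusses: job files under /var/lib/condor/execute that carry the generic var_lib_t label, and sockets inherited from an initrc_t parent. The EXECUTE_DIR value and the category names are this example's own assumptions.

```python
import re

# Sample input: the four AVC records quoted in the bug description, re-joined
# onto one line each with the host= prefix dropped (constructed for this example).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1227023889.424:17489): avc:  denied  { write } for  pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_std_file" dev=sda5 ino=2291153 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1227023889.424:17489): avc:  denied  { write } for  pid=4145 comm="virsh" path="/var/lib/condor/execute/dir_4132/xm_error_file" dev=sda5 ino=2291154 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1227023889.424:17489): avc:  denied  { read write } for  pid=4145 comm="virsh" path="socket:[16980714]" dev=sockfs ino=16980714 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1227023889.424:17489): avc:  denied  { read write } for  pid=4145 comm="virsh" path="socket:[16980715]" dev=sockfs ino=16980715 scontext=user_u:system_r:xm_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=udp_socket',
]
# Condor's per-job scratch directory (assumed; matches the paths in the report).
EXECUTE_DIR = "/var/lib/condor/execute/"
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record's key=value fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy rules key on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """Map one denial onto the two causes discussed in the thread."""
    if (rec["tclass"] == "file" and rec["ttype"] == "var_lib_t"
            and rec.get("path", "").startswith(EXECUTE_DIR)):
        # The job's files carry /var/lib's generic label, which confined
        # xm_t may not write: the labelling problem named in the title.
        return "mislabeled-job-file"
    if rec["tclass"].endswith("_socket") and rec["ttype"] == "initrc_t":
        # Socket created by an initrc_t ancestor and inherited across the
        # domain transition into xm_t (Comment 1's concern).
        return "socket-inherited-from-initrc_t"
    return "other"

def triage(lines):
    """Group AVC denials by cause; non-AVC lines such as SYSCALL are skipped."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups.setdefault(classify(rec), []).append(rec)
    return groups
```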
Comment 1 Daniel Walsh 2008-11-18 13:30:21 EST
To get this out the door, we really need to run the fgrid process that is starting jobs in some other context than initrc_t.

If you are running as initrc_t and run a confined application, a transition will happen and bad stuff will happen like we see above.

In Fedora 11 we need to start thinking about how to handle confined domains as condor jobs, so if I am shipping over data that has to be writable to xen or xm, it is labeled appropriately.

What is the daemon that is running xm/xen in this case?
Comment 2 Matthew Farrellee 2008-11-18 16:34:51 EST
The path is condor_master->condor_startd->condor_starter->condor_vm-gahp->shell script->virsh

As per discussion about this I'm going to add the following to the condor package's %post script...

# register a file context for the startd binary
semanage fcontext -a -t unconfined_execmem_exec_t %_sbindir/condor_startd
# relabel the installed binary so the new context takes effect
restorecon %_sbindir/condor_startd
Comment 3 Daniel Walsh 2008-11-18 16:54:14 EST
Created attachment 323968 [details]
This tar ball contains policy to define a type and context for condor.

It will run the condor_startd daemon as an unconfined domain named condor_t.

I have included the commands to make the policy in the prep stage of your package, and the install.sh is the code that would be required in your post install.
Comment 6 errata-xmlrpc 2009-02-04 11:04:03 EST
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0036.html
