Bug 783267 - [RFE] ssh_to_job for VM/Java/Sched/Local universe
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor
Version: 2.1
Hardware: All Linux
Priority: medium
Severity: low
Target Milestone: 2.3
Target Release: ---
Assigned To: Timothy St. Clair
QA Contact: Daniel Horák
Keywords: FutureFeature
Depends On: 807682 807686
Blocks: 877197 882405
Reported: 2012-01-19 15:08 EST by Timothy St. Clair
Modified: 2013-03-06 13:41 EST
Fixed In Version: condor-7.8.2-0.1
Doc Type: Enhancement
Doc Text:
C: The ability to debug a job while it is running on a target machine. C: Could not directly attach a debugger to a running executable. C: Add support to allow users to ssh to the job sandbox directory of the running job. R: Users can now ssh to their jobs to debug them on the target machine.
Last Closed: 2013-03-06 13:41:07 EST
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:0564 | normal | SHIPPED_LIVE | Low: Red Hat Enterprise MRG Grid 2.3 security update | 2013-03-06 18:37:09 EST

Description Timothy St. Clair 2012-01-19 15:08:18 EST
Description of problem:
Validate the behavior of ssh_to_job when running VM/Java/Sched/Local universe jobs.
Comment 8 Timothy St. Clair 2012-03-21 16:15:26 EDT
Correct, please validate vanilla, vm, java, local, and parallel.
Comment 9 Daniel Horák 2012-03-23 11:41:35 EDT
On both versions of RHEL (5.8 and 6.2) with condor-7.6.5-0.12 there is a problem with SELinux. Should it be part of this BZ, or is it a candidate for a new one?
(Problem is on all universes.)

# getenforce 
  Enforcing
# condor_ssh_to_job 14
  ssh_exchange_identification: Connection closed by remote host

# setenforce Permissive
# condor_ssh_to_job 14
  Welcome to HOST!
  Your condor job is running with pid(s) 8523.


RHEL 5.8: 
  selinux-policy-2.4.6-327.el5
RHEL 6.2:
  selinux-policy-3.7.19-126.el6_2.10
Comment 10 Timothy St. Clair 2012-03-23 14:42:42 EDT
Is it at all related to the other ssh key gen bug? We should kick back on this one if there is an issue.
Comment 11 Daniel Horák 2012-03-26 02:59:22 EDT
On RHEL 6.2 i386 - vanilla universe job:

# getenforce 
  Permissive

# START_DATE_TIME=$(date "+%m/%d/%Y %T")

 ... condor_ssh_to_job ...

# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.754:4515): arch=40000003 syscall=102 success=yes exit=0 a0=7 a1=bf880380 a2=4007f7a0 a3=bf88042c items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.754:4515): avc:  denied  { getattr } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.754:4516): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf8804d0 a2=4007f7a0 a3=40080a08 items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.754:4516): avc:  denied  { setopt } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.755:4517): arch=40000003 syscall=102 success=yes exit=0 a0=f a1=bf87f470 a2=4007f7a0 a3=bf87f4e8 items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.755:4517): avc:  denied  { getopt } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.883:4518): arch=40000003 syscall=102 success=yes exit=0 a0=7 a1=bf880250 a2=4007f7a0 a3=bf8802fc items=0 ppid=14089 pid=14336 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.883:4518): avc:  denied  { getattr } for  pid=14336 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.901:4519): arch=40000003 syscall=102 success=yes exit=0 a0=f a1=bf880140 a2=4007f7a0 a3=3 items=0 ppid=14336 pid=14345 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.901:4519): avc:  denied  { getopt } for  pid=14345 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.901:4520): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf880190 a2=4007f7a0 a3=1 items=0 ppid=14336 pid=14345 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=24 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332744619.901:4520): avc:  denied  { setopt } for  pid=14345 comm="sshd" laddr=IP lport=47653 faddr=IP fport=47444 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
Comment 13 Miroslav Grepl 2012-03-28 03:35:08 EDT
$ ps -eZ |grep initrc

We need to add a policy for a process running as initrc_t. I guess this is condor.
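
An added example (not part of the original bug thread or of any project tooling): a short Python parser that collapses AVC records like those in Comment 11 into one entry per source type, target type and class, and flags targets labelled initrc_t, the domain a daemon started from an init script keeps when no policy gives it its own. The sample records are abridged from the ausearch output above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: records abridged from the ausearch output in Comment 11.
SAMPLE = """\
----
time->Mon Mar 26 08:50:19 2012
type=SYSCALL msg=audit(1332744619.754:4515): arch=40000003 syscall=102 success=yes comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1332744619.754:4515): avc:  denied  { getattr } for  pid=14336 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332744619.754:4516): avc:  denied  { setopt } for  pid=14336 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332744619.755:4517): avc:  denied  { getopt } for  pid=14336 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1332744619.883:4518): avc:  denied  { getattr } for  pid=14336 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    # The MLS level can contain ':' itself, so index from the left.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(text):
    """Group denied permissions by (comm, source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, separators and timestamps
        key = (m["comm"], selinux_type(m["scon"]),
               selinux_type(m["tcon"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in groups.items()}


def unlabelled_daemon_targets(summary):
    """Keys whose target type is initrc_t, i.e. a peer with no domain of its own."""
    return sorted(key for key in summary if key[2] == "initrc_t")


if __name__ == "__main__":
    for (comm, src, tgt, tclass), perms in summarize_denials(SAMPLE).items():
        print(f"{comm}: {src} -> {tgt}:{tclass} {{ {' '.join(perms)} }}")
```

All of the denials reduce to a single sshd_t to initrc_t:tcp_socket entry, which points at the process owning the socket rather than at sshd.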
Comment 16 Timothy St. Clair 2012-04-25 09:10:19 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
C: The ability to debug a job while it is running on a target machine.
C: Could not directly attach a debugger to a running executable.
C: Add support to allow users to ssh to the job sandbox directory of the running job.
R: Users can now ssh to their jobs to debug them on the target machine.
Comment 19 Daniel Horák 2013-01-14 03:15:03 EST
Tested and verified via automatic test on RHEL 5.9/6.4 - i386/x86_64 with condor-7.8.8-0.3.el6.
Tested the following universes:
  + vanilla
  + local
  + java
  + parallel

TODO: test VM universe.
Comment 21 Daniel Horák 2013-01-22 10:22:10 EST
Retested on VM universe on RHEL 5/6 x86_64 with KVM and RHEL 5x with XEN with condor-7.8.8-0.3.

>>> VERIFIED
Comment 23 errata-xmlrpc 2013-03-06 13:41:07 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0564.html
