This bug has been copied from bug #835923 and has been proposed to be backported to 6.3 z-stream (EUS).
Fixed in selinux-policy-3.7.19-155.el6_3.3
At least part of the problem is still here - OpenMPI jobs still fail:

# rpm -q condor -q selinux-policy
condor-7.6.5-0.19.el6.i686
selinux-policy-3.7.19-155.el6_3.3.noarch

With SELinux in Enforcing mode, the following AVC error appears on one machine:

# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
----
time->Thu Aug 30 12:00:33 2012
type=SYSCALL msg=audit(1346320833.196:22644): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf81a380 a2=4005d964 a3=41148650 items=0 ppid=30288 pid=30303 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
type=AVC msg=audit(1346320833.196:22644): avc: denied { name_connect } for pid=30303 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket

With SELinux in Permissive mode there is one more AVC message:

# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
----
time->Thu Aug 30 12:05:25 2012
type=SYSCALL msg=audit(1346321125.925:22653): arch=40000003 syscall=39 success=yes exit=0 a0=bfb8046b a1=1c0 a2=4005d964 a3=bfb8046b items=0 ppid=31430 pid=31445 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
type=AVC msg=audit(1346321125.925:22653): avc: denied { create } for pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
type=AVC msg=audit(1346321125.925:22653): avc: denied { add_name } for pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1346321125.925:22653): avc: denied { write } for pid=31445 comm="ssh" name="test" dev=vda2 ino=17065 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Thu Aug 30 12:05:25 2012
type=SYSCALL msg=audit(1346321125.799:22652): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfb7fdf0 a2=4005d964 a3=40c4f650 items=0 ppid=31430 pid=31445 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
type=AVC msg=audit(1346321125.799:22652): avc: denied { name_connect } for pid=31445 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket

>> ASSIGNED
I retested it also with the new version of condor, condor-7.6.5-0.21.el6 (currently not yet in errata for MRG2.2), and there is a change in the AVC messages in Permissive mode (one message is missing):

Enforcing mode:

# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
----
time->Thu Aug 30 12:14:14 2012
type=SYSCALL msg=audit(1346321654.631:22662): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9302e0 a2=4005d964 a3=41d99650 items=0 ppid=1241 pid=1256 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
type=AVC msg=audit(1346321654.631:22662): avc: denied { name_connect } for pid=1256 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket

Permissive mode:

# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
----
time->Thu Aug 30 12:16:19 2012
type=SYSCALL msg=audit(1346321779.675:22664): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd5ee60 a2=4005d964 a3=41620650 items=0 ppid=1877 pid=1892 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
type=AVC msg=audit(1346321779.675:22664): avc: denied { name_connect } for pid=1892 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
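An added example, not part of the bug report: a small Python parser that reduces the AVC records quoted in the two comments above to (source type, target type, class) entries and lists the denials that are logged only in Permissive mode. The function names are made up for this illustration; the sample records are copied from the first comment's ausearch output.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output quoted in this report (SYSCALL lines omitted).
ENFORCING = """\
type=AVC msg=audit(1346320833.196:22644): avc: denied { name_connect } for pid=30303 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
"""
PERMISSIVE = """\
type=AVC msg=audit(1346321125.925:22653): avc: denied { create } for pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
type=AVC msg=audit(1346321125.925:22653): avc: denied { add_name } for pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1346321125.925:22653): avc: denied { write } for pid=31445 comm="ssh" name="test" dev=vda2 ino=17065 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1346321125.799:22652): avc: denied { name_connect } for pid=31445 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    # An SELinux context is user:role:type:level, so the type is the third field.
    source = fields["scontext"].split(":")[2]
    target = fields["tcontext"].split(":")[2]
    return source, target, fields["tclass"], m.group("perms").split()

def summarize(text):
    """Merge denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[rec[:3]].update(rec[3])
    return {key: sorted(perms) for key, perms in merged.items()}

def permissive_only(enforcing_text, permissive_text):
    """Entries denied in the Permissive run that never appear in the Enforcing run."""
    return sorted(set(summarize(permissive_text)) - set(summarize(enforcing_text)))

if __name__ == "__main__":
    for key, perms in summarize(PERMISSIVE).items():
        print(key, perms)
    print("permissive only:", permissive_only(ENFORCING, PERMISSIVE))
```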
Ok, this is a new issue.
Fixed in selinux-policy-3.7.19-155.el6_3.4
Tested via automatic test on RHEL 6.3 i386 and x86_64.

Related packages:
condor-7.6.5-0.22.el6.i686
condor-classads-7.6.5-0.22.el6.i686
condor-debuginfo-7.6.5-0.22.el6.i686
openmpi-1.5.4-1.el6.i686
openmpi-devel-1.5.4-1.el6.i686
python-condorutils-1.5-4.el6.noarch
selinux-policy-3.7.19-155.el6_3.4.noarch
selinux-policy-targeted-3.7.19-155.el6_3.4.noarch

All tests pass and no AVC errors appear.

>> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-1252.html