Bug 852456 - OpenMPI problem with SELinux (Grid - parallel universe)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Daniel Horák
Keywords: ZStream
Depends On: 835923
Blocks: 435010
Reported: 2012-08-28 10:21 EDT by RHEL Product and Program Management
Modified: 2012-09-11 04:11 EDT
Fixed In Version: selinux-policy-3.7.19-155.el6_3.4
Doc Type: Bug Fix
Last Closed: 2012-09-11 04:11:00 EDT
Description RHEL Product and Program Management 2012-08-28 10:21:55 EDT
This bug has been copied from bug #835923 and has been proposed
to be backported to 6.3 z-stream (EUS).
Comment 4 Miroslav Grepl 2012-08-29 03:42:14 EDT
Fixed in selinux-policy-3.7.19-155.el6_3.3
Comment 6 Daniel Horák 2012-08-30 06:07:15 EDT
At least part of the problem is still here - the OpenMPI job still fails:

# rpm -q condor -q selinux-policy
  condor-7.6.5-0.19.el6.i686
  selinux-policy-3.7.19-155.el6_3.3.noarch

With SELinux in Enforcing mode, the following AVC error appears on one machine:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:00:33 2012
  type=SYSCALL msg=audit(1346320833.196:22644): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf81a380 a2=4005d964 a3=41148650 items=0 ppid=30288 pid=30303 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346320833.196:22644): avc:  denied  { name_connect } for  pid=30303 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket

With SELinux in Permissive mode there is one more AVC message:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:05:25 2012
  type=SYSCALL msg=audit(1346321125.925:22653): arch=40000003 syscall=39 success=yes exit=0 a0=bfb8046b a1=1c0 a2=4005d964 a3=bfb8046b items=0 ppid=31430 pid=31445 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321125.925:22653): avc:  denied  { create } for  pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
  type=AVC msg=audit(1346321125.925:22653): avc:  denied  { add_name } for  pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
  type=AVC msg=audit(1346321125.925:22653): avc:  denied  { write } for  pid=31445 comm="ssh" name="test" dev=vda2 ino=17065 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
  ----
  time->Thu Aug 30 12:05:25 2012
  type=SYSCALL msg=audit(1346321125.799:22652): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfb7fdf0 a2=4005d964 a3=40c4f650 items=0 ppid=31430 pid=31445 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321125.799:22652): avc:  denied  { name_connect } for  pid=31445 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
  

>> ASSIGNED
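
Added example, not part of the original bug report: a small Python parser that reduces the AVC records quoted in Comment 6 to (source type, target type, class) and the denied permissions, then lists the denials that only surface in Permissive mode, where the `name_connect` call succeeds and ssh goes on to touch `~/.ssh`. The function names are illustrative; the log lines are the AVC records from Comment 6 with the SYSCALL records omitted.

```python
import re
from collections import defaultdict

# AVC records copied from Comment 6 above (SYSCALL records omitted).
ENFORCING = '''
type=AVC msg=audit(1346320833.196:22644): avc:  denied  { name_connect } for  pid=30303 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
'''
PERMISSIVE = '''
type=AVC msg=audit(1346321125.925:22653): avc:  denied  { create } for  pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
type=AVC msg=audit(1346321125.925:22653): avc:  denied  { add_name } for  pid=31445 comm="ssh" name=".ssh" scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1346321125.925:22653): avc:  denied  { write } for  pid=31445 comm="ssh" name="test" dev=vda2 ino=17065 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1346321125.799:22652): avc:  denied  { name_connect } for  pid=31445 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
            found[key].update(m["perms"].split())
    return dict(found)

def only_in_permissive(enforcing, permissive):
    """Denials that surface only once the first blocked access is let through."""
    seen = denials(enforcing)
    extra = {}
    for key, perms in denials(permissive).items():
        hidden = perms - seen.get(key, set())
        if hidden:
            extra[key] = hidden
    return extra

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(only_in_permissive(ENFORCING, PERMISSIVE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```
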
Comment 7 Daniel Horák 2012-08-30 06:20:26 EDT
I also retested it with the new version of condor, condor-7.6.5-0.21.el6 (currently not yet in the errata for MRG2.2), and there is a change in the AVC messages in Permissive mode (one message is missing):

Enforcing mode:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:14:14 2012
  type=SYSCALL msg=audit(1346321654.631:22662): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9302e0 a2=4005d964 a3=41d99650 items=0 ppid=1241 pid=1256 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321654.631:22662): avc:  denied  { name_connect } for  pid=1256 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket


Permissive mode:
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts ${START_DATE_TIME}
  ----
  time->Thu Aug 30 12:16:19 2012
  type=SYSCALL msg=audit(1346321779.675:22664): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd5ee60 a2=4005d964 a3=41620650 items=0 ppid=1877 pid=1892 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:condor_startd_ssh_t:s0 key=(null)
  type=AVC msg=audit(1346321779.675:22664): avc:  denied  { name_connect } for  pid=1892 comm="ssh" dest=4444 scontext=unconfined_u:system_r:condor_startd_ssh_t:s0 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket
Comment 8 Miroslav Grepl 2012-08-31 09:13:32 EDT
Ok, this is a new issue.
Comment 9 Miroslav Grepl 2012-09-03 02:43:53 EDT
Fixed in selinux-policy-3.7.19-155.el6_3.4
Comment 10 Daniel Horák 2012-09-03 07:29:42 EDT
Tested via automatic test on RHEL 6.3 i386 and x86_64.
Related packages: 
  condor-7.6.5-0.22.el6.i686
  condor-classads-7.6.5-0.22.el6.i686
  condor-debuginfo-7.6.5-0.22.el6.i686
  openmpi-1.5.4-1.el6.i686
  openmpi-devel-1.5.4-1.el6.i686
  python-condorutils-1.5-4.el6.noarch
  selinux-policy-3.7.19-155.el6_3.4.noarch
  selinux-policy-targeted-3.7.19-155.el6_3.4.noarch

All tests pass and no AVC errors appear.

>> VERIFIED
Comment 13 errata-xmlrpc 2012-09-11 04:11:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1252.html
