Created attachment 708895: Fix for Condor AVC messages

Description of problem:
SELinux denies the normal operation of the Condor service

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.11.1-82.fc18.noarch
condor-qmf-7.9.1-0.1.fc18.3.x86_64
condor-7.9.1-0.1.fc18.3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Invoke "systemctl start condor"

Actual results:
The audit log is full of AVC messages related to the condor qmf daemon.

Expected results:
Condor daemon starts successfully.

Additional info:
I have attached a Condor policy addition that fixes the problems
Ok, looks ok except

allow condor_negotiator_t self:capability dac_override;

Could you re-test it with full auditing

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# systemctl restart auditd.service

re-test it and run

# ausearch -m avc -ts recent
Removed the dac_override capability of condor_negotiator_t and it works without any further adjustments. Up to now I haven't got any issues. Here's the new policy:

>>>> CUT HERE <<<<
module mycondor 1.0;

require {
	type condor_negotiator_t;
	type condor_master_t;
	type passwd_file_t;
	type proc_t;
	type condor_collector_t;
	type node_t;
	type condor_master_exec_t;
	type condor_schedd_t;
	class capability dac_override;
	class tcp_socket node_bind;
	class udp_socket node_bind;
	class file { getattr read open execute_no_trans };
	class capability2 block_suspend;
}

#============= condor_collector_t ==============
allow condor_collector_t self:capability dac_override;
allow condor_collector_t self:capability2 block_suspend;

#============= condor_master_t ==============
allow condor_master_t condor_master_exec_t:file execute_no_trans;
allow condor_master_t node_t:tcp_socket node_bind;
allow condor_master_t node_t:udp_socket node_bind;
allow condor_master_t passwd_file_t:file { read getattr open };
allow condor_master_t proc_t:file { read getattr open };
allow condor_master_t self:capability2 block_suspend;

#============= condor_negotiator_t ==============
allow condor_negotiator_t self:capability2 block_suspend;

#============= condor_schedd_t ==============
allow condor_schedd_t self:capability2 block_suspend;
>>>> END OF CUT <<<<
And how about allow condor_collector_t self:capability dac_override;
I will try to remove that one tomorrow also. Note, there are some more AVC messages related to the purging of queues that I will also try investigating. I will post the updated policy afterwards.
This is the result of my multi-day investigation: the dac_override capabilities are needed for normal operation of the condor (removing/purging queues, for example) and while the AVC messages are not generated upon startup, they show during normal operation of the service:

>>>> CUT HERE <<<<
module mycondor2 1.0;

require {
	type condor_master_t;
	type node_t;
	type krb5_conf_t;
	type condor_negotiator_t;
	type condor_master_tmp_t;
	type passwd_file_t;
	type proc_t;
	type condor_collector_t;
	type condor_master_exec_t;
	type condor_schedd_t;
	class capability dac_override;
	class tcp_socket node_bind;
	class file { getattr read open execute_no_trans };
	class capability2 block_suspend;
	class udp_socket node_bind;
	class dir getattr;
}

#============= condor_collector_t ==============
allow condor_collector_t self:capability dac_override;
allow condor_collector_t self:capability2 block_suspend;

#============= condor_master_t ==============
allow condor_master_t condor_master_exec_t:file execute_no_trans;
allow condor_master_t krb5_conf_t:file getattr;
allow condor_master_t node_t:tcp_socket node_bind;
allow condor_master_t node_t:udp_socket node_bind;
allow condor_master_t passwd_file_t:file { read getattr open };
allow condor_master_t proc_t:file { read getattr open };
allow condor_master_t self:capability2 block_suspend;

#============= condor_negotiator_t ==============
allow condor_negotiator_t self:capability dac_override;
allow condor_negotiator_t self:capability2 block_suspend;

#============= condor_schedd_t ==============
allow condor_schedd_t condor_master_tmp_t:dir getattr;
allow condor_schedd_t self:capability2 block_suspend;
>>>> END OF CUT <<<<
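A reviewer-side check for the kind of module posted above, added here as an example and not part of this bug report or the Condor/Fedora policy: it parses the allow rules out of a .te module body and lists every domain granted the dac_override capability, the permission the maintainer asked to be re-tested with full auditing before accepting. SAMPLE_TE is a constructed excerpt of the mycondor2 module above; parse_allow_rules and flag_sensitive are my own names.

```python
import re
from typing import FrozenSet, List, NamedTuple, Tuple

class AllowRule(NamedTuple):
    source: str
    target: str
    obj_class: str
    perms: FrozenSet[str]

# dac_override lets a domain bypass file-mode checks on every file it can
# reach; in a generated module it usually means a mislabelled file, not a need.
SENSITIVE = {("capability", "dac_override")}

# allow <source> <target>:<class> <perm | { perm perm ... }>;
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow_rules(te_text: str) -> List[AllowRule]:
    """Extract the allow rules from a Type Enforcement (.te) module body."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        perm_set = frozenset(perms.strip("{} ").split())
        rules.append(AllowRule(src, tgt, cls, perm_set))
    return rules

def flag_sensitive(rules: List[AllowRule]) -> List[Tuple[str, str, str]]:
    """Return (domain, class, permission) for every sensitive grant."""
    hits = []
    for r in rules:
        for perm in sorted(r.perms):
            if (r.obj_class, perm) in SENSITIVE:
                hits.append((r.source, r.obj_class, perm))
    return hits

# Constructed excerpt of the mycondor2 module posted in the comment above.
SAMPLE_TE = """module mycondor2 1.0;
require { type condor_collector_t; type condor_master_t; type passwd_file_t;
  class capability dac_override; class capability2 block_suspend;
  class file { getattr read open }; }
#============= condor_collector_t ==============
allow condor_collector_t self:capability dac_override;
allow condor_collector_t self:capability2 block_suspend;
#============= condor_master_t ==============
allow condor_master_t passwd_file_t:file { read getattr open };
allow condor_master_t self:capability2 block_suspend;
#============= condor_negotiator_t ==============
allow condor_negotiator_t self:capability dac_override;
"""
if __name__ == "__main__":
    for domain, cls, perm in flag_sensitive(parse_allow_rules(SAMPLE_TE)):
        print(f"review: {domain} is granted {cls} {perm}")
```

Run it against a module before `semodule -i`; a flagged domain is the one to re-test with the /etc/shadow watch rule from the comment above rather than grant blindly.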
Today, selinux stops condor running at the point where it reads /etc/passwd. This causes the gnome unlock screen to become locked until Xorg is killed.
I am adding condor fixes to selinux-policy-3.12.1-25.fc19
I think my comment 6 can be ignored since the lock happened again after I erased condor and disabled selinux. Something locks gnome when switching from alt-f2 to alt-f1 screens but not selinux.
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.