Bug 963305 - SELinux prevents sge_execd from running
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-05-15 11:44 EDT by Orion Poplawski
Modified: 2013-08-06 13:12 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-06 13:12:55 EDT
Type: Bug
Description Orion Poplawski 2013-05-15 11:44:52 EDT
Description of problem:

sge_execd is prevented from running because of:

type=AVC msg=audit(1368632202.579:264): avc:  denied  { name_bind } for  pid=3981 comm="sge_execd" src=6445 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


In permissive mode I also see:

type=AVC msg=audit(1368632408.874:279): avc:  denied  { name_connect } for  pid=4287 comm="sge_execd" dest=6444 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368632410.923:281): avc:  denied  { search } for  pid=4287 comm="sge_execd" name="/" dev="tmpfs" ino=7011 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1368632410.923:281): avc:  denied  { read } for  pid=4287 comm="sge_execd" name="cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:281): avc:  denied  { open } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:282): avc:  denied  { getattr } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632411.203:283): avc:  denied  { kill } for  pid=4302 comm="who" capability=5  scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:system_r:sge_execd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-92.fc18.noarch
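An added example (not code from this bug or from the selinux-policy project) that triages the AVC records quoted above the way audit2allow would: it groups each denial by source domain, target type and object class and renders the allow rules the fix had to cover. For the hits on unreserved_port_t it emits a note instead of a blanket allow, following comment 10's approach of labelling the SGE ports sge_port_t; the embedded AVC lines are the ones quoted in this report.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in this bug report (sge_execd in permissive mode).
AVC_LINES = """\
type=AVC msg=audit(1368632202.579:264): avc:  denied  { name_bind } for  pid=3981 comm="sge_execd" src=6445 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368632408.874:279): avc:  denied  { name_connect } for  pid=4287 comm="sge_execd" dest=6444 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368632410.923:281): avc:  denied  { search } for  pid=4287 comm="sge_execd" name="/" dev="tmpfs" ino=7011 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1368632410.923:281): avc:  denied  { read } for  pid=4287 comm="sge_execd" name="cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:281): avc:  denied  { open } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632410.923:282): avc:  denied  { getattr } for  pid=4287 comm="sge_execd" path="/sys/fs/cgroup/cpuset/cpuset.cpus" dev="cgroup" ino=7041 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1368632411.203:283): avc:  denied  { kill } for  pid=4302 comm="who" capability=5  scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:system_r:sge_execd_t:s0 tclass=capability
"""

# Pull the permission set, source domain, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)
PORT_RE = re.compile(r"\b(?:src|dest)=(\d+)")  # local bind (src) or remote connect (dest) port

def parse_avc(text):
    """Group denials by (source domain, target type, class) -> permissions, as audit2allow
    does, and collect the TCP ports the port denials name."""
    rules = defaultdict(set)
    ports = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record
        key = (m.group("sdom"), m.group("ttype"), m.group("tclass"))
        rules[key].update(m.group("perms").split())
        p = PORT_RE.search(line)
        if p:
            ports.add(int(p.group(1)))
    return dict(rules), ports

def to_allow_rules(rules, ports):
    """Render the grouped denials as Type Enforcement allow rules. A denial against
    unreserved_port_t becomes a note: the tighter fix is to give the ports their own
    type (sge_port_t, per comment 10), not to allow the whole unreserved range."""
    out = []
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        if ttype == "unreserved_port_t":
            plist = ",".join(str(p) for p in sorted(ports))
            out.append(f"# {tclass} ports {plist}: label them with a dedicated port type "
                       f"(sge_port_t) rather than allowing {ttype}")
            continue
        out.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out
```

Run `print("\n".join(to_allow_rules(*parse_avc(AVC_LINES))))` to see the four resulting lines; on a real host the input would come from `ausearch -m AVC` instead of the embedded sample.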
Comment 1 Miroslav Grepl 2013-05-16 07:48:36 EDT
Is 6445/tcp a default port?
Comment 2 Orion Poplawski 2013-05-16 09:17:52 EDT
Yes, from /etc/services:

sge_qmaster     6444/tcp  sge-qmaster   # Grid Engine Qmaster Service
sge_execd       6445/tcp  sge-execd     # Grid Engine Execution Service
Comment 3 Miroslav Grepl 2013-05-16 09:25:14 EDT
Ah, yes. I missed it.
Comment 4 Miroslav Grepl 2013-05-16 09:33:51 EDT
commit 92b34f461695df146f0c216c9e4bea64f3e2d4dd
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu May 16 15:33:33 2013 +0200

    Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files
Comment 5 Orion Poplawski 2013-05-16 12:06:44 EDT
What git repo is that commit for?  I'd like to follow along.
Comment 6 Daniel Walsh 2013-05-16 13:32:29 EDT
git.fedorahosted.org/git/selinux-policy.git
Comment 7 Miroslav Grepl 2013-05-16 15:44:22 EDT
A new F18 build will be done by Friday.
Comment 8 Orion Poplawski 2013-05-16 15:56:26 EDT
(In reply to comment #6)
> git.fedorahosted.org/git/selinux-policy.git

Thanks.  This isn't mentioned in the selinux-policy.spec file.  The Url instead is: http://oss.tresys.com/repos/refpolicy/.  Perhaps that should be updated?
Comment 9 Orion Poplawski 2013-05-16 17:56:00 EDT
I don't really understand SELinux port stuff, but FWIW sge_execd will bind locally to port 6445 and connect remotely to port 6444.  sge_qmaster (and sge_shadowd) will bind locally to port 6444.  It probably connects to the execd sometimes as well.
Comment 10 Miroslav Grepl 2013-05-17 02:54:57 EDT
Ah, I missed

type=AVC msg=audit(1368632408.874:279): avc:  denied  { name_connect } for  pid=4287 comm="sge_execd" dest=6444 scontext=system_u:system_r:sge_execd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

I treat these ports as sge_port_t. The point is sge_* processes run as sge_execd_t.

What does

# ps -eZ |grep sge

show on your system?
Comment 11 Orion Poplawski 2013-05-17 11:11:54 EDT
Okay, I wasn't sure if you had a sge_execd_port_t and sge_master_port_t.

In permissive mode, to allow it to start:
system_u:system_r:sge_execd_t:s0 12648 ?       00:00:00 sge_execd
system_u:system_r:sge_execd_t:s0 12657 ?       00:00:00 cora.sh

cora.sh is my locally defined load monitor script that sge_execd starts.
Comment 12 Miroslav Grepl 2013-05-20 05:33:10 EDT
Ok. Please try to test the latest f18 policy.

# yum update --enablerepo=updates-testing selinux-policy-targeted
Comment 13 Orion Poplawski 2013-05-20 10:58:30 EDT
That works, thanks.
