Bug 984061 - Numerous SELinux issues on Condor
Numerous SELinux issues on Condor
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
: 987056 (view as bug list)
Depends On:
Blocks: 992726
  Show dependency treegraph
 
Reported: 2013-07-12 12:11 EDT by Timothy St. Clair
Modified: 2013-08-21 20:51 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 992726 (view as bug list)
Environment:
Last Closed: 2013-08-21 20:51:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Audit log of failure on startup (59.69 KB, text/plain)
2013-07-22 12:39 EDT, Timothy St. Clair
no flags Details
Error logs when installing condor-8.1.0-0.2 (5.42 KB, text/plain)
2013-07-25 06:54 EDT, Bernard Piette
no flags Details

  None (edit)
Description Timothy St. Clair 2013-07-12 12:11:44 EDT
Description of problem:
F18 SELinux policy is preventing updated package from running.

Version-Release number of selected component (if applicable):
F18 & F19 Latest

How reproducible:
100%

Steps to Reproduce:
1. Download and install latest condor from koji-testing (http://koji.fedoraproject.org/koji/buildinfo?buildID=428879) 
2. systemctl start condor.service
3. warnings/errors depending on you level

Actual results:
Numerous warnings and errors

Expected results:
Starts up
Comment 1 Timothy St. Clair 2013-07-12 12:12:54 EDT
See also: https://bugzilla.redhat.com/show_bug.cgi?id=920543
Comment 2 Miroslav Grepl 2013-07-16 09:25:01 EDT
What AVC are you getting?
Comment 3 Timothy St. Clair 2013-07-22 11:54:03 EDT
*** Bug 987056 has been marked as a duplicate of this bug. ***
Comment 4 Timothy St. Clair 2013-07-22 12:39:16 EDT
Created attachment 776975 [details]
Audit log of failure on startup

Contains the startup log, but I'm guessing there are more, but this is the first batch.
Comment 5 Timothy St. Clair 2013-07-24 12:31:04 EDT
Any traction here?  I would like to push out a condor update to F19, and there have been other bug reports coming in.
Comment 6 Daniel Walsh 2013-07-24 17:27:17 EDT
ce1e00335b8ac8248370ce5fb512b4a8f62f1760 allows this in git.
Comment 7 Bernard Piette 2013-07-25 06:54:22 EDT
Created attachment 778207 [details]
Error logs when installing condor-8.1.0-0.2

Various error logs when trying to install condor-8.1.0-0.2.
Comment 8 Timothy St. Clair 2013-07-25 09:53:54 EDT
Bernard - re: comment #7 

Are your logs captured from an updated policy in comment #6?

---------------------------------------------------------------
Miroslav -

We do this dance every time there is a policy update.  Doesn't it make sense to have a series of "troublesome" packages to eval against prior to updating policy?  I would be happy to write up the process for a very simple smoke test.  Or if you had some type of test-bed I would be happy to try and jig into it.
Comment 9 Bernard Piette 2013-07-25 10:05:40 EDT
(In reply to Timothy St. Clair from comment #8)
> Bernard - re: comment #7 
> 
> Are your logs captured from an updated policy in comment #6?
> 
> ---------------------------------------------------------------
> Miroslav -
> 
> We do this dance every time there is a policy update.  Doesn't it make sense
> to have a series of "troublesome" packages to eval against prior to updating
> policy?  I would be happy to write up the process for a very simple smoke
> test.  Or if you had some type of test-bed I would be happy to try and jig
> into it.

Miroslav,

I am new to Bugzilla. I maintain 200 Fedora PCs running condor, so can test things easily. What does comment 6 mean? What is that updated policy or how do I get it installed?

Bernard
Comment 10 Miroslav Grepl 2013-07-26 05:06:36 EDT
It meas it has been fixed on 

https://git.fedorahosted.org/git/selinux-policy.git

and will be a part of the next selinux-policy F19 build.
Comment 11 Bernard Piette 2013-07-30 11:54:12 EDT
(In reply to Miroslav Grepl from comment #10)
> It meas it has been fixed on 
> 
> https://git.fedorahosted.org/git/selinux-policy.git
> 
> and will be a part of the next selinux-policy F19 build.

I did one more test with the following selinux rpms installed: 

libselinux-devel-2.1.13-15.fc19.x86_64
selinux-policy-doc-3.12.1-66.fc19.noarch
libselinux-2.1.13-15.fc19.x86_64
libselinux-utils-2.1.13-15.fc19.x86_64
libselinux-python-2.1.13-15.fc19.x86_64
selinux-policy-devel-3.12.1-66.fc19.noarch
selinux-policy-3.12.1-66.fc19.noarch
libselinux-2.1.13-15.fc19.i686
selinux-policy-targeted-3.12.1-66.fc19.noarch

# rpm -Uvh condor-8.1.0-0.2.fc19.x86_64.rpm condor-classads-8.1.0-0.2.fc19.x86_64.rpm condor-procd-8.1.0-0.2.fc19.x86_64.rpm

Updating / installing...
   1:condor-procd-8.1.0-0.2.fc19      ################################# [ 33%]
   2:condor-classads-8.1.0-0.2.fc19   ################################# [ 67%]
   3:condor-8.1.0-0.2.fc19            ################################# [100%]
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean condor_domain_can_network_connect
Could not change policy booleans


Then 
# systemctl start condor
# tail /var/log/messages
Jul 30 16:53:01 hopf systemd[1]: Starting Condor Distributed High-Throughput-Computing...
Jul 30 16:53:01 hopf systemd[1]: Started Condor Distributed High-Throughput-Computing.
Jul 30 16:53:01 hopf systemd[1]: condor.service: main process exited, code=exited, status=4/NOPERMISSION
Jul 30 16:53:01 hopf systemd[1]: condor.service: control process exited, code=exited status=1
Jul 30 16:53:01 hopf systemd[1]: Unit condor.service entered failed state.
Jul 30 16:53:01 hopf condor_master[3501]: ERROR "Failed to determine my IP address using NETWORK_INTERFACE=*" at line 232 in file /builddir/build/BUILD/condor-8.1.0/src/condor_utils/my_hostname.cpp
Jul 30 16:53:01 hopf condor_off[3504]: Can't find address for local master
Jul 30 16:53:01 hopf condor_off[3504]: Perhaps you need to query another pool.

Bernard
Comment 12 Fedora Update System 2013-08-02 09:28:10 EDT
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Comment 13 Fedora Update System 2013-08-02 17:54:13 EDT
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19
then log in and leave karma (feedback).
Comment 14 Bernard Piette 2013-08-03 12:12:15 EDT
After installing selinux-policy-3.12.1-69.fc19:

hopf:# rpm -Uvh condor-8.1.0-0.2.fc19.x86_64.rpm condor-classads-8.1.0-0.2.fc19.x86_64.rpm condor_error.txt condor-procd-8.1.0-0.2.fc19.x86_64.rpm

Preparing...                          ################################# [100%]
Updating / installing...
   1:condor-procd-8.1.0-0.2.fc19      ################################# [ 33%]
   2:condor-classads-8.1.0-0.2.fc19   ################################# [ 67%]
   3:condor-8.1.0-0.2.fc19            ################################# [100%]
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean condor_domain_can_network_connect
Could not change policy booleans


SO there still is an selinux problem. with the boolean condor_domain_can_network_connect.

This being said, when I start condor :

hopf:# systemctl start condor

the daemon now start, but not the condor_schedd:

hopf:# ps aux | fgrep condor
condor   23108  0.0  0.0  88672  4368 ?        Ss   17:03   0:00 /usr/sbin/condor_master -f
root     23109  0.0  0.0  23336  3620 ?        S    17:03   0:00 condor_procd -A /var/run/condor/procd_pipe -R 10000000 -S 60 -C 988
condor   23112  0.0  0.0  88600  4380 ?        Ss   17:03   0:00 condor_collector -f
root     23176  0.0  0.0 107960   676 pts/2    S+   17:09   0:00 fgrep --color=auto condor

hopf:# tail -f /var/log/messages
Aug  3 17:03:47 hopf systemd[1]: Starting Condor Distributed High-Throughput-Computing...
Aug  3 17:03:47 hopf systemd[1]: Started Condor Distributed High-Throughput-Computing.

hopf:# condor_q
Error: 

Extra Info: You probably saw this error because the condor_schedd is not 
running on the machine you are trying to query. If the condor_schedd is not 
running, the Condor system will not be able to find an address and port to 
connect to and satisfy this request. Please make sure the Condor daemons are 
running and try again.
 
Extra Info: If the condor_schedd is running on the machine you are trying to 
query and you still see the error, the most likely cause is that you have 
setup a personal Condor, you have not defined SCHEDD_NAME in your 
condor_config file, and something is wrong with your SCHEDD_ADDRESS_FILE 
setting. You must define either or both of those settings in your config 
file, or you must use the -name option to condor_q. Please see the Condor 
manual for details on SCHEDD_NAME and SCHEDD_ADDRESS_FILE. 

So some progress has been made, but there are still problems.

Bernard
Comment 15 Fedora Update System 2013-08-04 18:59:02 EDT
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Miroslav Grepl 2013-08-05 02:03:03 EDT
Fixed in selinux-policy-3.12.1-70.fc19.

The problem is there is no  condor_domain_can_network_connect boolean but condor_tcp_network_connect.
Comment 17 Fedora Update System 2013-08-20 04:24:55 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Comment 18 Fedora Update System 2013-08-20 20:14:06 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2013-08-21 20:51:29 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.