Description of problem:
F18 SELinux policy is preventing updated package from running.

Version-Release number of selected component (if applicable):
F18 & F19 Latest

How reproducible:
100%

Steps to Reproduce:
1. Download and install latest condor from koji-testing (http://koji.fedoraproject.org/koji/buildinfo?buildID=428879)
2. systemctl start condor.service
3. warnings/errors depending on your level

Actual results:
Numerous warnings and errors

Expected results:
Starts up
See also: https://bugzilla.redhat.com/show_bug.cgi?id=920543
What AVC are you getting?
*** Bug 987056 has been marked as a duplicate of this bug. ***
Created attachment 776975
Audit log of failure on startup

Contains the startup log, but I'm guessing there are more, but this is the first batch.
Any traction here? I would like to push out a condor update to F19, and there have been other bug reports coming in.
ce1e00335b8ac8248370ce5fb512b4a8f62f1760 allows this in git.
Created attachment 778207
Error logs when installing condor-8.1.0-0.2

Various error logs when trying to install condor-8.1.0-0.2.
Bernard - re: comment #7

Are your logs captured from an updated policy in comment #6?

---------------------------------------------------------------
Miroslav -

We do this dance every time there is a policy update. Doesn't it make sense to have a series of "troublesome" packages to eval against prior to updating policy? I would be happy to write up the process for a very simple smoke test. Or if you had some type of test-bed I would be happy to try and jig into it.
(In reply to Timothy St. Clair from comment #8)
> Bernard - re: comment #7
>
> Are your logs captured from an updated policy in comment #6?
>
> ---------------------------------------------------------------
> Miroslav -
>
> We do this dance every time there is a policy update. Doesn't it make sense
> to have a series of "troublesome" packages to eval against prior to updating
> policy? I would be happy to write up the process for a very simple smoke
> test. Or if you had some type of test-bed I would be happy to try and jig
> into it.

Miroslav,

I am new to Bugzilla. I maintain 200 Fedora PCs running condor, so can test things easily. What does comment 6 mean? What is that updated policy or how do I get it installed?

Bernard
It means it has been fixed on

https://git.fedorahosted.org/git/selinux-policy.git

and will be a part of the next selinux-policy F19 build.
(In reply to Miroslav Grepl from comment #10)
> It means it has been fixed on
>
> https://git.fedorahosted.org/git/selinux-policy.git
>
> and will be a part of the next selinux-policy F19 build.

I did one more test with the following selinux rpms installed:

libselinux-devel-2.1.13-15.fc19.x86_64
selinux-policy-doc-3.12.1-66.fc19.noarch
libselinux-2.1.13-15.fc19.x86_64
libselinux-utils-2.1.13-15.fc19.x86_64
libselinux-python-2.1.13-15.fc19.x86_64
selinux-policy-devel-3.12.1-66.fc19.noarch
selinux-policy-3.12.1-66.fc19.noarch
libselinux-2.1.13-15.fc19.i686
selinux-policy-targeted-3.12.1-66.fc19.noarch

# rpm -Uvh condor-8.1.0-0.2.fc19.x86_64.rpm condor-classads-8.1.0-0.2.fc19.x86_64.rpm condor-procd-8.1.0-0.2.fc19.x86_64.rpm
Updating / installing...
1:condor-procd-8.1.0-0.2.fc19 ################################# [ 33%]
2:condor-classads-8.1.0-0.2.fc19 ################################# [ 67%]
3:condor-8.1.0-0.2.fc19 ################################# [100%]
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean condor_domain_can_network_connect
Could not change policy booleans

Then

# systemctl start condor
# tail /var/log/messages
Jul 30 16:53:01 hopf systemd[1]: Starting Condor Distributed High-Throughput-Computing...
Jul 30 16:53:01 hopf systemd[1]: Started Condor Distributed High-Throughput-Computing.
Jul 30 16:53:01 hopf systemd[1]: condor.service: main process exited, code=exited, status=4/NOPERMISSION
Jul 30 16:53:01 hopf systemd[1]: condor.service: control process exited, code=exited status=1
Jul 30 16:53:01 hopf systemd[1]: Unit condor.service entered failed state.
Jul 30 16:53:01 hopf condor_master[3501]: ERROR "Failed to determine my IP address using NETWORK_INTERFACE=*" at line 232 in file /builddir/build/BUILD/condor-8.1.0/src/condor_utils/my_hostname.cpp
Jul 30 16:53:01 hopf condor_off[3504]: Can't find address for local master
Jul 30 16:53:01 hopf condor_off[3504]: Perhaps you need to query another pool.

Bernard
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19
then log in and leave karma (feedback).
After installing selinux-policy-3.12.1-69.fc19:

hopf:# rpm -Uvh condor-8.1.0-0.2.fc19.x86_64.rpm condor-classads-8.1.0-0.2.fc19.x86_64.rpm condor_error.txt condor-procd-8.1.0-0.2.fc19.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:condor-procd-8.1.0-0.2.fc19 ################################# [ 33%]
2:condor-classads-8.1.0-0.2.fc19 ################################# [ 67%]
3:condor-8.1.0-0.2.fc19 ################################# [100%]
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean condor_domain_can_network_connect
Could not change policy booleans

So there still is an SELinux problem with the boolean condor_domain_can_network_connect.

This being said, when I start condor:

hopf:# systemctl start condor

the daemon now starts, but not the condor_schedd:

hopf:# ps aux | fgrep condor
condor 23108 0.0 0.0 88672 4368 ? Ss 17:03 0:00 /usr/sbin/condor_master -f
root 23109 0.0 0.0 23336 3620 ? S 17:03 0:00 condor_procd -A /var/run/condor/procd_pipe -R 10000000 -S 60 -C 988
condor 23112 0.0 0.0 88600 4380 ? Ss 17:03 0:00 condor_collector -f
root 23176 0.0 0.0 107960 676 pts/2 S+ 17:09 0:00 fgrep --color=auto condor

hopf:# tail -f /var/log/messages
Aug 3 17:03:47 hopf systemd[1]: Starting Condor Distributed High-Throughput-Computing...
Aug 3 17:03:47 hopf systemd[1]: Started Condor Distributed High-Throughput-Computing.

hopf:# condor_q
Error:

Extra Info: You probably saw this error because the condor_schedd is not running on the machine you are trying to query. If the condor_schedd is not running, the Condor system will not be able to find an address and port to connect to and satisfy this request. Please make sure the Condor daemons are running and try again.

Extra Info: If the condor_schedd is running on the machine you are trying to query and you still see the error, the most likely cause is that you have setup a personal Condor, you have not defined SCHEDD_NAME in your condor_config file, and something is wrong with your SCHEDD_ADDRESS_FILE setting. You must define either or both of those settings in your config file, or you must use the -name option to condor_q. Please see the Condor manual for details on SCHEDD_NAME and SCHEDD_ADDRESS_FILE.

So some progress has been made, but there are still problems.

Bernard
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Fixed in selinux-policy-3.12.1-70.fc19. The problem is there is no condor_domain_can_network_connect boolean but condor_tcp_network_connect.
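Added example, not part of the bug thread and not code from the condor or selinux-policy packages: a guard that checks which boolean name the loaded policy actually defines before calling setsebool, so a name mismatch like the one above is reported explicitly instead of surfacing as a libsemanage error during install. The function names and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output (format: "name --> on|off").
SAMPLE_BOOLEANS='antivirus_can_scan_system --> off
condor_tcp_network_connect --> off
httpd_can_network_connect --> off'

# resolve_boolean LISTING NAME...
# Print the first NAME that the policy listing defines; return 1 if none do.
resolve_boolean() {
    listing=$1
    shift
    for name in "$@"; do
        # Compare the whole first field so a shared prefix does not match.
        if printf '%s\n' "$listing" |
            awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# plan_setsebool LISTING NAME...
# Print the setsebool command for the boolean that exists, or a skip notice.
plan_setsebool() {
    if bool=$(resolve_boolean "$@"); then
        printf 'setsebool -P %s on\n' "$bool"
    else
        printf 'skip: none of the requested booleans exist in the loaded policy\n'
        return 1
    fi
}

# On a live system, pass "$(getsebool -a)" instead of SAMPLE_BOOLEANS.
plan_setsebool "$SAMPLE_BOOLEANS" \
    condor_domain_can_network_connect condor_tcp_network_connect
```

With the sample listing, the name the install tried to set is skipped and condor_tcp_network_connect is selected.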
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.