Re: condor

Complementary information


SELinux is preventing condor_master from getattr access on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that condor_master should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'condor_master' --raw | audit2allow -M my-condormaster
# semodule -X 300 -i my-condormaster.pp

Additional Information:
Source Context                system_u:system_r:condor_master_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        condor_master
Source Path                   condor_master
Port                          <Unknown>
Host                          Teucidide
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.23-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.23-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Teucidide
Platform                      Linux Teucidide 5.15.16-100.fc34.x86_64 #1 SMP Thu
                              Jan 20 16:34:27 UTC 2022 x86_64 x86_64
Alert Count                   22
First Seen                    2022-01-27 08:57:41 CET
Last Seen                     2022-01-27 08:59:52 CET
Local ID                      c3a3b533-2b6a-45a1-845d-03fc0b441ac1

Raw Audit Messages
type=AVC msg=audit(1643270392.39:589): avc:  denied  { getattr } for  pid=9830 comm="condor_master" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0


Hash: condor_master,condor_master_t,cgroup_t,filesystem,getattr


I did
 ausearch -c 'condor_master' --raw | audit2allow -M my-condormaster
semodule -X 300 -i my-condormaster.pp
semodule -i my-condormaster.pp
auditctl -w /etc/shadow -p w

But still

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.


But I still have the issue
and I cannot stop the service

Jan 27 09:11:44 Teucidide htcondor[16962]: Not changing ROOT_MAXKEYS (/proc/sys/kernel/k>
Jan 27 09:11:44 Teucidide htcondor[16965]: Not changing ROOT_MAXKEYS_BYTES (/proc/sys/ke>
Jan 27 09:11:44 Teucidide htcondor[16969]: Changing FS_CACHE_DIRTY_BYTES (/proc/sys/vm/d>
Jan 27 09:11:44 Teucidide htcondor[16972]: Not changing MAX_RECEIVE_BUFFER (/proc/sys/ne>
Jan 27 09:11:45 Teucidide systemd[1]: condor.service: Main process exited, code=exited, >
Jan 27 09:11:45 Teucidide systemd[1]: condor.service: Failed with result 'exit-code'.
Jan 27 09:11:46 Teucidide systemd[1]: Stopped Condor Distributed High-Throughput-Computi>
Jan 27 09:11:46 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar>
Jan 27 09:11:46 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar>
Jan 27 09:13:15 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar


 systemctl status condor.service
○ condor.service - Condor Distributed High-Throughput-Computing
     Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

Jan 27 09:14:24 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:14:34 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:16:22 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
Jan 27 09:16:59 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>

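What `ausearch ... | audit2allow -M` actually derives from the raw AVC record above, as an added illustration that is not part of this thread: parse the record, extract the source and target types, and render the `.te` source of the local module. The only input is the one AVC line from the sealert report, embedded here as a constructed sample; the real audit2allow also handles booleans and dontaudit rules, which this omits.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw AVC record from the sealert report above.
AVC_LINE = (
    'type=AVC msg=audit(1643270392.39:589): avc:  denied  { getattr } for  pid=9830 '
    'comm="condor_master" name="/" dev="cgroup2" ino=1 '
    'scontext=system_u:system_r:condor_master_t:s0 '
    'tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0'
)

_DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into the fields a policy writer needs."""
    m = _DECISION_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    # A context is user:role:type:level; only the type is used in a TE rule.
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "comm": kv.get("comm"),
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "enforcing": kv.get("permissive") == "0",  # 0: the access was really blocked
    }


def _fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(rec):
    """The single TE allow rule that would silence this denial."""
    return f'allow {rec["stype"]} {rec["ttype"]}:{rec["tclass"]} {_fmt(rec["perms"])};'


def te_module(name, recs):
    """Render the .te source that audit2allow -M writes for these records."""
    types, classes = set(), defaultdict(set)
    for r in recs:
        types.update((r["stype"], r["ttype"]))
        classes[r["tclass"]].update(r["perms"])
    req = [f"    type {t};" for t in sorted(types)]
    req += [f"    class {c} {_fmt(p)};" for c, p in sorted(classes.items())]
    rules = sorted({allow_rule(r) for r in recs})
    return f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n" + "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(te_module("my-condormaster", [parse_avc(AVC_LINE)]))
```

The rendered rule grants the whole condor_master_t domain getattr on every cgroup_t filesystem, which is why reading the generated `.te` before `semodule -i` is worth the minute: a denial that a distribution boolean already covers, or one with a PATH record showing a mislabelled file, does not need a custom module at all.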


> Sent: Wednesday, January 26, 2022 at 11:10 AM
> From: "Patrick Dupre" <pdupre@xxxxxxx>
> To: "fedora" <users@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: condor
>
> Hello,
> 
> When I Run
> systemctl start condor.service
> 
> I get:
> *** SECURITY information for homere ***
> homere : Jan 26 09:47:25 : root : problem with defaults entries ; TTY=pts/8
> ; PWD=/root/condor ; USER=root ;
> 
> condor.service - Condor Distributed High-Throughput-Computing
>      Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor p>
>      Active: active (running) since Wed 2022-01-26 11:09:35 CET; 463ms ago
>    Main PID: 959618 (condor_master)
>       Tasks: 2 (limit: 38217)
>      Memory: 1.4M
>         CPU: 13ms
>      CGroup: /system.slice/condor.service
>              └─959618 /usr/sbin/condor_master -f
> 
> condor_status
> Error: communication error
> CEDAR:6001:Failed to connect to <192.168.13.3:9618>
> 
> Any idea?
> 
> ===========================================================================
>  Patrick DUPRÉ                                 | | email: pdupre@xxxxxxx
>  Laboratoire interdisciplinaire Carnot de Bourgogne
>  9 Avenue Alain Savary, BP 47870, 21078 DIJON Cedex FRANCE
>  Tel: +33 (0)380395988                    | | Room# D114A
> ===========================================================================
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
