Re: condor


 



New behavior,

fcontext -a -t condor_log_t '/etc/sysctl.d'
restorecon -v '/etc/sysctl.d'
ausearch -c 'linux_kernel_tu' --raw | audit2allow -M my-linuxkerneltu
semodule -i my-linuxkerneltu.pp


systemctl status condor.service
systemctl status condor.service
● condor.service - Condor Distributed High-Throughput-Computing
     Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-01-27 09:38:12 CET; 1s ago
   Main PID: 36110
      Tasks: 2 (limit: 9328)
     Memory: 2.7M
        CPU: 147ms
     CGroup: /system.slice/condor.service


But I have a window

"New SELinux security alert
AVC denial, click to view"
blinking permanently

with

● condor.service - Condor Distributed High-Throughput-Computing
     Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2022-01-27 09:39:42 CET; 1s ago
    Process: 39282 ExecStart=/usr/sbin/condor_master -f (code=exited, status=4)
   Main PID: 39282 (code=exited, status=4)
        CPU: 153ms

I have to run
systemctl stop condor.service

○ condor.service - Condor Distributed High-Throughput-Computing
     Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

Jan 27 09:40:19 Teucidide htcondor[40638]: Not changing ROOT_MAXKEYS_BYTES (/proc/sys/kernel/keys/root_maxbyte>
Jan 27 09:40:19 Teucidide htcondor[40642]: Changing FS_CACHE_DIRTY_BYTES (/proc/sys/vm/dirty_bytes) from 10000>
Jan 27 09:40:19 Teucidide htcondor[40645]: Not changing MAX_RECEIVE_BUFFER (/proc/sys/net/core/rmem_max): new >
Jan 27 09:40:20 Teucidide systemd[1]: condor.service: Main process exited, code=exited, status=4/NOPERMISSION
Jan 27 09:40:20 Teucidide systemd[1]: condor.service: Failed with result 'exit-code'.
Jan 27 09:40:24 Teucidide systemd[1]: Stopped Condor Distributed High-Throughput-Computing.


After a while, the blinking may stop




> Complementary information
> 
> 
> SELinux is preventing condor_master from getattr access on the filesystem /sys/fs/cgroup.
> 
> *****  Plugin catchall (100. confidence) suggests   **************************
> 
> If you believe that condor_master should be allowed getattr access on the cgroup filesystem by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'condor_master' --raw | audit2allow -M my-condormaster
> # semodule -X 300 -i my-condormaster.pp
> 
> Additional Information:
> Source Context                system_u:system_r:condor_master_t:s0
> Target Context                system_u:object_r:cgroup_t:s0
> Target Objects                /sys/fs/cgroup [ filesystem ]
> Source                        condor_master
> Source Path                   condor_master
> Port                          <Unknown>
> Host                          Teucidide
> Source RPM Packages           
> Target RPM Packages           
> SELinux Policy RPM            selinux-policy-targeted-34.23-1.fc34.noarch
> Local Policy RPM              selinux-policy-targeted-34.23-1.fc34.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     Teucidide
> Platform                      Linux Teucidide 5.15.16-100.fc34.x86_64 #1 SMP Thu
>                               Jan 20 16:34:27 UTC 2022 x86_64 x86_64
> Alert Count                   22
> First Seen                    2022-01-27 08:57:41 CET
> Last Seen                     2022-01-27 08:59:52 CET
> Local ID                      c3a3b533-2b6a-45a1-845d-03fc0b441ac1
> 
> Raw Audit Messages
> type=AVC msg=audit(1643270392.39:589): avc:  denied  { getattr } for  pid=9830 comm="condor_master" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
> 
> 
> Hash: condor_master,condor_master_t,cgroup_t,filesystem,getattr
> 
> 
> I did
>  ausearch -c 'condor_master' --raw | audit2allow -M my-condormaster
> semodule -X 300 -i my-condormaster.pp
> semodule -i my-condormaster.pp
> auditctl -w /etc/shadow -p w
> 
> But still
> 
> Turn on full auditing
> # auditctl -w /etc/shadow -p w
> Try to recreate AVC. Then execute
> # ausearch -m avc -ts recent
> If you see PATH record check ownership/permissions on file, and fix it,
> otherwise report as a bugzilla.
> 
> 
> But I still have the issue
> and I cannot stop the service
> 
> Jan 27 09:11:44 Teucidide htcondor[16962]: Not changing ROOT_MAXKEYS (/proc/sys/kernel/k>
> Jan 27 09:11:44 Teucidide htcondor[16965]: Not changing ROOT_MAXKEYS_BYTES (/proc/sys/ke>
> Jan 27 09:11:44 Teucidide htcondor[16969]: Changing FS_CACHE_DIRTY_BYTES (/proc/sys/vm/d>
> Jan 27 09:11:44 Teucidide htcondor[16972]: Not changing MAX_RECEIVE_BUFFER (/proc/sys/ne>
> Jan 27 09:11:45 Teucidide systemd[1]: condor.service: Main process exited, code=exited, >
> Jan 27 09:11:45 Teucidide systemd[1]: condor.service: Failed with result 'exit-code'.
> Jan 27 09:11:46 Teucidide systemd[1]: Stopped Condor Distributed High-Throughput-Computi>
> Jan 27 09:11:46 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar>
> Jan 27 09:11:46 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar>
> Jan 27 09:13:15 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar
> 
> 
>  systemctl status condor.service
> ○ condor.service - Condor Distributed High-Throughput-Computing
>      Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
>      Active: inactive (dead)
> 
> Jan 27 09:14:24 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:14:34 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:22 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:59 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> 
> 
> 
> > Sent: Wednesday, January 26, 2022 at 11:10 AM
> > From: "Patrick Dupre" <pdupre@xxxxxxx>
> > To: "fedora" <users@xxxxxxxxxxxxxxxxxxxxxxx>
> > Subject: condor
> >
> > Hello,
> > 
> > When I Run
> > systemctl start condor.service
> > 
> > I get:
> > *** SECURITY information for homere ***
> > homere : Jan 26 09:47:25 : root : problem with defaults entries ; TTY=pts/8
> > ; PWD=/root/condor ; USER=root ;
> > 
> > condor.service - Condor Distributed High-Throughput-Computing
> >      Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor p>
> >      Active: active (running) since Wed 2022-01-26 11:09:35 CET; 463ms ago
> >    Main PID: 959618 (condor_master)
> >       Tasks: 2 (limit: 38217)
> >      Memory: 1.4M
> >         CPU: 13ms
> >      CGroup: /system.slice/condor.service
> >              └─959618 /usr/sbin/condor_master -f
> > 
> > condor_status
> > Error: communication error
> > CEDAR:6001:Failed to connect to <192.168.13.3:9618>
> > 
> > Any idea?
> > 
> > ===========================================================================
> >  Patrick DUPRÉ                                 | | email: pdupre@xxxxxxx
> >  Laboratoire interdisciplinaire Carnot de Bourgogne
> >  9 Avenue Alain Savary, BP 47870, 21078 DIJON Cedex FRANCE
> >  Tel: +33 (0)380395988                    | | Room# D114A
> > ===========================================================================
> > _______________________________________________
> > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> >
>


