New behavior,

fcontext -a -t condor_log_t '/etc/sysctl.d'
restorecon -v '/etc/sysctl.d'
ausearch -c 'linux_kernel_tu' --raw | audit2allow -M my-linuxkerneltu
semodule -i my-linuxkerneltu.pp
systemctl status condor.service

systemctl status condor.service
● condor.service - Condor Distributed High-Throughput-Computing
     Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-01-27 09:38:12 CET; 1s ago
   Main PID: 36110
      Tasks: 2 (limit: 9328)
     Memory: 2.7M
        CPU: 147ms
     CGroup: /system.slice/condor.service

But I have a window "New SELinux security alert AVC denial, click to view" blinking permanently
with

● condor.service - Condor Distributed High-Throughput-Computing
     Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2022-01-27 09:39:42 CET; 1s ago
    Process: 39282 ExecStart=/usr/sbin/condor_master -f (code=exited, status=4)
   Main PID: 39282 (code=exited, status=4)
        CPU: 153ms

I have to run
systemctl stop condor.service

○ condor.service - Condor Distributed High-Throughput-Computing
     Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

Jan 27 09:40:19 Teucidide htcondor[40638]: Not changing ROOT_MAXKEYS_BYTES (/proc/sys/kernel/keys/root_maxbyte>
Jan 27 09:40:19 Teucidide htcondor[40642]: Changing FS_CACHE_DIRTY_BYTES (/proc/sys/vm/dirty_bytes) from 10000>
Jan 27 09:40:19 Teucidide htcondor[40645]: Not changing MAX_RECEIVE_BUFFER (/proc/sys/net/core/rmem_max): new >
Jan 27 09:40:20 Teucidide systemd[1]: condor.service: Main process exited, code=exited, status=4/NOPERMISSION
Jan 27 09:40:20 Teucidide systemd[1]: condor.service: Failed with result 'exit-code'.
Jan 27 09:40:24 Teucidide systemd[1]: Stopped Condor Distributed High-Throughput-Computing.

After a while, the blinking may stop

> Complementary information
>
>
> SELinux is preventing condor_master from getattr access on the filesystem /sys/fs/cgroup.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that condor_master should be allowed getattr access on the cgroup filesystem by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'condor_master' --raw | audit2allow -M my-condormaster
> # semodule -X 300 -i my-condormaster.pp
>
> Additional Information:
> Source Context                system_u:system_r:condor_master_t:s0
> Target Context                system_u:object_r:cgroup_t:s0
> Target Objects                /sys/fs/cgroup [ filesystem ]
> Source                        condor_master
> Source Path                   condor_master
> Port                          <Unknown>
> Host                          Teucidide
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-targeted-34.23-1.fc34.noarch
> Local Policy RPM              selinux-policy-targeted-34.23-1.fc34.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     Teucidide
> Platform                      Linux Teucidide 5.15.16-100.fc34.x86_64 #1 SMP Thu
>                               Jan 20 16:34:27 UTC 2022 x86_64 x86_64
> Alert Count                   22
> First Seen                    2022-01-27 08:57:41 CET
> Last Seen                     2022-01-27 08:59:52 CET
> Local ID                      c3a3b533-2b6a-45a1-845d-03fc0b441ac1
>
> Raw Audit Messages
> type=AVC msg=audit(1643270392.39:589): avc: denied { getattr } for pid=9830 comm="condor_master" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
>
>
> Hash: condor_master,condor_master_t,cgroup_t,filesystem,getattr
>
>
> I did
> ausearch -c 'condor_master' --raw | audit2allow -M my-condormaster
> semodule -X 300 -i my-condormaster.pp
> semodule -i my-condormaster.pp
> auditctl -w /etc/shadow -p w
>
> But still
>
> Turn on full auditing
> # auditctl -w /etc/shadow -p w
> Try to recreate AVC. Then execute
> # ausearch -m avc -ts recent
> If you see PATH record check ownership/permissions on file, and fix it,
> otherwise report as a bugzilla.
>
>
> But I still have the issue
> and I cannot stop the service
>
> Jan 27 09:11:44 Teucidide htcondor[16962]: Not changing ROOT_MAXKEYS (/proc/sys/kernel/k>
> Jan 27 09:11:44 Teucidide htcondor[16965]: Not changing ROOT_MAXKEYS_BYTES (/proc/sys/ke>
> Jan 27 09:11:44 Teucidide htcondor[16969]: Changing FS_CACHE_DIRTY_BYTES (/proc/sys/vm/d>
> Jan 27 09:11:44 Teucidide htcondor[16972]: Not changing MAX_RECEIVE_BUFFER (/proc/sys/ne>
> Jan 27 09:11:45 Teucidide systemd[1]: condor.service: Main process exited, code=exited, >
> Jan 27 09:11:45 Teucidide systemd[1]: condor.service: Failed with result 'exit-code'.
> Jan 27 09:11:46 Teucidide systemd[1]: Stopped Condor Distributed High-Throughput-Computi>
> Jan 27 09:11:46 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar>
> Jan 27 09:11:46 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar>
> Jan 27 09:13:15 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standar
>
>
> systemctl status condor.service
> ○ condor.service - Condor Distributed High-Throughput-Computing
>      Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor preset: disabled)
>      Active: inactive (dead)
>
> Jan 27 09:14:24 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:14:34 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:15:00 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:11 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:22 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
> Jan 27 09:16:59 Teucidide systemd[1]: /usr/lib/systemd/system/condor.service:14: Standard output type syslog i>
>
>
>
> > Sent: Wednesday, January 26, 2022 at 11:10 AM
> > From: "Patrick Dupre" <pdupre@xxxxxxx>
> > To: "fedora" <users@xxxxxxxxxxxxxxxxxxxxxxx>
> > Subject: condor
> >
> > Hello,
> >
> > When I Run
> > systemctl start condor.service
> >
> > I get:
> > *** SECURITY information for homere ***
> > homere : Jan 26 09:47:25 : root : problem with defaults entries ; TTY=pts/8
> > ; PWD=/root/condor ; USER=root ;
> >
> > condor.service - Condor Distributed High-Throughput-Computing
> >      Loaded: loaded (/usr/lib/systemd/system/condor.service; disabled; vendor p>
> >      Active: active (running) since Wed 2022-01-26 11:09:35 CET; 463ms ago
> >    Main PID: 959618 (condor_master)
> >       Tasks: 2 (limit: 38217)
> >      Memory: 1.4M
> >         CPU: 13ms
> >      CGroup: /system.slice/condor.service
> >              └─959618 /usr/sbin/condor_master -f
> >
> > condor_status
> > Error: communication error
> > CEDAR:6001:Failed to connect to <192.168.13.3:9618>
> >
> > Any idea?
> >
> > ===========================================================================
> > Patrick DUPRÉ | | email: pdupre@xxxxxxx
> > Laboratoire interdisciplinaire Carnot de Bourgogne
> > 9 Avenue Alain Savary, BP 47870, 21078 DIJON Cedex FRANCE
> > Tel: +33 (0)380395988 | | Room# D114A
> > ===========================================================================
> > _______________________________________________
> > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
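
Added example, not part of the original message or of any SELinux tool: a small parser that turns raw AVC denials like the one quoted above into the allow rules a local policy module would grant, with a hit count per rule, so the access can be reviewed before a module is loaded. The sample input is constructed from the record in the message; the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample input. Record 1 is the AVC quoted in the message; record 2
# is a constructed repeat (different pid/serial) standing in for the repeated
# alerts; record 3 is a constructed non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1643270392.39:589): avc: denied { getattr } for pid=9830 comm="condor_master" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1643270402.11:601): avc: denied { getattr } for pid=9911 comm="condor_master" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1643270402.11:601): arch=c000003e syscall=137 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one raw audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
    }


def summarize(audit_text):
    """Return [(allow_rule, hit_count)] for every distinct denial in the text."""
    hits = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                hits[f"allow {rec['source']} {rec['target']}:{rec['tclass']} {perm};"] += 1
    return sorted(hits.items())


if __name__ == "__main__":
    for rule, count in summarize(SAMPLE_AUDIT):
        print(f"{count:3d}x  {rule}")
```

The rules it prints can be compared with the .te file that audit2allow -M writes next to the .pp module.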