On 08/13/2012 11:51 AM, Tim St Clair wrote:
> Folks -
>
> I'm the package maintainer for condor, and we've been trying to update our
> package and have run into a slew of SELinux issues under Fedora 17 that
> we've never seen before and I was hoping some folks could help illuminate
> what some of the changes might have been, or if there is a list of
> known issues.
>
> There are ~34 errors which spew out now, when in previous editions there
> were 0. I think they all stem from the 1st two though, any insight would be
> helpful.
>
> -------------------------------------------------------------------------------------------
>
> SELinux is preventing /usr/sbin/condor_master from create access on the directory condor.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that condor_master should be allowed create access on the
> condor directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep condor_master /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                system_u:system_r:condor_master_t:s0
> Target Context                system_u:object_r:var_lock_t:s0
> Target Objects                condor [ dir ]
> Source                        condor_master
> Source Path                   /usr/sbin/condor_master
> Port                          <Unknown>
> Host                          tstclair.redhat
> Source RPM Packages           condor-7.9.1-0.1.fc17.2.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.10.0-142.fc17.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     tstclair.redhat
> Platform                      Linux tstclair.redhat 3.5.0-2.fc17.x86_64 #1 SMP Mon Jul 30 14:48:59 UTC 2012 x86_64 x86_64
> Alert Count                   1
> First Seen                    Fri 10 Aug 2012 12:24:56 PM CDT
> Last Seen                     Fri 10 Aug 2012 12:24:56 PM CDT
> Local ID                      4551e46a-0828-4bb3-8c03-bd6dfe62ce8f
>
> Raw Audit Messages
> type=AVC msg=audit(1344619496.816:576): avc: denied { create } for pid=8190 comm="condor_master" name="condor" scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1344619496.816:576): arch=x86_64 syscall=mkdir success=yes exit=0 a0=1a7b200 a1=1ff a2=ffffffffffffffff a3=7fffbd04d6b0 items=0 ppid=1 pid=8190 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=condor_master exe=/usr/sbin/condor_master subj=system_u:system_r:condor_master_t:s0 key=(null)
>
> Hash: condor_master,condor_master_t,var_lock_t,dir,create
>
> audit2allow
>
> #============= condor_master_t ==============
> allow condor_master_t var_lock_t:dir create;
>
> audit2allow -R
>
> #============= condor_master_t ==============
> allow condor_master_t var_lock_t:dir create;
>
> -------------------------------------------------------------------------------------------
>
> Everything under that folder is created as condor:condor and the
> condor_master is running as condor, so I'm curious what the issue is?
>
> Cheers,
> Tim
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

restorecon -R -v /var/lock/condor

This directory got created with the wrong label.
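
As an added example (not part of the original thread and not code from any SELinux tool): a small Python parser for the AVC record quoted above that rebuilds the rule audit2allow printed and flags denials whose target type is a generic one, the case where the relabel in the reply applies. The GENERIC_TYPES list and the triage labels are assumptions made for this illustration.

```python
import re

# Constructed sample: the AVC record quoted in the message, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1344619496.816:576): avc: denied { create } for pid=8190 '
    'comm="condor_master" name="condor" '
    'scontext=system_u:system_r:condor_master_t:s0 '
    'tcontext=system_u:object_r:var_lock_t:s0 tclass=dir'
)

# Assumption for this example: a short, illustrative list of generic base types.
# A denial against one of these often points at a mislabeled object, not missing policy.
GENERIC_TYPES = {"var_lock_t", "var_run_t", "var_lib_t", "var_log_t", "var_t", "tmp_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the fields in one AVC denial, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rule(rec):
    """Format the denial as the allow rule audit2allow would print."""
    perms = rec["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_s};"

def triage(rec):
    """Suggest checking the file label before touching policy for generic types."""
    if rec["ttype"] in GENERIC_TYPES:
        return "check-label"    # inspect with `restorecon -n -v <path>` first
    return "review-policy"

if __name__ == "__main__":
    r = parse_avc(SAMPLE_AVC)
    print(allow_rule(r), "->", triage(r))
```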