Re: upss.. reason="memory violation" sig=11 => segfault htcondor

[lejeczek <peljasz@xxxxxxxxxxx>]

On 23/05/17 13:50, Gary Tierney wrote:
> CC'ing to list.  Replied directly to sender by accident.
>
> On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
> > Try running `semodule -DB`.  Looks like something might be dontaudited.  After
> > running that command reproduce your error and check the audit log using Lukas'
> > ausearch command.
> >
> > On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
> > > On 23/05/17 12:07, Lukas Vrabec wrote:
> > > > On 05/23/2017 12:56 PM, lejeczek wrote:
> > > > > hi fellas
> > > > >
> > > > > I don't want to disable se, I cannot find booleans, there is no
> > > > > domain
> > > > > for htcondor I think.
> > > > > How do I let my htcondor through?
> > > > > with se:
> > > > >
> > > > > condor_submit[29217]: segfault at 0 ip           (null) sp
> > > > > 00007ffd7dfa61c8
> > > > >
> > > > > type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
> > > > > gid=513 ses=63
> > > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
> > > > > comm="condor_submit" reason="memory violation" sig=11
> > > > >
> > > > > disable se and works.
> > > > >
> > > > > many thanks.
> > > > > L.
> > > > > _______________________________________________
> > > > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > To unsubscribe send an email to
> > > > > selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > > Hi,
> > > >
> > > > Could you reproduce the scenario and then attach output of:
> > > > # ausearch -m AVC,USER_AVC -ts recent
> > > >
> > > >
> > > > Thanks,
> > > > Lukas.
> > > hi,
> > > ausearch as above finds nothing, with only "recent" all the grep condor
> > > finds is that one line.
> > > Should I include a few more lines before that condor one?
> > > _______________________________________________
> > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > --
> > Gary Tierney
> >
> > GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
there appears to be something not audited(might be more)

module condor 1.0;

require {
    type user_tmp_t;
    type condor_schedd_t;
    class dir getattr;
}

#============= condor_schedd_t ==============
allow condor_schedd_t user_tmp_t:dir getattr;


but I see there is also condor module packaged in with 
default targeted.
How do I expand on the default module, including what I find 
with dontaudit?


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx