Re: upss.. reason="memory violation" sig=11 => segfault htcondor

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05/23/2017 05:09 PM, lejeczek wrote:


On 23/05/17 13:50, Gary Tierney wrote:
CC'ing to list.  Replied directly to sender by accident.

On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
Try running `semodule -DB`.  Looks like something might be
dontaudited.  After
running that command reproduce your error and check the audit log
using Lukas'
ausearch command.

On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:

On 23/05/17 12:07, Lukas Vrabec wrote:
On 05/23/2017 12:56 PM, lejeczek wrote:
hi fellas

I don't want to disable se, I cannot find booleans, there is no
domain
for htcondor I think.
How do I let my htcondor through?
with se:

condor_submit[29217]: segfault at 0 ip           (null) sp
00007ffd7dfa61c8

type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
gid=513 ses=63
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
comm="condor_submit" reason="memory violation" sig=11

disable se and works.

many thanks.
L.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to
selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Could you reproduce the scenario and then attach output of:
# ausearch -m AVC,USER_AVC -ts recent


Thanks,
Lukas.

hi,
ausearch as above finds nothing, with only "recent" all the grep condor
finds is that one line.
Should I include a few more lines before that condor one?
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8

from html docs (would be great to have it condor_* man in default not
only in devel) I see this(which makes segfault not occur):

semanage permissive -a condor_schedd_t

but would this be best practice?


If you would like to have just one SELinux domain in permissive mode and all others in enforcing mode, then yes this is best practice.

Thanks,
Lukas.

__________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx


--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux