Re: upss.. reason="memory violation" sig=11 => segfault htcondor

[Lukas Vrabec <lvrabec@xxxxxxxxxx>]

On 05/23/2017 05:09 PM, lejeczek wrote:
> On 23/05/17 13:50, Gary Tierney wrote:
> > CC'ing to list.  Replied directly to sender by accident.
> >
> > On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
> > > Try running `semodule -DB`.  Looks like something might be
> > > dontaudited.  After
> > > running that command reproduce your error and check the audit log
> > > using Lukas'
> > > ausearch command.
> > >
> > > On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
> > > > On 23/05/17 12:07, Lukas Vrabec wrote:
> > > > > On 05/23/2017 12:56 PM, lejeczek wrote:
> > > > > > hi fellas
> > > > > >
> > > > > > I don't want to disable se, I cannot find booleans, there is no
> > > > > > domain
> > > > > > for htcondor I think.
> > > > > > How do I let my htcondor through?
> > > > > > with se:
> > > > > >
> > > > > > condor_submit[29217]: segfault at 0 ip           (null) sp
> > > > > > 00007ffd7dfa61c8
> > > > > >
> > > > > > type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
> > > > > > gid=513 ses=63
> > > > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
> > > > > > comm="condor_submit" reason="memory violation" sig=11
> > > > > >
> > > > > > disable se and works.
> > > > > >
> > > > > > many thanks.
> > > > > > L.
> > > > > > _______________________________________________
> > > > > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > > To unsubscribe send an email to
> > > > > > selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > Hi,
> > > > >
> > > > > Could you reproduce the scenario and then attach output of:
> > > > > # ausearch -m AVC,USER_AVC -ts recent
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Lukas.
> > > > hi,
> > > > ausearch as above finds nothing, with only "recent" all the grep condor
> > > > finds is that one line.
> > > > Should I include a few more lines before that condor one?
> > > > _______________________________________________
> > > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > --
> > > Gary Tierney
> > >
> > > GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
> > > https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
> from html docs (would be great to have it condor_* man in default not
> only in devel) I see this(which makes segfault not occur):
>
> semanage permissive -a condor_schedd_t
>
> but would this be best practice?

If you would like to have just one SELinux domain in permissive mode and 
all others in enforcing mode, then yes this is best practice.

Thanks,
Lukas.

__________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx


--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx