I noticed that processes spawned via HTCondor are not visible to normal users of a system. The daemon that spawns the processes does so with the type condor_startd_t, and all children of those daemons inherit that type as well (visible with 'ps -efZ'). My understanding of SELinux is very basic, and I'm sure I'm doing this wrong, so can someone help me with a policy here? My goal is to allow users of a machine to see if there are Condor processes running without having to guess based on the system load.

What I have:

    $ cat user_condor_startd.te
    # Automatically generated by puppet, do not modify manually
    policy_module(user_condor_startd, 1.0)

    gen_require(`
        type user_t;
        type condor_startd_t;
        class file { ioctl read getattr lock open };
        class dir { ioctl read getattr lock search open };
        class lnk_file { read getattr };
    ')

    allow user_t condor_startd_t:file { ioctl read getattr lock open };
    allow user_t condor_startd_t:dir { ioctl read getattr lock search open };
    allow user_t condor_startd_t:lnk_file { read getattr };

While this does appear to display the processes in the output of 'ps', the label is wrong:

    $ ps -efZ | egrep '(^LABEL|condor)'
    LABEL                     UID    PID   PPID  C STIME TTY      TIME     CMD
    -                         condor 6760  6754  0 Apr13 ?        00:04:44 condor_startd -f
    user_u:user_r:user_t:s0   condor 22297 22295 0 13:18 ?        00:00:00 sshd: condor@pts/1
    user_u:user_r:user_t:s0   condor 22298 22297 0 13:18 pts/1    00:00:00 -bash
    user_u:user_r:user_t:s0   condor 22373 22298 0 13:26 pts/1    00:00:00 ps -efZ
    user_u:user_r:user_t:s0   condor 22374 22298 0 13:26 pts/1    00:00:00 egrep (^LABEL|condor)

And I'm also not sure if this is A) the right way to do it, or 2) allowing more access to things than is necessary.
I tried to base it off what user_t can see of type proc_t (according to 'sesearch -A -s user_t -t proc_t'), which in turn I guessed based on what I could see as a user with 'ls -lZ /proc/'.

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  | ICBM Address: 40.346344 -74.652242
  345 Lewis Library     |"On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
  (267) 793-0852        | headlong into mystery." -Rush, 'Cygnus X-1'