CC'ing to list. Replied directly to sender by accident.
On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
> Try running `semodule -DB`. Looks like something might be dontaudited. After
> running that command reproduce your error and check the audit log using Lukas'
> ausearch command.
>
> On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
>>
>> On 23/05/17 12:07, Lukas Vrabec wrote:
>>> On 05/23/2017 12:56 PM, lejeczek wrote:
>>>> hi fellas
>>>>
>>>> I don't want to disable se, I cannot find booleans, there is no
>>>> domain
>>>> for htcondor I think.
>>>> How do I let my htcondor through?
>>>> with se:
>>>>
>>>> condor_submit[29217]: segfault at 0 ip (null) sp 00007ffd7dfa61c8
>>>>
>>>> type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177 gid=513 ses=63 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532 comm="condor_submit" reason="memory violation" sig=11
>>>>
>>>> disable se and works.
>>>>
>>>> many thanks.
>>>> L.
>>>> _______________________________________________
>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>> To unsubscribe send an email to
>>>> selinux-leave(a)lists.fedoraproject.org
>>> Hi,
>>>
>>> Could you reproduce the scenario and then attach output of:
>>> # ausearch -m AVC,USER_AVC -ts recent
>>>
>>>
>>> Thanks,
>>> Lukas.
>>>
>> hi,
>> ausearch as above finds nothing, with only "recent" all the grep condor
>> finds is that one line.
>> Should I include a few more lines before that condor one?
> --
> Gary Tierney
>
> GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
>
> https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
There appears to be something not audited (might be more):
module condor 1.0;

require {
    type user_tmp_t;
    type condor_schedd_t;
    class dir getattr;
}

#============= condor_schedd_t ==============
allow condor_schedd_t user_tmp_t:dir getattr;
But I see there is also a condor module packaged in with the default targeted policy.
How do I expand on the default module, including what I find with dontaudit?
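The workflow Gary and Lukas describe (semodule -DB, reproduce, ausearch, then a local module installed next to the packaged condor policy), written out as an added example. This is not code from the thread or from the condor or SELinux projects: the function names are made up for the illustration, and the two sample AVC lines are constructed to look like ausearch output (the type names only mirror what the poster pasted; pid, path, dev and ino values are placeholders). The translation from AVC records to "allow" rules is a small stand-in for what audit2allow does; on a real host you would normally pipe ausearch straight into audit2allow -M instead. Installing a separately named module leaves the distribution's condor module in place and only adds the missing rules on top of it.

```shell
#!/bin/sh
# Added example, not code from the thread: build a local policy module from the
# AVC denials that appear once `semodule -DB` has switched dontaudit rules off.

# Constructed sample audit records in the shape ausearch prints (placeholders).
SAMPLE_AVC='type=AVC msg=audit(1495536871.977:1484): avc:  denied  { getattr } for  pid=1532 comm="condor_schedd" path="/tmp/placeholder" dev="dm-0" ino=1 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0'
SAMPLE_AVC2='type=AVC msg=audit(1495536872.001:1485): avc:  denied  { read write } for  pid=1532 comm="condor_schedd" path="/tmp/placeholder" dev="dm-0" ino=2 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# avc_to_allow: read audit output on stdin, print one TE allow rule per distinct
# denial: "allow <source type> <target type>:<class> { <perms> };"
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\(.*[^ ]\) *} *for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1 };/p' \
    | sort -u
}

# avc_to_te: read audit output on stdin, emit a complete .te module named $1 in
# the same "module / require / allow" layout the poster pasted. Fails if the
# input carried no denials, so an empty module is never written.
avc_to_te() {
    _mod=$1
    _rules=$(avc_to_allow)
    if [ -z "$_rules" ]; then
        echo "avc_to_te: no AVC denials on input" >&2
        return 1
    fi
    printf 'module %s 1.0;\n\nrequire {\n' "$_mod"
    # every source and target type the rules mention
    printf '%s\n' "$_rules" \
    | awk '{ print $2; split($3, t, ":"); print t[1] }' \
    | sort -u \
    | awk '{ printf "\ttype %s;\n", $0 }'
    # every class with the union of the permissions requested on it
    printf '%s\n' "$_rules" \
    | awk '{ split($3, t, ":"); p = $0; sub(/^[^{]*\{ */, "", p); sub(/ *\}.*$/, "", p)
             n = split(p, a, " "); for (i = 1; i <= n; i++) print t[2], a[i] }' \
    | sort -u \
    | awk '{ perms[$1] = perms[$1] == "" ? $2 : perms[$1] " " $2 }
           END { for (c in perms) printf "\tclass %s { %s };\n", c, perms[c] }' \
    | sort
    printf '}\n\n%s\n' "$_rules"
}

# apply_workflow: the privileged steps from the thread, for a root shell on the
# affected host. Usage: sh this_script.sh --apply condor_submit job.sub
apply_workflow() {
    semodule -DB                                   # expose dontaudited denials
    "$@" || true                                   # reproduce the failing command
    ausearch -m AVC,USER_AVC -ts recent | avc_to_te condor_local > condor_local.te
    checkmodule -M -m -o condor_local.mod condor_local.te
    semodule_package -o condor_local.pp -m condor_local.mod
    semodule -i condor_local.pp                    # installed beside the packaged condor module
    semodule -B                                    # rebuild with dontaudit rules back in force
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_workflow "$@"
fi
```

Without --apply the script only defines the functions, so it can be sourced and tried against saved ausearch output before anything is loaded into the kernel. Review the generated .te before installing it: a rule audit2allow or this script derives from a denial grants exactly what the denied program asked for, which is not always what it should be allowed to do.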