7:50 a.m.
CC'ing to list. Replied directly to sender by accident.
On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
Try running `semodule -DB`. Looks like something might be
dontaudited. After
running that command reproduce your error and check the audit log using Lukas'
ausearch command.
On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
>
>
> On 23/05/17 12:07, Lukas Vrabec wrote:
> > On 05/23/2017 12:56 PM, lejeczek wrote:
> > > hi fellas
> > >
> > > I don't want to disable se, I cannot find booleans, there is no
> > > domain
> > > for htcondor I think.
> > > How do I let my htcondor through?
> > > with se:
> > >
> > > condor_submit[29217]: segfault at 0 ip (null) sp
> > > 00007ffd7dfa61c8
> > >
> > > type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
> > > gid=513 ses=63
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
> > > comm="condor_submit" reason="memory violation" sig=11
> > >
> > > disable se and works.
> > >
> > > many thanks.
> > > L.
> > > _______________________________________________
> > > selinux mailing list -- selinux(a)lists.fedoraproject.org
> > > To unsubscribe send an email to
> > > selinux-leave(a)lists.fedoraproject.org
> >
> > Hi,
> >
> > Could you reproduce the scenario and then attach output of:
> > # ausearch -m AVC,USER_AVC -ts recent
> >
> >
> > Thanks,
> > Lukas.
> >
> hi,
> ausearch as above finds nothing, with only "recent" all the grep condor
> finds is that one line.
> Should I include a few more lines before that condor one?
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
10:01 a.m.
New subject: upss.. reason="memory violation" sig=11 => segfault htcondor
On 23/05/17 13:50, Gary Tierney wrote:
CC'ing to list. Replied directly to sender by accident.
On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
> Try running `semodule -DB`. Looks like something might be dontaudited. After
> running that command reproduce your error and check the audit log using Lukas'
> ausearch command.
>
> On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
>>
>> On 23/05/17 12:07, Lukas Vrabec wrote:
>>> On 05/23/2017 12:56 PM, lejeczek wrote:
>>>> hi fellas
>>>>
>>>> I don't want to disable se, I cannot find booleans, there is no
>>>> domain
>>>> for htcondor I think.
>>>> How do I let my htcondor through?
>>>> with se:
>>>>
>>>> condor_submit[29217]: segfault at 0 ip (null) sp
>>>> 00007ffd7dfa61c8
>>>>
>>>> type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
>>>> gid=513 ses=63
>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
>>>> comm="condor_submit" reason="memory violation"
sig=11
>>>>
>>>> disable se and works.
>>>>
>>>> many thanks.
>>>> L.
>>>> _______________________________________________
>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>> To unsubscribe send an email to
>>>> selinux-leave(a)lists.fedoraproject.org
>>> Hi,
>>>
>>> Could you reproduce the scenario and then attach output of:
>>> # ausearch -m AVC,USER_AVC -ts recent
>>>
>>>
>>> Thanks,
>>> Lukas.
>>>
>> hi,
>> ausearch as above finds nothing, with only "recent" all the grep
condor
>> finds is that one line.
>> Should I include a few more lines before that condor one?
>> _______________________________________________
>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> --
> Gary Tierney
>
> GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
> https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
there appears to be something not audited(might be more)
module condor 1.0;
require {
type user_tmp_t;
type condor_schedd_t;
class dir getattr;
}
#============= condor_schedd_t ==============
allow condor_schedd_t user_tmp_t:dir getattr;
but I see there is also condor module packaged in with
default targeted.
How do I expand on the default module, including what I find
with dontaudit?
10:09 a.m.
New subject: upss.. reason="memory violation" sig=11 => segfault htcondor
On 23/05/17 13:50, Gary Tierney wrote:
CC'ing to list. Replied directly to sender by accident.
On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
> Try running `semodule -DB`. Looks like something might be dontaudited. After
> running that command reproduce your error and check the audit log using Lukas'
> ausearch command.
>
> On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
>>
>> On 23/05/17 12:07, Lukas Vrabec wrote:
>>> On 05/23/2017 12:56 PM, lejeczek wrote:
>>>> hi fellas
>>>>
>>>> I don't want to disable se, I cannot find booleans, there is no
>>>> domain
>>>> for htcondor I think.
>>>> How do I let my htcondor through?
>>>> with se:
>>>>
>>>> condor_submit[29217]: segfault at 0 ip (null) sp
>>>> 00007ffd7dfa61c8
>>>>
>>>> type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
>>>> gid=513 ses=63
>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
>>>> comm="condor_submit" reason="memory violation"
sig=11
>>>>
>>>> disable se and works.
>>>>
>>>> many thanks.
>>>> L.
>>>> _______________________________________________
>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>> To unsubscribe send an email to
>>>> selinux-leave(a)lists.fedoraproject.org
>>> Hi,
>>>
>>> Could you reproduce the scenario and then attach output of:
>>> # ausearch -m AVC,USER_AVC -ts recent
>>>
>>>
>>> Thanks,
>>> Lukas.
>>>
>> hi,
>> ausearch as above finds nothing, with only "recent" all the grep
condor
>> finds is that one line.
>> Should I include a few more lines before that condor one?
>> _______________________________________________
>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> --
> Gary Tierney
>
> GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
> https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
from html docs (would be great to have it condor_* man in
default not only in devel) I see this(which makes segfault
not occur):
semanage permissive -a condor_schedd_t
but would this be best practice?
7:42 a.m.
New subject: upss.. reason="memory violation" sig=11 => segfault htcondor
On 05/23/2017 05:09 PM, lejeczek wrote:
On 23/05/17 13:50, Gary Tierney wrote:
> CC'ing to list. Replied directly to sender by accident.
>
> On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
>> Try running `semodule -DB`. Looks like something might be
>> dontaudited. After
>> running that command reproduce your error and check the audit log
>> using Lukas'
>> ausearch command.
>>
>> On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
>>>
>>> On 23/05/17 12:07, Lukas Vrabec wrote:
>>>> On 05/23/2017 12:56 PM, lejeczek wrote:
>>>>> hi fellas
>>>>>
>>>>> I don't want to disable se, I cannot find booleans, there is no
>>>>> domain
>>>>> for htcondor I think.
>>>>> How do I let my htcondor through?
>>>>> with se:
>>>>>
>>>>> condor_submit[29217]: segfault at 0 ip (null) sp
>>>>> 00007ffd7dfa61c8
>>>>>
>>>>> type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177
>>>>> gid=513 ses=63
>>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532
>>>>> comm="condor_submit" reason="memory violation"
sig=11
>>>>>
>>>>> disable se and works.
>>>>>
>>>>> many thanks.
>>>>> L.
>>>>> _______________________________________________
>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>>>> To unsubscribe send an email to
>>>>> selinux-leave(a)lists.fedoraproject.org
>>>> Hi,
>>>>
>>>> Could you reproduce the scenario and then attach output of:
>>>> # ausearch -m AVC,USER_AVC -ts recent
>>>>
>>>>
>>>> Thanks,
>>>> Lukas.
>>>>
>>> hi,
>>> ausearch as above finds nothing, with only "recent" all the grep
condor
>>> finds is that one line.
>>> Should I include a few more lines before that condor one?
>>> _______________________________________________
>>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>> --
>> Gary Tierney
>>
>> GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
>
from html docs (would be great to have it condor_* man in default not
only in devel) I see this(which makes segfault not occur):
semanage permissive -a condor_schedd_t
but would this be best practice?
If you would like to have just one SELinux domain in permissive mode and
all others in enforcing mode, then yes this is best practice.
Thanks,
Lukas.
__________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
2529
days inactive
2530
days old
selinux@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Gary Tierney -
lejeczek -
Lukas Vrabec