CC'ing to list. Replied directly to sender by accident.
On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
Try running `semodule -DB`. Looks like something might be dontaudited. After running that command reproduce your error and check the audit log using Lukas' ausearch command.
On Tue, May 23, 2017 at 12:54:43PM +0100, lejeczek wrote:
On 23/05/17 12:07, Lukas Vrabec wrote:
On 05/23/2017 12:56 PM, lejeczek wrote:
Hi fellas,
I don't want to disable SE, I cannot find booleans, there is no domain for htcondor I think. How do I let my htcondor through? With SE:
condor_submit[29217]: segfault at 0 ip (null) sp 00007ffd7dfa61c8
type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177 gid=513 ses=63 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532 comm="condor_submit" reason="memory violation" sig=11
Disable SE and it works.
Many thanks. L.
Hi,
Could you reproduce the scenario and then attach output of: # ausearch -m AVC,USER_AVC -ts recent
Thanks, Lukas.
Hi, ausearch as above finds nothing; with only "recent", all that grep condor finds is that one line. Should I include a few more lines before that condor one?
-- Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8 https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
On 23/05/17 13:50, Gary Tierney wrote:
CC'ing to list. Replied directly to sender by accident.
On Tue, May 23, 2017 at 01:45:12PM +0100, Gary Tierney wrote:
Try running `semodule -DB`. Looks like something might be dontaudited. After running that command reproduce your error and check the audit log using Lukas' ausearch command.
There appears to be something not audited (might be more):
module condor 1.0;

require {
	type user_tmp_t;
	type condor_schedd_t;
	class dir getattr;
}

#============= condor_schedd_t ==============
allow condor_schedd_t user_tmp_t:dir getattr;
But I see there is also a condor module packaged in with the default targeted policy. How do I expand on the default module, including what I find with dontaudit?
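The step the thread is working through, turning AVC denials that only surface after `semodule -DB` into a local module, as an added example that is not code from the thread or from audit2allow: it parses constructed audit records (the ANOM_ABEND line is the one quoted above, the two AVC records are made up) and renders the same module layout audit2allow produced, under a module name that does not clash with the packaged condor module.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -m AVC,USER_AVC -ts recent` output after
# `semodule -DB`: the ANOM_ABEND record is the one quoted in the thread, the
# two AVC records are made up here and mirror the rule audit2allow produced.
SAMPLE_AUDIT = """\
type=ANOM_ABEND msg=audit(1495536871.977:1484): auid=2501 uid=1177 gid=513 ses=63 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1532 comm="condor_submit" reason="memory violation" sig=11
type=AVC msg=audit(1495536871.900:1480): avc:  denied  { getattr } for  pid=1530 comm="condor_schedd" path="/tmp" dev="dm-0" ino=2 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1495536871.901:1481): avc:  denied  { search } for  pid=1530 comm="condor_schedd" name="tmp" dev="dm-0" ino=2 scontext=system_u:system_r:condor_schedd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
"""

# Pull the permission set, source type, target type and object class out of an AVC.
AVC_RE = re.compile(r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\}.*?'
                    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ '
                    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')

def parse_avcs(audit_text):
    """Collapse denials into {(source_type, target_type, class): set(perms)}.
    Records without an access vector (e.g. ANOM_ABEND) are skipped."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def fmt_perms(perms):
    """Single permission bare, several in braces, as in policy source."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(name, rules, version="1.0"):
    """Emit module source in audit2allow's layout. Use a name distinct from the
    packaged 'condor' module so `semodule -i` adds to it instead of replacing it."""
    types = sorted({ty for s, t, _ in rules for ty in (s, t)})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {ty};" for ty in types]
    out += [f"\tclass {cls} {fmt_perms(class_perms[cls])};" for cls in sorted(class_perms)]
    out += ["}", ""]
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        out += [f"allow {s} {t}:{cls} {fmt_perms(p)};"
                for (s, t, cls), p in sorted(rules.items()) if s == stype]
    return "\n".join(out) + "\n"
```

Write `render_te("condor_local", parse_avcs(SAMPLE_AUDIT))` to condor_local.te, then build and load it with `checkmodule -M -m -o condor_local.mod condor_local.te`, `semodule_package -o condor_local.pp -m condor_local.mod` and `semodule -i condor_local.pp`. Finish with `semodule -B` so the dontaudit rules are active again.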
On 23/05/17 13:50, Gary Tierney wrote:
From the HTML docs (it would be great to have the condor_* man pages in the default package, not only in devel) I see this (which makes the segfault not occur):
semanage permissive -a condor_schedd_t
but would this be best practice?
On 05/23/2017 05:09 PM, lejeczek wrote:
From the HTML docs (it would be great to have the condor_* man pages in the default package, not only in devel) I see this (which makes the segfault not occur):
semanage permissive -a condor_schedd_t
but would this be best practice?
If you would like to have just one SELinux domain in permissive mode and all others in enforcing mode, then yes this is best practice.
Thanks, Lukas.
__________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org