Has there been some policy change on F17?

Daniel J Walsh dwalsh at redhat.com
Mon Aug 13 17:13:27 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/13/2012 11:51 AM, Tim St Clair wrote:
> Folks -
> 
> I'm the package maintainer for condor, and we've been trying to update our
> package and have run into a slew of SELinux issues under fedora 17 that
> we've never seen before and I was hoping some folks could help illuminate
> what some of the changes might have been, or if there is a list of
> known issues.
> 
> There are ~34 errors which spew out now, when previous editions there were
> 0.  I think they all stem from the 1st two though, any insight would be
> helpful.
> 
> -------------------------------------------------------------------------------------------
> 
> SELinux is preventing /usr/sbin/condor_master from create access on the
> directory condor.
> 
> *****  Plugin catchall (100. confidence) suggests  ***************************
> 
> If you believe that condor_master should be allowed create access on the
> condor directory by default. Then you should report this as a bug. You can
> generate a local policy module to allow this access. Do allow this access
> for now by executing:
> # grep condor_master /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:condor_master_t:s0
> Target Context                system_u:object_r:var_lock_t:s0
> Target Objects                condor [ dir ]
> Source                        condor_master
> Source Path                   /usr/sbin/condor_master
> Port                          <Unknown>
> Host                          tstclair.redhat
> Source RPM Packages           condor-7.9.1-0.1.fc17.2.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.10.0-142.fc17.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     tstclair.redhat
> Platform                      Linux tstclair.redhat 3.5.0-2.fc17.x86_64 #1 SMP Mon Jul 30 14:48:59 UTC 2012 x86_64 x86_64
> Alert Count                   1
> First Seen                    Fri 10 Aug 2012 12:24:56 PM CDT
> Last Seen                     Fri 10 Aug 2012 12:24:56 PM CDT
> Local ID                      4551e46a-0828-4bb3-8c03-bd6dfe62ce8f
> 
> Raw Audit Messages
> type=AVC msg=audit(1344619496.816:576): avc:  denied  { create } for  pid=8190 comm="condor_master" name="condor" scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> 
> type=SYSCALL msg=audit(1344619496.816:576): arch=x86_64 syscall=mkdir success=yes exit=0 a0=1a7b200 a1=1ff a2=ffffffffffffffff a3=7fffbd04d6b0 items=0 ppid=1 pid=8190 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=condor_master exe=/usr/sbin/condor_master subj=system_u:system_r:condor_master_t:s0 key=(null)
> 
> Hash: condor_master,condor_master_t,var_lock_t,dir,create
> 
> audit2allow
> 
> #============= condor_master_t ==============
> allow condor_master_t var_lock_t:dir create;
> 
> audit2allow -R
> 
> #============= condor_master_t ==============
> allow condor_master_t var_lock_t:dir create;
> 
> -------------------------------------------------------------------------------------------
>
>  Everything under that folder is created as condor:condor and the
> condor_master is running as condor, so I'm curious what the issue is?
> 
> Cheers, Tim
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

restorecon -R -v /var/lock/condor

This directory got created with the wrong label.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlApNbcACgkQrlYvE4MpobPhFQCeLGd4z3Gqtn8sZPAfDKvaUTA2
XHIAnjJj1OolKH/s4GuFimkD+kQoWMya
=nKY3
-----END PGP SIGNATURE-----
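The denial above illustrates a common triage mistake: the audit2allow rule in Tim's report would grant condor_master_t rights on the generic var_lock_t type, when the real cause (as Dan's reply shows) was a directory created with the wrong label. The following script, added here as an example and not part of the mailing-list thread, parses AVC records the way audit2allow aggregates them and separately flags denials whose target is a generic type, so a maintainer can check labels with restorecon before writing policy. The audit lines are constructed from the denial quoted on the page plus one made-up follow-on denial; GENERIC_TYPES is an assumed, illustrative list, and the hash format is the one shown in the report (comm, source type, target type, class, permission).

```python
"""Triage SELinux AVC denials: build audit2allow-style rules and flag
likely mislabelled targets. Added example, not code from the thread."""

import re
from collections import defaultdict

# Constructed sample log: the AVC and SYSCALL records quoted on the page,
# plus a second, made-up denial against the same directory.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1344619496.816:576): avc:  denied  { create } for  pid=8190 comm="condor_master" name="condor" scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1344619496.816:576): arch=x86_64 syscall=mkdir success=yes exit=0 pid=8190 comm=condor_master exe=/usr/sbin/condor_master
type=AVC msg=audit(1344619497.001:577): avc:  denied  { write add_name } for  pid=8190 comm="condor_master" name="condor" scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

# Generic file types under /var, /tmp, /etc that a confined service should
# rarely be touching directly; a denial against one of these usually means
# the path lost its service-specific label. Assumed, illustrative list.
GENERIC_TYPES = {"var_lock_t", "var_run_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type:level -> type (third field of a security context)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": m.group("comm"),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def denial_hashes(d):
    """One setroubleshoot-style key per denied permission, in the format
    shown in the report: comm,stype,ttype,tclass,perm."""
    return [",".join([d["comm"], d["stype"], d["ttype"], d["tclass"], p]) for p in d["perms"]]


def allow_rules(log_text):
    """Aggregate denials into audit2allow-style rules keyed by (stype, ttype, tclass)."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            perms_by_key[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        joined = " ".join(sorted(perms))
        perm_spec = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_spec};")
    return rules


def mislabel_suspects(log_text):
    """Unique (comm, stype, ttype, tclass) tuples whose target type is generic.
    These deserve a label check (restorecon -nv PATH) before any policy change."""
    seen = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["ttype"] in GENERIC_TYPES:
            key = (d["comm"], d["stype"], d["ttype"], d["tclass"])
            if key not in seen:
                seen.append(key)
    return seen


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print("audit2allow would emit:", rule)
    for comm, stype, ttype, tclass in mislabel_suspects(SAMPLE_AUDIT_LOG):
        print(f"check labels: {comm} ({stype}) denied on generic {ttype}:{tclass}; "
              f"run 'restorecon -R -v' on the affected path before allowing")
```

Running it against a real /var/log/audit/audit.log shows the same aggregation audit2allow performs, but the second report is the useful one: when the target type is a generic parent-directory type such as var_lock_t, the fix is usually relabelling the path, exactly as Dan's restorecon answer does, rather than loading a module that permanently widens the service's reach.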

