
Tim St Clair 08-13-2012 03:51 PM

Has there been some policy change on F17?
 
Folks -

I'm the package maintainer for condor, and we've been trying to update our package and have run into a slew of SELinux issues under fedora 17 that we've never seen before and I was hoping some folks could help illuminate what some of the changes might have been, or if there is a list of known issues.

There are ~34 errors which spew out now, whereas in previous editions there were 0. I think they all stem from the first two though; any insight would be helpful.

-------------------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/condor_master from create access on the directory condor.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that condor_master should be allowed create access on the condor directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep condor_master /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:condor_master_t:s0
Target Context system_u:object_r:var_lock_t:s0
Target Objects condor [ dir ]
Source condor_master
Source Path /usr/sbin/condor_master
Port <Unknown>
Host tstclair.redhat
Source RPM Packages condor-7.9.1-0.1.fc17.2.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-142.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name tstclair.redhat
Platform Linux tstclair.redhat 3.5.0-2.fc17.x86_64 #1 SMP Mon Jul 30 14:48:59 UTC 2012 x86_64 x86_64
Alert Count 1
First Seen Fri 10 Aug 2012 12:24:56 PM CDT
Last Seen Fri 10 Aug 2012 12:24:56 PM CDT
Local ID 4551e46a-0828-4bb3-8c03-bd6dfe62ce8f

Raw Audit Messages
type=AVC msg=audit(1344619496.816:576): avc: denied { create } for pid=8190 comm="condor_master" name="condor" scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir


type=SYSCALL msg=audit(1344619496.816:576): arch=x86_64 syscall=mkdir success=yes exit=0 a0=1a7b200 a1=1ff a2=ffffffffffffffff a3=7fffbd04d6b0 items=0 ppid=1 pid=8190 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=condor_master exe=/usr/sbin/condor_master subj=system_u:system_r:condor_master_t:s0 key=(null)

Hash: condor_master,condor_master_t,var_lock_t,dir,create

audit2allow

#============= condor_master_t ==============
allow condor_master_t var_lock_t:dir create;

audit2allow -R

#============= condor_master_t ==============
allow condor_master_t var_lock_t:dir create;

-------------------------------------------------------------------------------------------

Everything under that folder is created as condor:condor and the condor_master is running as condor, so I'm curious what the issue is?

Cheers,
Tim

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 08-13-2012 05:13 PM

Has there been some policy change on F17?
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/13/2012 11:51 AM, Tim St Clair wrote:
> Folks -
>
> I'm the package maintainer for condor, and we've been trying to update our
> package and have run into a slew of SELinux issues under fedora 17 that
> we've never seen before and I was hoping some folks could help illuminate
> what some of the changes might have been, or if there is a list of
> known issues.
>
> There are ~34 errors which spew out now, whereas in previous editions there were
> 0. I think they all stem from the first two though; any insight would be
> helpful.
>
> -------------------------------------------------------------------------------------------
>
>
> SELinux is preventing /usr/sbin/condor_master from create access on the
> directory condor.
>
> ***** Plugin catchall (100. confidence) suggests
> ***************************
>
> If you believe that condor_master should be allowed create access on the
> condor directory by default. Then you should report this as a bug. You can
> generate a local policy module to allow this access. Do allow this access
> for now by executing: # grep condor_master /var/log/audit/audit.log |
> audit2allow -M mypol # semodule -i mypol.pp
>
> Additional Information: Source Context
> system_u:system_r:condor_master_t:s0 Target Context
> system_u:object_r:var_lock_t:s0 Target Objects condor [ dir
> ] Source condor_master Source Path
> /usr/sbin/condor_master Port <Unknown> Host
> tstclair.redhat Source RPM Packages
> condor-7.9.1-0.1.fc17.2.x86_64 Target RPM Packages Policy RPM
> selinux-policy-3.10.0-142.fc17.noarch Selinux Enabled True
> Policy Type targeted Enforcing Mode
> Enforcing Host Name tstclair.redhat Platform
> Linux tstclair.redhat 3.5.0-2.fc17.x86_64 #1 SMP Mon Jul 30 14:48:59 UTC
> 2012 x86_64 x86_64 Alert Count 1 First Seen
> Fri 10 Aug 2012 12:24:56 PM CDT Last Seen Fri 10 Aug
> 2012 12:24:56 PM CDT Local ID
> 4551e46a-0828-4bb3-8c03-bd6dfe62ce8f
>
> Raw Audit Messages type=AVC msg=audit(1344619496.816:576): avc: denied {
> create } for pid=8190 comm="condor_master" name="condor"
> scontext=system_u:system_r:condor_master_t:s0
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
>
>
> type=SYSCALL msg=audit(1344619496.816:576): arch=x86_64 syscall=mkdir
> success=yes exit=0 a0=1a7b200 a1=1ff a2=ffffffffffffffff a3=7fffbd04d6b0
> items=0 ppid=1 pid=8190 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=condor_master
> exe=/usr/sbin/condor_master subj=system_u:system_r:condor_master_t:s0
> key=(null)
>
> Hash: condor_master,condor_master_t,var_lock_t,dir,create
>
> audit2allow
>
> #============= condor_master_t ============== allow condor_master_t
> var_lock_t:dir create;
>
> audit2allow -R
>
> #============= condor_master_t ============== allow condor_master_t
> var_lock_t:dir create;
>
> -------------------------------------------------------------------------------------------
>
> Everything under that folder is created as condor:condor and the
> condor_master is running as condor, so I'm curious what the issue is?
>
> Cheers, Tim
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

restorecon -R -v /var/lock/condor

This directory got created with the wrong label.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlApNbcACgkQrlYvE4MpobPhFQCeLGd4z3Gqtn8sZPAfDKvaUTA2
XHIAnjJj1OolKH/s4GuFimkD+kQoWMya
=nKY3
-----END PGP SIGNATURE-----
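The point of Dan's one-line answer is that the catchall plugin's suggestion (`audit2allow` plus `semodule -i`) is the wrong first move here: a confined daemon being denied on a directory labelled with the generic `var_lock_t` type usually means the object is mislabelled, not that policy is missing. The script below is an added example, not code from the thread or from the condor or selinux-policy projects. It parses raw AVC records of the kind Tim posted (the sample log is constructed from his two records plus one made-up denial against a made-up type, `example_conf_t`), reconstructs the rule `audit2allow` would emit, and sorts each denial into "relabel first" or "look at policy". The list of generic location types and the relabel-first rule are this example's own assumptions, not part of any SELinux tool.

```python
"""Triage SELinux AVC denials: parse raw audit records and decide whether the
first step is relabeling or a policy change.

Added example, not code from the mailing-list thread. The set of generic
location types and the relabel-first rule are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log: the AVC and SYSCALL records from the thread, plus one
# made-up denial against a made-up private type (example_conf_t is not real).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1344619496.816:576): avc: denied { create } for pid=8190 comm="condor_master" name="condor" scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1344619496.816:576): arch=x86_64 syscall=mkdir success=yes exit=0 a0=1a7b200 a1=1ff a2=ffffffffffffffff a3=7fffbd04d6b0 items=0 ppid=1 pid=8190 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=condor_master exe=/usr/sbin/condor_master subj=system_u:system_r:condor_master_t:s0 key=(null)
type=AVC msg=audit(1344619600.100:577): avc: denied { read open } for pid=8191 comm="condor_master" name="condor_config" scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Base-policy types for shared locations (assumed list). A confined daemon
# working under its own subdirectory should be hitting its private type there;
# a denial against one of these usually means the object carries the wrong label.
GENERIC_LOCATION_TYPES = {"var_lock_t", "var_run_t", "var_lib_t", "var_log_t", "var_t"}


@dataclass(frozen=True)
class AvcDenial:
    serial: int
    timestamp: float
    perms: Tuple[str, ...]
    comm: str
    name: Optional[str]
    source_type: str
    target_type: str
    tclass: str

    def allow_rule(self) -> str:
        """The rule audit2allow would emit: one permission bare, several braced."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:range] context string."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit record; returns None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        serial=int(m.group("serial")),
        timestamp=float(m.group("ts")),
        perms=tuple(m.group("perms").split()),
        comm=fields["comm"],
        name=fields.get("name"),
        source_type=context_type(fields["scontext"]),
        target_type=context_type(fields["tcontext"]),
        tclass=fields["tclass"],
    )


def triage(d: AvcDenial) -> Tuple[str, str]:
    """Return (verdict, next step); labels are checked before policy is widened."""
    if d.target_type in GENERIC_LOCATION_TYPES:
        return ("relabel",
                f"object {d.name!r} is labelled {d.target_type}; compare `ls -Z` with "
                f"`matchpathcon <path>` and run `restorecon -R -v <path>` before any policy change")
    return ("policy",
            f"label is specific; review `{d.allow_rule()}` (what audit2allow would generate) "
            f"or report a policy bug rather than loading it blindly")


def triage_log(text: str) -> List[Tuple[AvcDenial, str, str]]:
    """Parse a whole log and triage every AVC denial in it."""
    results = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            verdict, step = triage(d)
            results.append((d, verdict, step))
    return results


if __name__ == "__main__":
    for d, verdict, step in triage_log(SAMPLE_AUDIT_LOG):
        print(f"[{d.serial}] {d.comm} ({d.source_type}) {' '.join(d.perms)} on "
              f"{d.tclass} {d.name!r} ({d.target_type}) -> {verdict}: {step}")
```

On a real host the input would come from `ausearch -m avc` or `/var/log/audit/audit.log` rather than the embedded sample. For Tim's record the verdict is "relabel", which is exactly Dan's `restorecon -R -v /var/lock/condor`; only denials that survive a relabel are worth turning into a policy module or a bug report.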

