Re: [HTCondor-users] selinux denial

[Tim Theisen <tim@xxxxxxxxxxx>]

Hello Mike,

Thank you for the suggestion. I'll see about getting this into a future 
version.

...Tim

On 11/30/23 12:56, Michael Thomas wrote:
> There are a couple more missing permissions for procd on my schedd:
>
> require {
> ÂÂÂÂÂÂÂ type condor_procd_t;
> ÂÂÂÂÂÂÂ class perf_event { open write };
> ÂÂÂÂÂÂÂ class capability { dac_override sys_admin };
> }
>
> #============= condor_procd_t ==============
> allow condor_procd_t self:capability dac_override;
> allow condor_procd_t self:capability sys_admin;
> allow condor_procd_t self:perf_event { open write };
>
> --Mike
>
> On 11/30/23 11:26, Michael Thomas wrote:
> > I've returned to investigating selinux warnings on many of my hosts, 
> > and came across these two on a condor-23.0.0 startd:
> >
> > type=AVC msg=audit(1701367202.333:15914342): avc: denied { read } 
> > for pid=868067 comm="condor_procd" 
> > scontext=system_u:system_r:condor_procd_t:s0 
> > tcontext=system_u:system_r:condor_procd_t:s0 tclass=perf_event 
> > permissive=1
> >
> > type=AVC msg=audit(1701367217.357:15914353): avc: denied { 
> > dac_override } for pid=868067 comm="condor_procd" capability=1 
> > scontext=system_u:system_r:condor_procd_t:s0 
> > tcontext=system_u:system_r:condor_procd_t:s0 tclass=capability 
> > permissive=1
> >
> > It's easy enough to add a local policy to allow these:
> >
> >
> > require {
> > ÂÂÂÂÂÂÂÂ type condor_procd_t;
> > ÂÂÂÂÂÂÂÂ class perf_event read;
> > ÂÂÂÂÂÂÂÂ class capability dac_override;
> > }
> >
> > #============= condor_procd_t ==============
> > allow condor_procd_t self:capability dac_override;
> > allow condor_procd_t self:perf_event read;
> >
> >
> > ...but I figured I'd report it here in case it should be added to the 
> > upstream condor policy.
> >
> > --Mike
> > _______________________________________________
> > HTCondor-users mailing list
> > To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx 
> > with a
> > subject: Unsubscribe
> > You can also unsubscribe by visiting
> > https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> >
> > The archives can be found at:
> > https://lists.cs.wisc.edu/archive/htcondor-users/
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx 
> with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/

--
Tim Theisen (he, him, his)
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736