Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[HTCondor-users] selinux denial
- Date: Thu, 30 Nov 2023 11:26:48 -0700
- From: Michael Thomas <wart@xxxxxxxxxxx>
- Subject: [HTCondor-users] selinux denial
I've returned to investigating selinux warnings on many of my hosts, and
came across these two on a condor-23.0.0 startd:
type=AVC msg=audit(1701367202.333:15914342): avc: denied { read } for
pid=868067 comm="condor_procd"
scontext=system_u:system_r:condor_procd_t:s0
tcontext=system_u:system_r:condor_procd_t:s0 tclass=perf_event permissive=1
type=AVC msg=audit(1701367217.357:15914353): avc: denied {
dac_override } for pid=868067 comm="condor_procd" capability=1
scontext=system_u:system_r:condor_procd_t:s0
tcontext=system_u:system_r:condor_procd_t:s0 tclass=capability permissive=1
It's easy enough to add a local policy to allow these:
require {
type condor_procd_t;
class perf_event read;
class capability dac_override;
}
#============= condor_procd_t ==============
allow condor_procd_t self:capability dac_override;
allow condor_procd_t self:perf_event read;
...but I figured I'd report it here in case it should be added to the
upstream condor policy.
--Mike