
Re: [HTCondor-users] htcondor and selinux



The default LOCAL_DIR is /var, so one way to do it would be to add permissions for everything for which HTCondor uses system_u:object_r:var_t to access unconfined_u:object_r:user_home_dir_t. This would require creating a .te file with all of the necessary rights in it mapped to user_home_dir_t.

That would probably grant more permissions to HTCondor than one would prefer, since it wouldn't only cover the /home/condor directory but all other homedirs as well, and be more of a hassle to implement. So a better approach may be to set up contexts for the /home/condor directory itself to mirror the contexts of the directories in question:

LOCAL_DIR = /var
CRED_STORE_DIR = $(LOCAL_DIR)/cred_dir
EXECUTE = $(LOCAL_DIR)/lib/condor/execute
LOCK = $(LOCAL_DIR)/lock/condor
LOG = $(LOCAL_DIR)/log/condor
RUN = $(LOCAL_DIR)/run/condor
SPOOL = $(LOCAL_DIR)/lib/condor/spool

So you'd build out the /home/condor directory with the necessary subdirectory structure to match the above, and for the LOCK directory:

semanage fcontext -a -t condor_var_lock_t "/home/condor/lock/condor(/.*)?"

You'd repeat this command line for each of the references to LOCAL_DIR in your configuration, applying the appropriate target contexts identified with ls -Z on each of the directories. And then you'd relabel /home/condor to apply the updated labeling to the subdirectories, and that should get you where you need to be.


Michael V Pelletier
Principal Engineer

Raytheon Technologies
Information Technology
Digital Transformation & Innovation
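The relabeling procedure described in the reply above (build the subdirectory tree under /home/condor, add one fcontext rule per LOCAL_DIR reference using the type seen with ls -Z on the original directory, then relabel), as an added example script that is not part of the original post and not HTCondor's own tooling. It assumes the directory layout quoted in the post, that the original tree under /var is still correctly labeled so its types can be read with stat(1), and that the new tree lives at /home/condor; the only type it hard-codes is condor_var_lock_t, which the post names for the LOCK directory. With no arguments it prints the commands for review; with APPLY=1 it executes them.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): generate, and
# optionally apply, the SELinux file-context rules needed when HTCondor's
# LOCAL_DIR moves from /var to /home/condor.
# Assumptions: layout from the post, /var tree still labeled, target /home/condor.

OLD_LOCAL_DIR=/var
NEW_LOCAL_DIR=/home/condor

# Sub-paths under LOCAL_DIR, taken from the configuration quoted in the post.
SUBDIRS="cred_dir lib/condor/execute lock/condor log/condor run/condor lib/condor/spool"

# Extract the type field from a full SELinux context, e.g.
# "system_u:object_r:condor_var_lock_t:s0" -> "condor_var_lock_t".
# -s suppresses lines without a ':' so "?" (SELinux disabled) yields nothing.
type_from_context() {
    printf '%s\n' "$1" | cut -d: -s -f3
}

# Types the post itself names; everything else is discovered with stat(1).
known_type() {
    case "$1" in
        lock/condor) printf 'condor_var_lock_t\n' ;;
        *) ;;
    esac
}

# Read the label of an existing directory (equivalent of "ls -Zd"); prints
# nothing if stat fails, e.g. the directory does not exist on this host.
discover_type() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 0
    type_from_context "$ctx"
}

# Build the semanage rule for one sub-path and type. The "(/.*)?" suffix
# makes the rule cover the directory and everything beneath it.
gen_fcontext_cmd() {
    sub=$1; setype=$2
    printf 'semanage fcontext -a -t %s "%s/%s(/.*)?"\n' "$setype" "$NEW_LOCAL_DIR" "$sub"
}

# Emit the full plan: mkdir + fcontext rule per sub-path, then a recursive
# relabel so the new rules are applied to anything already present.
plan() {
    for sub in $SUBDIRS; do
        setype=$(known_type "$sub")
        [ -n "$setype" ] || setype=$(discover_type "$OLD_LOCAL_DIR/$sub")
        if [ -z "$setype" ]; then
            # Nothing to copy from: leave a reminder instead of guessing a type.
            printf '# TODO: type for %s/%s unknown; check with: ls -Zd %s/%s\n' \
                "$NEW_LOCAL_DIR" "$sub" "$OLD_LOCAL_DIR" "$sub"
            continue
        fi
        printf 'mkdir -p "%s/%s"\n' "$NEW_LOCAL_DIR" "$sub"
        gen_fcontext_cmd "$sub" "$setype"
    done
    printf 'restorecon -Rv "%s"\n' "$NEW_LOCAL_DIR"
}

if [ "${APPLY:-0}" = 1 ]; then
    plan | sh -ex      # execute the reviewed plan (needs root)
else
    plan               # dry run: print the commands for review
fi
```

Review the dry-run output before applying it: any "# TODO" line means the source directory was not found on this host and its type must be filled in by hand from ls -Z on a correctly labeled node. If a rule for a path already exists in the local policy, semanage fcontext -a reports it as already defined; use -m (modify) for that path instead, then rerun restorecon.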