I've returned to investigating SELinux warnings on many of my hosts, and
came across these two on a condor-23.0.0 startd:

type=AVC msg=audit(1701367202.333:15914342): avc: denied { read } for pid=868067 comm="condor_procd" scontext=system_u:system_r:condor_procd_t:s0 tcontext=system_u:system_r:condor_procd_t:s0 tclass=perf_event permissive=1
type=AVC msg=audit(1701367217.357:15914353): avc: denied { dac_override } for pid=868067 comm="condor_procd" capability=1 scontext=system_u:system_r:condor_procd_t:s0 tcontext=system_u:system_r:condor_procd_t:s0 tclass=capability permissive=1

It's easy enough to add a local policy to allow these:

require {
        type condor_procd_t;
        class perf_event read;
        class capability dac_override;
}

#============= condor_procd_t ==============
allow condor_procd_t self:capability dac_override;
allow condor_procd_t self:perf_event read;

...but I figured I'd report it here in case it should be added to the
upstream condor policy.
--Mike
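
Added example (not part of the original message, and not HTCondor or audit2allow code): a small Python parser that turns the two AVC records quoted above into the same allow rules and flags the capability rule for review, since dac_override lets a process bypass file permission checks. The names SAMPLE, parse_avc, summarize and REVIEW_CAPS are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records from the message, one record per line.
SAMPLE = """\
type=AVC msg=audit(1701367202.333:15914342): avc: denied { read } for pid=868067 comm="condor_procd" scontext=system_u:system_r:condor_procd_t:s0 tcontext=system_u:system_r:condor_procd_t:s0 tclass=perf_event permissive=1
type=AVC msg=audit(1701367217.357:15914353): avc: denied { dac_override } for pid=868067 comm="condor_procd" capability=1 scontext=system_u:system_r:condor_procd_t:s0 tcontext=system_u:system_r:condor_procd_t:s0 tclass=capability permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Capabilities that bypass file permission (DAC) checks. Flagging them for
# review is this example's choice, not behaviour of any SELinux tool.
REVIEW_CAPS = {"dac_override", "dac_read_search"}

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        # The SELinux type is the third field of user:role:type:level.
        src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        tclass = f["tclass"]
    except (KeyError, IndexError):
        return None
    # "self" is the policy shorthand when source and target type match;
    # permissive=1 means the access was logged but not blocked.
    return {"source": src, "target": "self" if src == tgt else tgt, "tclass": tclass,
            "perms": set(m.group(1).split()), "blocked": f.get("permissive") != "1"}

def summarize(log_text):
    """Merge denials into allow rules; also return the rules needing review."""
    merged, review = defaultdict(set), []
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        merged[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
        if tclass == "capability" and perms & REVIEW_CAPS:
            review.append(rules[-1])
    return rules, review

if __name__ == "__main__":
    rules, review = summarize(SAMPLE)
    print("\n".join(rules))
    print("review before allowing:", review)
```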