I installed Open OnDemand 4.1.4 on a RHEL 10.1 host with SELinux enforcing. I have set the ondemand_use_slurm boolean on (setsebool ondemand_use_slurm on).
When I try to submit a job I get the following error:
An error occurred when submitting jobs for simulation 1: sbatch: error: s_p_parse_file: unable to read "/run/slurm/conf/slurm.conf": Permission denied
sbatch: error: ClusterName needs to be specified
sbatch: fatal: Unable to process configuration file
slurm error:
SELinux is preventing /usr/bin/sinfo from open access on the file /var/spool/slurmd/conf-cache/slurm.conf.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that sinfo should be allowed open access on the slurm.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'sinfo' --raw | audit2allow -M my-sinfo
semodule -X 300 -i my-sinfo.pp
Additional Information:
Source Context system_u:system_r:ood_pun_t:s0
Target Context system_u:object_r:var_spool_t:s0
Target Objects /var/spool/slurmd/conf-cache/slurm.conf [ file ]
Source sinfo
Source Path /usr/bin/sinfo
Port
Host cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Source RPM Packages slurm-25.11.2-1.el10.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-42.1.7-1.el10_1.1.noarch
Local Policy RPM
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Platform Linux cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
6.12.0-124.43.1.el10_1.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue Mar 3 19:10:08 EST 2026
x86_64
Alert Count 35
First Seen 2026-04-30 00:44:31 CEST
Last Seen 2026-05-01 20:08:10 CEST
Local ID 03481587-4cb3-48f5-85c7-501455eb0592
Raw Audit Messages
type=AVC msg=audit(1777658890.926:1213): avc: denied { open } for pid=4988 comm="squeue" path="/var/spool/slurmd/conf-cache/slurm.conf" dev="vda3" ino=33876739 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1777658890.926:1213): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=1ed002b0 a2=0 a3=0 items=0 ppid=3823 pid=4988 auid=4294967295 uid=10303 gid=1999 euid=10303 suid=10303 fsuid=10303 egid=1999 sgid=1999 fsgid=1999 tty=(none) ses=4294967295 comm=squeue exe=/usr/bin/squeue subj=system_u:system_r:ood_pun_t:s0 key=(null)
Hash: sinfo,ood_pun_t,var_spool_t,file,open
I also see some non-Slurm-related SELinux errors in journalctl:
lnk_file fd issue:
SELinux is preventing /opt/ood/ondemand/root/usr/sbin/nginx from read access on the lnk_file fd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that nginx should be allowed read access on the fd lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'nginx' --raw | audit2allow -M my-nginx
semodule -X 300 -i my-nginx.pp
Additional Information:
Source Context system_u:system_r:ood_pun_t:s0
Target Context system_u:object_r:init_var_run_t:s0
Target Objects fd [ lnk_file ]
Source nginx
Source Path /opt/ood/ondemand/root/usr/sbin/nginx
Port
Host cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Source RPM Packages ondemand-passenger-6.1.0-2.ood4.1.0.el10.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-42.1.7-1.el10_1.1.noarch
Local Policy RPM
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Platform Linux cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
6.12.0-124.43.1.el10_1.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue Mar 3 19:10:08 EST 2026
x86_64
Alert Count 822
First Seen 2026-04-30 00:41:21 CEST
Last Seen 2026-05-01 20:06:16 CEST
Local ID 8a1e49c3-93f7-4838-9291-1d71fd05f833
Raw Audit Messages
type=AVC msg=audit(1777658776.858:1177): avc: denied { read } for pid=4868 comm="PassengerAgent" name="fd" dev="tmpfs" ino=23 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1777658776.858:1177): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=ffffff9c a1=67e56a a2=7f1f4c61dd40 a3=0 items=0 ppid=4867 pid=4868 auid=4294967295 uid=10303 gid=1999 euid=10303 suid=10303 fsuid=10303 egid=1999 sgid=1999 fsgid=1999 tty=(none) ses=4294967295 comm=PassengerAgent exe=/opt/ood/ondemand/root/usr/lib64/passenger/support-binaries/PassengerAgent subj=system_u:system_r:ood_pun_t:s0 key=(null)
Hash: nginx,ood_pun_t,init_var_run_t,lnk_file,read
ps issue:
SELinux is preventing /usr/bin/ps from read access on the directory node.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that ps should be allowed read access on the node directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'ps' --raw | audit2allow -M my-ps
semodule -X 300 -i my-ps.pp
Additional Information:
Source Context system_u:system_r:ood_pun_t:s0
Target Context system_u:object_r:sysfs_t:s0
Target Objects node [ dir ]
Source ps
Source Path /usr/bin/ps
Port
Host cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Source RPM Packages procps-ng-4.0.4-8.el10.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-42.1.7-1.el10_1.1.noarch
Local Policy RPM
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Platform Linux cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
6.12.0-124.43.1.el10_1.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue Mar 3 19:10:08 EST 2026
x86_64
Alert Count 232
First Seen 2026-04-30 00:44:19 CEST
Last Seen 2026-05-01 20:07:16 CEST
Local ID df023fb1-c732-4750-8db3-ebfc21b9b007
Raw Audit Messages
type=AVC msg=audit(1777658836.929:1192): avc: denied { read } for pid=4911 comm="ps" name="node" dev="sysfs" ino=588 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1777658836.929:1192): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7fc0f2fa979e a2=90800 a3=0 items=0 ppid=2642 pid=4911 auid=4294967295 uid=10303 gid=1999 euid=10303 suid=10303 fsuid=10303 egid=1999 sgid=1999 fsgid=1999 tty=(none) ses=4294967295 comm=ps exe=/usr/bin/ps subj=system_u:system_r:ood_pun_t:s0 key=(null)
Hash: ps,ood_pun_t,sysfs_t,dir,read
favicon:
SELinux is preventing /usr/sbin/httpd from map access on the file /var/www/ood/public/favicon.ico.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.
Do
setsebool -P domain_can_mmap_files 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that httpd should be allowed map access on the favicon.ico file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -X 300 -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:ood_apps_public_t:s0
Target Objects /var/www/ood/public/favicon.ico [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port
Host cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Source RPM Packages httpd-core-2.4.63-4.el10_1.3.x86_64
Target RPM Packages ondemand-4.1.4-1.el10.x86_64
SELinux Policy RPM selinux-policy-targeted-42.1.7-1.el10_1.1.noarch
Local Policy RPM
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
Platform Linux cbevm-ood-0.cbevm.inst.atlas.clip.vbc.ac.at
6.12.0-124.43.1.el10_1.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue Mar 3 19:10:08 EST 2026
x86_64
Alert Count 9
First Seen 2026-04-30 00:43:51 CEST
Last Seen 2026-05-01 20:08:10 CEST
Local ID 17d6df51-87ac-4414-b6f6-e24d26a66d57
Raw Audit Messages
type=AVC msg=audit(1777658890.964:1214): avc: denied { map } for pid=1993 comm="httpd" path="/var/www/ood/public/favicon.ico" dev="vda3" ino=109516129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ood_apps_public_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1777658890.964:1214): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=47e a2=1 a3=1 items=0 ppid=1988 pid=1993 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
This is the policy file that would allow the SELinux violations:
module ood 1.0;

require {
    type ood_pun_t;
    type ood_apps_public_t;
    type systemd_userdbd_runtime_t;
    type sysfs_t;
    type var_spool_t;
    type init_var_run_t;
    type httpd_t;
    class dir read;
    class lnk_file read;
    class file { map open read };
}

#============= httpd_t ==============

#!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_t ood_apps_public_t:file map;

#============= ood_pun_t ==============
allow ood_pun_t init_var_run_t:lnk_file read;
allow ood_pun_t sysfs_t:dir read;
allow ood_pun_t sysfs_t:file read;
allow ood_pun_t systemd_userdbd_runtime_t:dir read;
allow ood_pun_t var_spool_t:file open;
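As an added example (my own code, not part of the post and not OnDemand, Slurm or audit2allow code), the Python below merges the AVC records quoted above into the TE allow rules audit2allow would emit, then flags the ones whose target is a shared generic type such as var_spool_t: that rule lets ood_pun_t open any var_spool_t file, not only the Slurm config cache, so giving the cache a narrower label is usually preferable to widening the domain. The sample records are trimmed copies of the post's AVC lines; the set of generic types is an assumption of mine.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records from the post, trimmed to the fields rule generation needs.
AVC_LINES = [
    'type=AVC msg=audit(1777658890.926:1213): avc: denied { open } for pid=4988 comm="squeue" path="/var/spool/slurmd/conf-cache/slurm.conf" '
    'scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1777658776.858:1177): avc: denied { read } for pid=4868 comm="PassengerAgent" name="fd" '
    'scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1777658836.929:1192): avc: denied { read } for pid=4911 comm="ps" name="node" '
    'scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1777658890.964:1214): avc: denied { map } for pid=1993 comm="httpd" path="/var/www/ood/public/favicon.ico" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ood_apps_public_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)'
)

# Widely shared types (my own, non-exhaustive list): a rule on one of these covers every object with that label.
GENERIC_TARGETS = {'var_spool_t', 'sysfs_t', 'init_var_run_t', 'var_t', 'etc_t', 'tmp_t'}


def parse_avc(line):
    """Return (source type, target type, class, permissions) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]   # contexts are user:role:TYPE:level
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())


def allow_rules(lines):
    """Merge denials per (source, target, class) into TE allow rules, the way audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        body = ' '.join(sorted(perms))
        if len(perms) > 1:
            body = '{ ' + body + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules


def broad_rules(rules):
    """Rules whose target is a generic type; relabelling the object is usually the safer fix."""
    return [r for r in rules if r.split()[2].split(':')[0] in GENERIC_TARGETS]
```

Running broad_rules(allow_rules(AVC_LINES)) flags three of the four generated rules; only the httpd_t rule targets a type specific to OnDemand.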