Linux Archive (http://www.linux-archive.org/)
Fedora User (http://www.linux-archive.org/fedora-user/)
SELinux problem with BOINC (http://www.linux-archive.org/fedora-user/541580-selinux-problem-boinc.html)

Joe Zeff 06-19-2011 03:50 PM

SELinux problem with BOINC
 
Recently, I mentioned getting regular SELinux alerts from BOINC,
normally from Einstein@home. I've just received another one, although
from a WCT unit. Yes, I'm following the troubleshooting instructions as
I always do, and they seem to work, but only for that unit. (Using
restorecon as root is all that's needed.) Somebody on the list asked to
see the details, so here they are:

SELinux is preventing
/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu
from 'read, write' accesses on the chr_file /dev/nvidiactl.

***** Plugin restorecon (89.7 confidence) suggests *************************

If you want to fix the label.
/dev/nvidiactl default label should be xserver_misc_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/nvidiactl

***** Plugin device (9.42 confidence) suggests *****************************

If you want to allow wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu to have
read write access on the nvidiactl chr_file
Then you need to change the label on /dev/nvidiactl to a type of a
similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/nvidiactl'
# restorecon -v '/dev/nvidiactl'

***** Plugin catchall (1.39 confidence) suggests ***************************

If you believe that wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu should be
allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wcg_hpf2_rosett /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

***** Plugin leaks (1.39 confidence) suggests ******************************

If you want to ignore wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu trying to
read write access the nvidiactl chr_file, because you believe it should
not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        system_u:system_r:boinc_project_t:s0
Target Context        system_u:object_r:device_t:s0
Target Objects        /dev/nvidiactl [ chr_file ]
Source                wcg_hpf2_rosett
Source Path           /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu
Port                  <Unknown>
Host                  khorlia.zeff.us
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.9.7-40.fc14
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             khorlia.zeff.us
Platform              Linux khorlia.zeff.us 2.6.35.13-92.fc14.i686 #1 SMP Sat May 21 17:39:42 UTC 2011 i686 i686
Alert Count           1
First Seen            Sun 19 Jun 2011 03:40:33 AM PDT
Last Seen             Sun 19 Jun 2011 03:40:33 AM PDT
Local ID              11d810b9-b11c-4bad-ad33-11fd32e3232a

Raw Audit Messages
type=AVC msg=audit(1308480033.334:1452): avc: denied { read write } for pid=4942 comm="wcg_hpf2_rosett" path="/dev/nvidiactl" dev=devtmpfs ino=14053 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1308480033.334:1452): arch=i386 syscall=execve success=yes exit=0 a0=bfd279e8 a1=bfd23044 a2=9a9e640 a3=bfd279e8 items=0 ppid=4925 pid=4942 auid=0 uid=495 gid=490 euid=495 suid=495 fsuid=495 egid=490 sgid=490 fsgid=490 tty=(none) ses=167 comm=wcg_hpf2_rosett exe=/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null)

Hash: wcg_hpf2_rosett,boinc_project_t,device_t,chr_file, read,write

audit2allow

#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file { read write };

audit2allow -R

#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file { read write };



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
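The denial in the post is the case where setroubleshoot's highest-confidence plugin is the right one: the target context is the generic device_t type, meaning /dev/nvidiactl never received its proper xserver_misc_device_t label, so restorecon corrects the label and no policy change is needed. The catchall and leaks plugins would instead build a module from the audit2allow line shown above, and that rule allows boinc_project_t to read and write every chr_file of type device_t, not only this node, because SELinux rules are written in terms of types rather than paths. The following POSIX shell script is an added example, not part of the post and not code from setroubleshoot or audit2allow; it parses one raw AVC record (the one from the post, plus a second, constructed one whose node is already correctly labeled), extracts the source and target types, class and permissions, applies that triage rule, and prints the rule audit2allow would generate so its breadth is visible. The function names and the relabel-versus-policy heuristic are the example's own.

```shell
#!/bin/sh
# Added example, not code from the post or from setroubleshoot/audit2allow.
# Triage a raw SELinux AVC record: decide whether the fix is a relabel
# (restorecon) or a policy question, and show the rule audit2allow would
# emit for it so its breadth is visible.

# The AVC record from the post, joined back onto one line.
AVC='type=AVC msg=audit(1308480033.334:1452): avc: denied { read write } for pid=4942 comm="wcg_hpf2_rosett" path="/dev/nvidiactl" dev=devtmpfs ino=14053 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'

# Constructed second record (not from the post): same program and node,
# but the node already carries its proper xserver_misc_device_t label,
# so relabeling cannot help and the denial is a genuine policy question.
AVC_LABELED='type=AVC msg=audit(1308480100.000:1453): avc: denied { read write } for pid=4942 comm="wcg_hpf2_rosett" path="/dev/nvidiactl" dev=devtmpfs ino=14053 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file'

# avc_field RECORD KEY: value of KEY=VALUE in the record, quotes stripped.
# Assumes key=value tokens are space separated, which holds for audit
# records because auditd hex-encodes values containing spaces.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2); gsub(/"/, "", v); print v; exit }'
}

# avc_perms RECORD: the permission list between the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_denial RECORD: "relabel" when the target is a device node that
# still carries the generic device_t type, i.e. it never received its
# specific label and restorecon is the fix; otherwise "policy".
classify_denial() {
    if [ "$(ctx_type "$(avc_field "$1" tcontext)")" = device_t ] &&
       [ "$(avc_field "$1" tclass)" = chr_file ]; then
        echo relabel
    else
        echo policy
    fi
}

# audit2allow_rule RECORD: the allow rule audit2allow derives from one AVC.
# Rules are written in terms of types, not paths, so this grants the source
# domain the listed permissions on every chr_file of the target type.
audit2allow_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# recommended_fix RECORD: the action matching the classification.
recommended_fix() {
    case $(classify_denial "$1") in
        relabel) printf 'restorecon -v %s\n' "$(avc_field "$1" path)" ;;
        policy)  printf 'policy question: audit2allow -M mypol would add "%s"; review mypol.te before semodule -i mypol.pp\n' \
                     "$(audit2allow_rule "$1")" ;;
    esac
}

for rec in "$AVC" "$AVC_LABELED"; do
    printf 'target : %s (%s)\n' "$(avc_field "$rec" path)" "$(avc_field "$rec" tcontext)"
    printf 'triage : %s\n' "$(classify_denial "$rec")"
    printf 'rule   : %s\n' "$(audit2allow_rule "$rec")"
    printf 'fix    : %s\n\n' "$(recommended_fix "$rec")"
done
```

Run it as `sh triage.sh`; on a live system the same functions can be fed lines from `ausearch -m AVC` one at a time. The point of printing the rule even in the relabel case is that `audit2allow -M` never sees the path, only the types, so a module written for a mislabeled node silently covers every other node that is still device_t.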

