Recently, I mentioned getting regular SELinux alerts from BOINC, normally from Einstein@home. I've just received another one, although from a WCT unit. Yes, I'm following the troubleshooting instructions as I always do, and they seem to work, but only for that unit. (Using restorecon as root is all that's needed.) Somebody on the list asked to see the details, so here they are:

SELinux is preventing /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu from 'read, write' accesses on the chr_file /dev/nvidiactl.

***** Plugin restorecon (89.7 confidence) suggests *************************

If you want to fix the label.
/dev/nvidiactl default label should be xserver_misc_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/nvidiactl

***** Plugin device (9.42 confidence) suggests *****************************

If you want to allow wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu to have read write access on the nvidiactl chr_file
Then you need to change the label on /dev/nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/nvidiactl'
# restorecon -v '/dev/nvidiactl'

***** Plugin catchall (1.39 confidence) suggests ***************************

If you believe that wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu should be allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wcg_hpf2_rosett /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

***** Plugin leaks (1.39 confidence) suggests ******************************

If you want to ignore wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu trying to read write access the nvidiactl chr_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_project_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/nvidiactl [ chr_file ]
Source                        wcg_hpf2_rosett
Source Path                   /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu
Port                          <Unknown>
Host                          khorlia.zeff.us
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     khorlia.zeff.us
Platform                      Linux khorlia.zeff.us 2.6.35.13-92.fc14.i686 #1 SMP Sat May 21 17:39:42 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Sun 19 Jun 2011 03:40:33 AM PDT
Last Seen                     Sun 19 Jun 2011 03:40:33 AM PDT
Local ID                      11d810b9-b11c-4bad-ad33-11fd32e3232a

Raw Audit Messages
type=AVC msg=audit(1308480033.334:1452): avc: denied { read write } for pid=4942 comm="wcg_hpf2_rosett" path="/dev/nvidiactl" dev=devtmpfs ino=14053 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1308480033.334:1452): arch=i386 syscall=execve success=yes exit=0 a0=bfd279e8 a1=bfd23044 a2=9a9e640 a3=bfd279e8 items=0 ppid=4925 pid=4942 auid=0 uid=495 gid=490 euid=495 suid=495 fsuid=495 egid=490 sgid=490 fsgid=490 tty=(none) ses=167 comm=wcg_hpf2_rosett exe=/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hpf2_rosetta_6.40_i686-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null)

Hash: wcg_hpf2_rosett,boinc_project_t,device_t,chr_file,read,write

audit2allow

#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file { read write };

audit2allow -R

#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file { read write };
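
Added example, not part of the original post: a Python sketch that parses the AVC record from the alert above and shows why relabelling is the narrower fix, since the rule audit2allow generates applies to every chr_file labelled with the generic device_t type, not only /dev/nvidiactl. The GENERIC_TYPES set and the triage() heuristic are assumptions made for this illustration.

```python
import re

# AVC record copied from the alert in the post above.
AVC_LINE = (
    'type=AVC msg=audit(1308480033.334:1452): avc: denied { read write } '
    'for pid=4942 comm="wcg_hpf2_rosett" path="/dev/nvidiactl" dev=devtmpfs '
    'ino=14053 scontext=system_u:system_r:boinc_project_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file'
)

# Assumption for this sketch: types treated as generic fallback labels.
GENERIC_TYPES = {"device_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is field three.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """Rebuild the type-enforcement rule audit2allow prints for this denial."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def triage(rec):
    """'relabel' when the target carries a generic type, else 'review-policy'."""
    return "relabel" if rec["ttype"] in GENERIC_TYPES else "review-policy"


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print(triage(rec), "->", rec["path"])
    print("rule that would cover every %s node: %s" % (rec["ttype"], allow_rule(rec)))
```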