Bug 1397476
| Summary: | SELinux is preventing boinc_client from 'read' accesses on the file mmap_min_addr. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jia Yuan Lo <jylo06g> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | cheekyboinc, dominick.grift, dwalsh, germano.massullo, jylo06g, Laurence.Field, lvrabec, mattia.verga, mgrepl, mmahut, plautrba, pmoore, ssekidde, xjakub |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:ee835ebddf29c5538afb59122c2906b9d141e6f8d311b7bfada9be2b8c03d45b; | ||
| Fixed In Version: | boinc-client-7.8.4-1.fc27 boinc-client-7.8.4-1.fc26 boinc-client-7.8.4-1.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-12-09 03:29:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Boinc folks, Do you know what happened here? Thanks. Update: Sorry, I think I forget to update permission for files inside /var/lib/boinc. Update permission for /var/lib/boinc folder only seems not enough. After this BOINC works normally and no more SELinux alerts... But I think BOINC should do all this permission setting automatically without manual user intervention. I think this bug is all good now since it is the current BOINC's behaviour Could you please explain what do you mean with:
> Update: Sorry, I think I forget to update permission for files inside
> /var/lib/boinc. Update permission for /var/lib/boinc folder only seems not
> enough.
I did this sudo chmod g+rw /var/lib/boinc but without this sudo chmod g+rw /var/lib/boinc/* and then starts BOINC Manager, BOINC can't connect to client(?) and SELinux alerts triggers after some time... Doing back sudo chmod g+rw /var/lib/boinc/* BOINC works, alerts gone... Note that I also did systemctl restart boinc-client.service a few times before realising I miss some steps after BOINC installed. Thats where the alert really comes in. Could you please show us the output of: # ls -latr /var/lib/boinc/ Sorry I have formatted my laptop... I was following this old guide http://boinc.berkeley.edu/wiki/Installing_BOINC_on_Fedora#Set_up_your_accounts Is this still relevant? Do I still need to chmod here and there? I think you guys should just closed this report since it doesn't worth the time to investigate the problem just because I didn't follow those instructions... /var/lib/boinc/ is owned and should be owned by boinc user only for security reasons and the defaults permissions are fine. Your SELinux alert is triggered by other factors but we can no longer investigate because the laptop has been formatted Description of problem: Happened after 1st time install BOINC client and 1st time starting BOINC client service Version-Release number of selected component: selinux-policy-3.13.1-225.1.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.12-300.fc25.x86_64 type: libreport Ok, this time ignore all the previous comments before #9...
Here's the command I run after freshly installed Fedora 25...
sudo dnf -y install boinc-client boinc-manager
sudo gpasswd -a $(whoami) boinc
sudo gpasswd -a boinc video
sudo systemctl start boinc-client.service
^ above starts the SELinux trigger I assume
sudo systemctl enable boinc-client.service
find /var/lib/boinc -type d -exec sudo chmod 755 {} \;
find /var/lib/boinc -type f -exec sudo chmod 644 {} \;
ln -s /var/lib/boinc/gui_rpc_auth.cfg ~/gui_rpc_auth.cfg
It looks like its actually the brawling between TLP and SELinux that also got BOINC drag into the fight... If you don't install TLP, you will not get that SELinux error. Sorry folks for the mess up bug report and wasted everybody's time. SELinux guys, you can close these as well... https://bugzilla.redhat.com/show_bug.cgi?id=1403493 https://bugzilla.redhat.com/show_bug.cgi?id=1403494 These reports here are also ERRONEOUSLY commented by me that its got to do with BOINC which in fact is TLP vs SELinux... https://bugzilla.redhat.com/show_bug.cgi?id=1403490 https://bugzilla.redhat.com/show_bug.cgi?id=1403489 https://bugzilla.redhat.com/show_bug.cgi?id=1403488 https://bugzilla.redhat.com/show_bug.cgi?id=1403486 https://bugzilla.redhat.com/show_bug.cgi?id=1403485 https://bugzilla.redhat.com/show_bug.cgi?id=1403103 https://bugzilla.redhat.com/show_bug.cgi?id=1403462 https://bugzilla.redhat.com/show_bug.cgi?id=1403487 https://bugzilla.redhat.com/show_bug.cgi?id=1403102 Marking this as WORKS FOR ME... *** Bug 1403493 has been marked as a duplicate of this bug. *** *** Bug 1403494 has been marked as a duplicate of this bug. *** Sorry I am still getting errors after dozens of fresh installs and I have checked all the permission and BOINC is up and running But after every boot SELinux is still complaining... Which project are you running? Please show us # ls -latr /var/lib/boinc (In reply to Germano Massullo from comment #15) > Which project are you running? Please show us > # ls -latr /var/lib/boinc [root@asus-x552l jylo]# ls -latr /var/lib/boinc total 480 drwxr-xr-x. 61 root root 4096 Apr 12 01:25 .. -rw-r--r--. 1 boinc boinc 0 Apr 12 01:25 stderrdae.txt -rw-r--r--. 1 boinc boinc 32 Apr 12 01:25 gui_rpc_auth.cfg -rw-r--r--. 1 boinc boinc 55537 Apr 12 01:25 all_projects_list.xml drwxr-----. 3 boinc boinc 4096 Apr 12 01:31 .pki -rw-r--r--. 1 boinc boinc 1392 Apr 12 01:31 get_project_config.xml -rw-r--r--. 1 boinc boinc 142 Apr 12 01:32 lookup_account.xml drwxrwx--x. 3 boinc boinc 4096 Apr 12 01:32 projects -rw-r--r--. 1 boinc boinc 26212 Apr 12 01:32 master_www.worldcommunitygrid.org.xml -rw-r--r--. 1 boinc boinc 9281 Apr 12 01:32 get_current_version.xml -rw-r--r--. 1 boinc boinc 1344 Apr 12 01:32 global_prefs.xml drwxrwx--x. 6 boinc boinc 4096 Apr 12 01:39 slots -rw-r--r--. 1 boinc boinc 0 Apr 12 11:16 lockfile -rw-r--r--. 1 boinc boinc 560 Apr 12 11:16 stderrgpudetect.txt -rw-r--r--. 1 boinc boinc 3238 Apr 12 11:16 coproc_info.xml -rw-r--r--. 1 boinc boinc 272 Apr 12 11:16 stdoutgpudetect.txt drwxr-xr-x. 2 boinc boinc 4096 Apr 12 11:16 notices -rw-r--r--. 1 boinc boinc 807 Apr 12 11:16 time_stats_log -rw-r--r--. 1 boinc boinc 2212 Apr 12 11:25 account_www.worldcommunitygrid.org.xml -rw-r--r--. 1 boinc boinc 12585 Apr 12 13:55 sched_request_www.worldcommunitygrid.org.xml -rw-r--r--. 1 boinc boinc 32679 Apr 12 13:55 sched_reply_www.worldcommunitygrid.org.xml -rw-r--r--. 1 boinc boinc 748 Apr 12 13:55 statistics_www.worldcommunitygrid.org.xml -rw-r--r--. 1 boinc boinc 990 Apr 12 13:58 job_log_www.worldcommunitygrid.org.txt -rw-r--r--. 1 boinc boinc 11798 Apr 12 14:03 lookup_website.html -rw-r--r--. 1 boinc boinc 56676 Apr 12 14:03 stdoutdae.txt -rw-r--r--. 1 boinc boinc 121 Apr 12 14:03 daily_xfer_history.xml -rw-r--r--. 1 boinc boinc 95010 Apr 12 14:10 client_state_prev.xml -rw-r--r--. 1 boinc boinc 95010 Apr 12 14:14 client_state.xml drwxr-xr-x. 6 boinc boinc 4096 Apr 12 14:14 . Show us # cat /proc/sys/vm/mmap_min_addr (In reply to Germano Massullo from comment #17) > Show us > # cat /proc/sys/vm/mmap_min_addr [root@asus-x552l jylo]# cat /proc/sys/vm/mmap_min_addr 65536 Similar bugreport https://bugzilla.redhat.com/show_bug.cgi?id=1404015 boinc-client-7.8.3-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f3922240 boinc-client-7.8.3-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-520df58c68 boinc-client-7.8.3-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a21b5d9b81 boinc-client-7.8.3-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-25fce4ebdd boinc-client-7.8.3-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-25fce4ebdd boinc-client-7.8.3-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f3922240 boinc-client-7.8.3-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a21b5d9b81 boinc-client-7.8.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-520df58c68 boinc-client-7.8.4-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-afb2246c84 boinc-client-7.8.4-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-45b1e5bc58 boinc-client-7.8.4-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b3e960d5ad boinc-client-7.8.4-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c45de2e44e boinc-client-7.8.4-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-afb2246c84 boinc-client-7.8.4-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b3e960d5ad boinc-client-7.8.4-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c45de2e44e boinc-client-7.8.4-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-45b1e5bc58 This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. boinc-client-7.8.4-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. boinc-client-7.8.4-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. boinc-client-7.8.4-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. boinc-client-7.8.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing boinc_client from 'read' accesses on the file mmap_min_addr. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that boinc_client should be allowed read access on the mmap_min_addr file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'boinc_client' --raw | audit2allow -M my-boincclient # semodule -X 300 -i my-boincclient.pp Additional Information: Source Context system_u:system_r:boinc_t:s0 Target Context system_u:object_r:sysctl_vm_t:s0 Target Objects mmap_min_addr [ file ] Source boinc_client Source Path boinc_client Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-224.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.8.8-300.fc25.x86_64 #1 SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-23 23:49:12 MYT Last Seen 2016-11-23 23:49:12 MYT Local ID 248dd580-4e41-42dc-84b0-1ba0f2464d24 Raw Audit Messages type=AVC msg=audit(1479916152.856:524): avc: denied { read } for pid=5263 comm="boinc_client" name="mmap_min_addr" dev="proc" ino=33171 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0 Hash: boinc_client,boinc_t,sysctl_vm_t,file,read Version-Release number of selected component: selinux-policy-3.13.1-224.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.8-300.fc25.x86_64 type: libreport