Bug 1572812
| Summary: | SELinux is preventing boinc from 'connectto' accesses on the unix_stream_socket 002F746D702F2E5831312D756E69782F5831. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Garrett Figueroa <garrett.figueroa> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | dwalsh, lvrabec, mgrepl, plautrba, pmoore |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:dcbd3666865f0ec50a75ab98d3b2f90f40c2c48bb3bf4a5bfbbbbf6a2afc345e;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-28 08:33:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This looks correct you definitely do not want to allow containers to connect to the Xserver. SELinux is doing precisely what it is designed to do. Allowing a process to connect to the XServer would allow it to screen scape all of you data on the desktop, it would also allow it to fool humans into typing passwords. It would also allow it to grab all data in the cut and paste buffer. Especially things like passwords. If you want to run trusted applications to connect to the desktop then you need to disable SELinux. The way you do this with podman is podman run --security-opt label=disable ... Or with docker docker run --security-opt label=disable ... |
Description of problem: SELinux is preventing boinc from 'connectto' accesses on the unix_stream_socket 002F746D702F2E5831312D756E69782F5831. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that boinc should be allowed connectto access on the 002F746D702F2E5831312D756E69782F5831 unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'boinc' --raw | audit2allow -M my-boinc # semodule -X 300 -i my-boinc.pp Additional Information: Source Context system_u:system_r:container_t:s0:c420,c759 Target Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 Target Objects 002F746D702F2E5831312D756E69782F5831 [ unix_stream_socket ] Source boinc Source Path boinc Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.16.3-200.fc27.x86_64 #1 SMP Thu Apr 19 19:33:38 UTC 2018 x86_64 x86_64 Alert Count 13 First Seen 2018-04-27 17:54:55 MDT Last Seen 2018-04-27 17:55:07 MDT Local ID 48e2ead2-3a28-4539-a082-0c79d0aef598 Raw Audit Messages type=AVC msg=audit(1524873307.948:1814): avc: denied { connectto } for pid=28746 comm="boinc" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:container_t:s0:c420,c759 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 Hash: boinc,container_t,xserver_t,unix_stream_socket,connectto Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.3-200.fc27.x86_64 type: libreport