Bug 468358

Summary: execmem not allowed, should it be?
Product: Fedora
Reporter: Patrick C. F. Ernzer <pcfe>
Component: boinc-client
Assignee: Milos Jakubicek <xjakub>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: mmahut, xjakub
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-23 21:00:43 UTC

Description Patrick C. F. Ernzer 2008-10-24 10:33:53 UTC
Description of problem:
some projects in BOINC seem to try execmem
as it stands I get avc deny messages
I am not quite sure if the boinc-client package should have a policy file that allows this, or if selinux-policy-targeted should include it (reassign then), or if this is bad programming in the various BOINC hosted projects, considering other projects run just fine (close bug in that case, I'll then donate my CPU cycles to projects that do not require execmem)

Version-Release number of selected component (if applicable):
boinc-client-6.2.15-1.20080818svn.fc10.x86_64
selinux-policy-targeted-3.5.13-1.fc10.noarch

How reproducible:
only on some projects

Steps to Reproduce:
1. install boinc-client
2. have SELinux in Enforcing targeted mode
3. attach to the Einstein@Home project
4. boinc-client starts at boot time
  
Actual results:
avc:  denied  { execmem }

Expected results:
project is able to run

Additional info:
here's a sample message from within sealert browser (hostname was replaced manually with 'REMOVED' in the paste)

Summary:

SELinux is preventing einstein_S5R4_6 (initrc_t) "execmem" initrc_t.

Detailed Description:

SELinux denied access requested by einstein_S5R4_6. It is not expected that this
access is required by einstein_S5R4_6 and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ process ]
Source                        einstein_S5R4_6
Source Path                   /var/lib/boinc/projects/einstein.phys.uwm.edu/eins
                              tein_S5R4_6.02_i686-pc-linux-gnu_2
Port                          <Unknown>
Host                          REMOVED
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     REMOVED
Platform                      Linux REMOVED
                              2.6.27.3-27.rc1.fc10.x86_64 #1 SMP Sat Oct 18
                              20:24:59 EDT 2008 x86_64 x86_64
Alert Count                   229
First Seen                    Sun 19 Oct 2008 01:24:03 PM EEST
Last Seen                     Fri 24 Oct 2008 01:06:01 PM EEST
Local ID                      c18da064-43e7-46b1-a526-6b4e0f7cfb37
Line Numbers                  

Raw Audit Messages            

node=REMOVED type=AVC msg=audit(1224842761.9:192): avc:  denied  { execmem } for  pid=13968 comm="einstein_S5R4_6" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

node=REMOVED type=SYSCALL msg=audit(1224842761.9:192): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=4000 a2=7 a3=20022 items=0 ppid=3037 pid=13968 auid=4294967295 uid=492 gid=485 euid=492 suid=492 fsuid=492 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="einstein_S5R4_6" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S5R4_6.02_i686-pc-linux-gnu_2" subj=system_u:system_r:initrc_t:s0 key=(null)
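
Added example, not part of the bug report and not BOINC or Fedora code: a small Python triage helper that pairs the AVC record above with its SYSCALL record and decodes what the process actually asked the kernel for. It assumes the constant values from the 32-bit x86 Linux headers (AUDIT_ARCH_I386, the mmap2/mprotect syscall numbers, PROT_* and MAP_* bits) and that a0-a3 are hex, as the audit subsystem writes them.

```python
import re

# Raw audit records quoted in this bug report (hostname already redacted by the reporter).
AVC_LINE = ('node=REMOVED type=AVC msg=audit(1224842761.9:192): avc:  denied  { execmem } for  '
            'pid=13968 comm="einstein_S5R4_6" scontext=system_u:system_r:initrc_t:s0 '
            'tcontext=system_u:system_r:initrc_t:s0 tclass=process')
SYSCALL_LINE = ('node=REMOVED type=SYSCALL msg=audit(1224842761.9:192): arch=40000003 syscall=192 '
                'per=400000 success=no exit=-13 a0=0 a1=4000 a2=7 a3=20022 items=0 ppid=3037 '
                'pid=13968 auid=4294967295 uid=492 gid=485 comm="einstein_S5R4_6" '
                'exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S5R4_6.02_i686-pc-linux-gnu_2"')

# Assumed values, taken from the Linux headers for 32-bit x86 (linux/audit.h, asm/unistd_32.h, sys/mman.h).
AUDIT_ARCH_I386 = 0x40000003
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
             0x20: "MAP_ANONYMOUS", 0x20000: "MAP_STACK"}

def parse_audit(line):
    """Turn an audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def flag_names(value, table):
    """Render a bitmask symbolically; unknown bits are kept as hex so nothing is hidden."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    return "|".join(names + ([hex(leftover)] if leftover else [])) or "0"

def explain_execmem(avc_line, syscall_line):
    """Pair an AVC record with its SYSCALL record and report what the process requested."""
    avc, sc = parse_audit(avc_line), parse_audit(syscall_line)
    if avc["msg"] != sc["msg"]:
        raise ValueError("AVC and SYSCALL records belong to different audit events")
    perms = re.search(r'\{ ([^}]*) \}', avc_line).group(1).split()
    nr = int(sc["syscall"])
    # Syscall numbers are per-architecture: decode 192 as mmap2 only if arch says 32-bit x86.
    name = I386_SYSCALLS.get(nr, str(nr)) if int(sc["arch"], 16) == AUDIT_ARCH_I386 else str(nr)
    info = {"perms": perms, "comm": avc["comm"], "domain": avc["scontext"].split(":")[2],
            "syscall": name, "exit": int(sc["exit"])}
    if name in ("mmap2", "mprotect"):
        info["prot"] = flag_names(int(sc["a2"], 16), PROT_FLAGS)   # a2 = prot for both calls
    if name == "mmap2":
        info["flags"] = flag_names(int(sc["a3"], 16), MAP_FLAGS)    # a3 = flags
        info["length"] = int(sc["a1"], 16)                           # a1 = length in bytes
    # execmem is the check hit when a domain maps anonymous memory both writable and executable.
    info["rwx_anon"] = ("PROT_EXEC" in info.get("prot", "") and "PROT_WRITE" in info.get("prot", "")
                        and "MAP_ANONYMOUS" in info.get("flags", ""))
    return info
```

Calling `explain_execmem(AVC_LINE, SYSCALL_LINE)` shows the denied call was a 16 KiB anonymous mmap2 with PROT_READ|PROT_WRITE|PROT_EXEC, which is exactly the pattern the execmem permission gates, so the question for triage becomes whether that project binary legitimately needs RWX memory or whether a policy boolean or module for boinc is the right fix.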

Comment 1 Milos Jakubicek 2008-10-29 18:26:09 UTC
Hi,

I've posted this to the boinc-devel list, see the response here:

http://lists.ssl.berkeley.edu/pipermail/boinc_dev/2008-October/011948.html

...so, is it possible to extract some more detailed information (backtrace would be very nice) from SELinux?

Comment 2 Patrick C. F. Ernzer 2008-10-30 21:20:31 UTC
setting NEEDINFO on me until I get to run the requested trace; it will be up to three weeks though

Comment 3 Patrick C. F. Ernzer 2008-11-23 14:30:30 UTC
Hate it when that happens ;-)
finally got around to testing this and the error simply disappeared.

  - Machine did a few work units on its own
  - test as per Comment #1 went just fine
  - still boinc-client-6.2.15-1.20080818svn.fc10.x86_64
  - still einstein_S5R4_6.02_i686-pc-linux-gnu_2
  - newer policy though selinux-policy-targeted-3.5.13-1.fc10.noarch

I suggest we close this as NOTABUG for now, I can always reopen in case it shows again.

Comment 4 Milos Jakubicek 2008-11-23 21:00:43 UTC
Agree, closing as NOTABUG for now.