Bug 608504

Summary: SELinux is preventing /var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci "name_connect" access to <Unknown>.
Product: [Fedora] Fedora
Component: selinux-policy
Reporter: Daniel Stripes <dlstripes-fedorabugs>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: 13
CC: dwalsh, mgrepl
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Last Closed: 2010-07-06 17:09:33 UTC

Description Daniel Stripes 2010-06-27 21:41:56 UTC
Summary:

SELinux is preventing
/var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci
"name_connect" access to <Unknown>.

Detailed Description:

[data_collect_1. has a permissive type (boinc_t). This access was not denied.]

SELinux denied access requested by
/var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci.
/var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci
is mislabeled.
/var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci
default SELinux type is boinc_var_lib_t, but its current type is boinc_var_lib_t.
Changing this file back to the default type, may fix your problem.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon
'/var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci'.

Fix Command:

/sbin/restorecon
'/var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci'

Additional Information:

Source Context                unconfined_u:system_r:boinc_t:s0
Target Context                system_u:object_r:boinc_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        data_collect_1.
Source Path                   /var/lib/boinc/projects/wuprop.boinc-
                              af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci
Port                          31416
Host                          rigel.milky.way
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restore_source_context
Host Name                     rigel.milky.way
Platform                      Linux rigel.milky.way 2.6.33.5-124.fc13.x86_64 #1
                              SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   43
First Seen                    Fri 25 Jun 2010 08:23:32 AM EDT
Last Seen                     Sun 27 Jun 2010 05:06:36 PM EDT
Local ID                      6cad3dd9-7420-463e-af22-b60358b8a01a
Line Numbers                  

Raw Audit Messages            

node=rigel.milky.way type=AVC msg=audit(1277672796.90:56025): avc:  denied  { name_connect } for  pid=3439 comm="data_collect_1." dest=31416 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_port_t:s0 tclass=tcp_socket

node=rigel.milky.way type=SYSCALL msg=audit(1277672796.90:56025): arch=c000003e syscall=42 success=yes exit=0 a0=e a1=7fff1c321600 a2=10 a3=1999999999999999 items=0 ppid=3427 pid=3439 auid=500 uid=491 gid=472 euid=491 suid=491 fsuid=491 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="data_collect_1." exe="/var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci" subj=unconfined_u:system_r:boinc_t:s0 key=(null)

--  
How reproducible:

As long as a WUProp@Home project task is running in BOINC, this alert continues to recur every few moments.

Steps to Reproduce:

1.  Start boinc-client working on a WUProp@Home project task.
  
Actual results:

SELinux Security Alert.

Expected results:

No SELinux Security Alert.

Additional info:  

The statement "... default SELinux type is boinc_var_lib_t, but its current type is boinc_var_lib_t.
Changing this file back to the default type, may fix your problem."  obfuscates the issue for me.

I have tried restoring the context to no avail:  the denial occurs again, both before and after a reboot.

Comment 1 Miroslav Grepl 2010-06-28 11:30:15 UTC
Dan, 
I will add

corenet_tcp_connect_boinc_port(boinc_t)
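
The following Python example is added here and is not from the bug thread or the selinux-policy project. It groups the audit records above by event ID, derives the allow rule the denial calls for (the permission that the interface named in Comment 1 grants), and flags that the denial was logged while the syscall succeeded and that the target is not a labelled file. Function and field names are illustrative assumptions, and the SYSCALL record is shortened.

```python
import re

# Records from "Raw Audit Messages" above; the SYSCALL record is shortened here.
RAW = '''node=rigel.milky.way type=AVC msg=audit(1277672796.90:56025): avc:  denied  { name_connect } for  pid=3439 comm="data_collect_1." dest=31416 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_port_t:s0 tclass=tcp_socket
node=rigel.milky.way type=SYSCALL msg=audit(1277672796.90:56025): arch=c000003e syscall=42 success=yes exit=0 pid=3439 comm="data_collect_1." subj=unconfined_u:system_r:boinc_t:s0'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for .*?'
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
# Object classes whose label lives on a file, so restorecon can change it.
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'sock_file', 'fifo_file', 'chr_file', 'blk_file'}

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def analyse(raw):
    events = {}
    for line in raw.splitlines():
        head = HEADER.search(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        ev = events.setdefault(event_id, {})  # records of one event share an ID
        avc = AVC.search(line) if rtype == 'AVC' else None
        if avc:
            perms, scon, tcon, tclass = avc.groups()
            ev.update(perms=perms.split(), src=se_type(scon), tgt=se_type(tcon), tclass=tclass)
        elif rtype == 'SYSCALL':
            ok = re.search(r'\bsuccess=(\w+)', line)
            ev['success'] = ok.group(1) if ok else None
    findings = []
    for event_id, ev in events.items():
        if 'perms' not in ev:
            continue
        findings.append({
            'event': event_id,
            'rule': 'allow %s %s:%s { %s };' % (ev['src'], ev['tgt'], ev['tclass'], ' '.join(ev['perms'])),
            # Denial logged but the syscall succeeded: not enforced (permissive domain).
            'not_enforced': ev.get('success') == 'yes',
            # A port type on a tcp_socket is not a labelled file; restorecon cannot relabel it.
            'target_relabelable': ev['tclass'] in FILE_CLASSES,
        })
    return findings

if __name__ == '__main__':
    for finding in analyse(RAW):
        print(finding)
```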

Comment 2 Miroslav Grepl 2010-06-28 14:44:10 UTC
Fixed in selinux-policy-3.7.19-32.fc13

Comment 3 Fedora Update System 2010-06-30 19:55:18 UTC
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 4 Fedora Update System 2010-07-01 18:49:16 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 5 Fedora Update System 2010-07-06 17:07:35 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.