Bug 623533

Summary: SELinux is preventing "write" access to /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_fi
Product: [Fedora] Fedora
Reporter: Nicolas Berrehouc <nberrehouc>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:d2fcf9cc579fc86cc9daa47e08caf8abfc027139da718c7d4bee1078eb966731
Doc Type: Bug Fix
Last Closed: 2011-06-01 11:42:29 UTC

Description Nicolas Berrehouc 2010-08-12 04:13:48 UTC
Summary:

SELinux is preventing "write" access to
/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu
on fifo_fi

Detailed Description:

[wcg_faah_autodo has a permissive type (boinc_project_t). This access was not
denied.]

SELinux denied access requested by wcg_hfcc_autodo. It is not expected that
this access is required by wcg_hfcc_autodo and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing this additional access request

Allowing Access:

You can generate a local policy module to allow this access -
see the FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please
file a bug report.

Additional Information:

Source Context                system_u:system_r:boinc_project_t:s0
Target Context                system_u:system_r:boinc_project_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        wcg_faah_autodo
Source Path                   /var/lib/boinc/projects/www.worldcommunitygrid.org
                              /wcg_faah_autodock_6.07_i686-pc-linux-gnu
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-44.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.2.4.fc13.i686.PAE #1
                              SMP Fri Jul 23 17:21:06 UTC 2010 i686 i686
Alert Count                   31
First Seen                    Wed 11 Aug 2010 06:36:09 CEST
Last Seen                     Thu 12 Aug 2010 06:09:53 CEST
Local ID                      13a7b866-b604-42bc-baed-d4f416250031
Line Numbers                  

Raw Audit Messages            

node=(supprimé) type=AVC msg=audit(1281586193.815:130): avc:  denied  { write } for  pid=2767 comm="wcg_hfcc_autodo" path="pipe:[29429]" dev=pipefs ino=29429 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=fifo_file

node=(supprimé) type=SYSCALL msg=audit(1281586193.815:130): arch=40000003 syscall=4 success=yes exit=148 a0=8 a1=bf935320 a2=94 a3=bf935320 items=0 ppid=1489 pid=2767 auid=4294967295 uid=492 gid=480 euid=492 suid=492 fsuid=492 egid=480 sgid=480 fsgid=480 tty=(none) ses=4294967295 comm="wcg_hfcc_autodo" exe="/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu" subj=system_u:system_r:boinc_project_t:s0 key=(null)



Hash String generated from  catchall,wcg_faah_autodo,boinc_project_t,boinc_project_t,fifo_file,write
audit2allow suggests:

#============= boinc_project_t ==============
allow boinc_project_t self:fifo_file write;

Comment 1 Nicolas Berrehouc 2010-08-12 04:26:30 UTC
Boinc_client seems to work fine but SELinux always shows this message.
/var/log/messages contains a lot of alerts like:

Aug 12 06:09:20 Hostname setroubleshoot: SELinux empêche l'accès en "read" à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_file. For complete SELinux messages. run sealert -l 62c337c0-553a-4c1e-ae33-370045505045
Aug 12 06:10:08 Hostname setroubleshoot: [dbus.proxies.ERROR] Introspect error on :1.65:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Aug 12 06:10:15 Hostname setroubleshoot: SELinux empêche l'accès en "write" à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_file. For complete SELinux messages. run sealert -l 13a7b866-b604-42bc-baed-d4f416250031
Aug 12 06:10:16 Hostname setroubleshoot: SELinux empêche l'accès en "read" à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_file. For complete SELinux messages. run sealert -l 62c337c0-553a-4c1e-ae33-370045505045

Before the last update all was working fine without Setroubleshoot message.

Comment 2 Miroslav Grepl 2010-08-12 08:18:55 UTC
*** Bug 623534 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2010-08-12 08:23:10 UTC
Boinc runs as permissive domain so nothing is blocked. Thanks for reporting.

Fixed in selinux-policy-3.7.19-46.fc13.

This update is available from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=189375
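
Both the rule suggested in the description and the "nothing is blocked" reply can be read off the raw audit records: the AVC record says `denied`, while the SYSCALL record with the same event ID says `success=yes`. The following is an added example, not part of the bug thread and not code from setroubleshoot or audit2allow; `analyze` and `SAMPLE` are hypothetical names, and the sample is the record pair from the description trimmed to the fields the parser reads.

```python
import re

# Sample input: the AVC/SYSCALL pair from the bug description, trimmed to the
# fields read below (node= prefix and some syscall fields dropped).
SAMPLE = (
    'type=AVC msg=audit(1281586193.815:130): avc:  denied  { write } for  '
    'pid=2767 comm="wcg_hfcc_autodo" path="pipe:[29429]" dev=pipefs ino=29429 '
    'scontext=system_u:system_r:boinc_project_t:s0 '
    'tcontext=system_u:system_r:boinc_project_t:s0 tclass=fifo_file\n'
    'type=SYSCALL msg=audit(1281586193.815:130): arch=40000003 syscall=4 '
    'success=yes exit=148 pid=2767 comm="wcg_hfcc_autodo" '
    'subj=system_u:system_r:boinc_project_t:s0 key=(null)\n'
)

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}.*?'
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
SUCCESS = re.compile(r'\bsuccess=(yes|no)\b')


def analyze(log_text):
    """Pair AVC and SYSCALL records by audit event ID, one finding per denial."""
    denials, succeeded = [], {}
    for line in log_text.splitlines():
        ev = EVENT.search(line)
        if not ev:
            continue
        rtype, event_id = ev.groups()
        avc = AVC.search(line) if rtype == 'AVC' else None
        if avc:
            denials.append((event_id, *avc.groups()))
        elif rtype == 'SYSCALL':
            ok = SUCCESS.search(line)
            succeeded[event_id] = (ok.group(1) == 'yes') if ok else None
    findings = []
    for event_id, perms, scon, tcon, tclass in denials:
        src, tgt = scon.split(':')[2], tcon.split(':')[2]  # user:role:type:level
        plist = perms.split()
        perm = plist[0] if len(plist) == 1 else '{ %s }' % ' '.join(plist)
        target = 'self' if src == tgt else tgt  # same type is written "self"
        findings.append({
            'event': event_id,
            'rule': 'allow %s %s:%s %s;' % (src, target, tclass, perm),
            # A "denied" AVC whose syscall still succeeded was logged but not
            # blocked (permissive domain or permissive mode).
            'syscall_succeeded': succeeded.get(event_id),
        })
    return findings
```

For the sample, `analyze(SAMPLE)` yields the same rule as the audit2allow suggestion in the description, with `syscall_succeeded` set to `True`.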

Comment 4 Nicolas Berrehouc 2010-08-14 14:02:14 UTC
Good job, update works fine.

# yum --enablerepo=updates-testing update selinux-policy

Bug can be closed.

Comment 5 Daniel Walsh 2010-08-15 12:13:05 UTC
Update karma.

Comment 6 Fedora Admin XMLRPC Client 2010-11-08 21:51:00 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Bug Zapper 2011-06-01 11:37:21 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping