Bug 650293

Summary: SELinux empêche l'accès en « read » à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcgrid_cep2_qchem_6.19_i686-pc-linux-gnu on /etc/
Product: [Fedora] Fedora Reporter: Nicolas Berrehouc <nberrehouc>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, kvikende, mgrepl, nberrehouc, pavel.ondracka
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:7c17f4dd969a873bdfc50d837e917825c2a904d54ea10ae1533abb586eccc23c
Fixed In Version: selinux-policy-3.9.7-16.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-13 20:12:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nicolas Berrehouc 2010-11-05 17:42:18 UTC 
Résumé:

SELinux empêche l'accès en « read » à
/var/lib/boinc/projects/www.worldcommunitygrid.org/wcgrid_cep2_qchem_6.19_i686-pc-linux-gnu
on /etc/

Description détaillée:

[wcgrid_cep2_qch a un type permissif (boinc_project_t). Cet accès n'a pas été
refusé.]

SELinux a refusé l'accès demandé par wcgrid_cep2_qch. Il n'est pas prévu que cet
accès soit requis par wcgrid_cep2_qch et cet accès peut signaler une tentative
d'intrusion. Il est également possible que cette version ou cette configuration
spécifique de l'application provoque cette demande d'accès supplémenta

Autoriser l'accès:

Vous pouvez créer un module de stratégie locale pour autoriser cet accès - lisez
la FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Merci de
remplir un rapport de bogue.

Informations complémentaires:

Contexte source               system_u:system_r:boinc_project_t:s0
Contexte cible                unconfined_u:object_r:etc_runtime_t:s0
Objets du contexte            /etc/mtab [ file ]
source                        wcgrid_cep2_qch
Chemin de la source           /var/lib/boinc/projects/www.worldcommunitygrid.org
                              /wcgrid_cep2_qchem_6.19_i686-pc-linux-gnu
Port                          <Inconnu>
Hôte                          (supprimé)
Paquetages RPM source         
Paquetages RPM cible          setup-2.8.23-1.fc14
Politique RPM                 selinux-policy-3.9.7-7.fc14
Selinux activé                True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                 (supprimé)
Plateforme                    Linux (supprimé) 2.6.35.6-48.fc14.x86_64 #1 SMP Fri
                              Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Compteur d'alertes            12
Première alerte               ven. 05 nov. 2010 12:08:53 CET
Dernière alerte               ven. 05 nov. 2010 13:13:19 CET
ID local                      fcc1878e-fd84-4da1-8247-3be427d26fca
Numéros des lignes            

Messages d'audit bruts        

node=(supprimé) type=AVC msg=audit(1288959199.318:92224): avc:  denied  { read } for  pid=6210 comm="wcgrid_cep2_qch" name="mtab" dev=dm-1 ino=270220 scontext=system_u:system_r:boinc_project_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

node=(supprimé) type=AVC msg=audit(1288959199.318:92224): avc:  denied  { open } for  pid=6210 comm="wcgrid_cep2_qch" name="mtab" dev=dm-1 ino=270220 scontext=system_u:system_r:boinc_project_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

node=(supprimé) type=SYSCALL msg=audit(1288959199.318:92224): arch=40000003 syscall=5 per=400000 success=yes exit=7 a0=daf4c68 a1=0 a2=1b6 a3=0 items=0 ppid=6204 pid=6210 auid=4294967295 uid=494 gid=489 euid=494 suid=494 fsuid=494 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="wcgrid_cep2_qch" exe="/var/lib/boinc/projects/www.worldcommunitygrid.org/wcgrid_cep2_qchem_6.19_i686-pc-linux-gnu" subj=system_u:system_r:boinc_project_t:s0 key=(null)



Hash String generated from  catchall,wcgrid_cep2_qch,boinc_project_t,etc_runtime_t,file,read
audit2allow suggests:

#============= boinc_project_t ==============
allow boinc_project_t etc_runtime_t:file { read open };
Comment 1 Miroslav Grepl 2010-11-08 07:59:36 UTC 
*** Bug 650294 has been marked as a duplicate of this bug. ***
Comment 2 Fedora Admin XMLRPC Client 2010-11-08 21:53:20 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Fedora Admin XMLRPC Client 2010-11-08 21:55:32 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Fedora Admin XMLRPC Client 2010-11-08 21:56:32 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 5 Miroslav Grepl 2010-12-09 11:26:32 UTC 
Fixed in selinux-policy-3.9.7-16.fc14
Comment 6 Fedora Update System 2010-12-10 13:54:23 UTC 
selinux-policy-3.9.7-16.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-16.fc14
Comment 7 Fedora Update System 2010-12-10 20:28:49 UTC 
selinux-policy-3.9.7-16.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-16.fc14
Comment 8 Nicolas Berrehouc 2010-12-12 13:05:45 UTC 
Thanks, works fine for me... no more log in /var/log/messages and selinux alert.
Good job !
Comment 9 Daniel Walsh 2010-12-13 14:36:37 UTC 
Please update karma.
Comment 10 Fedora Update System 2010-12-13 20:11:31 UTC 
selinux-policy-3.9.7-16.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.