Bug 678932

Summary: SELinux is preventing /usr/bin/boinc_client from read, write access on the chr_file nvidiactl.
Product: [Fedora] Fedora
Reporter: Pavel Ondračka <pavel.ondracka>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 14
CC: dwalsh, germano.massullo, lukpecyn, marbolangos, mgrepl, pclark
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:48041dab6db03fc33af4270210f346ebbda681bf5017efec5ab3139ad444d382
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-02-21 08:32:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Pavel Ondračka 2011-02-20 22:22:17 UTC
SELinux is preventing /usr/bin/boinc_client from read, write access on the chr_file nvidiactl.

*****  Plugin device (91.4 confidence) suggests  *****************************

If you want to allow boinc_client to have read write access on the nvidiactl chr_file
Then you need to change the label on nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
# restorecon -v 'nvidiactl'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that boinc_client should be allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc_client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           boinc-client-6.10.58-3.r22930svn.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686 #1 SMP Mon Feb 7 07:04:18 UTC 2011 i686 i686
Alert Count                   43
First Seen                    Sun 26 December 2010, 10:31:14 CET
Last Seen                     Sun 20 February 2011, 10:50:03 CET
Local ID                      1ba334e6-5eb9-468c-a008-ac8ae9785c13

Raw Audit Messages
type=AVC msg=audit(1298195403.341:33): avc:  denied  { read write } for  pid=2834 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=14850 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=AVC msg=audit(1298195403.341:33): avc:  denied  { open } for  pid=2834 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=14850 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1298195403.341:33): arch=i386 syscall=open success=yes exit=ENXIO a0=bfa9fec8 a1=8002 a2=0 a3=bfa9fec8 items=0 ppid=1 pid=2834 auid=0 uid=492 gid=487 euid=492 suid=492 fsuid=492 egid=487 sgid=487 fsgid=487 tty=(none) ses=2 comm=boinc_client exe=/usr/bin/boinc_client subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc_client,boinc_t,device_t,chr_file,read,write

audit2allow

#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, devtty_t, initrc_devpts_t

allow boinc_t device_t:chr_file { read write open };

audit2allow -R

#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, devtty_t, initrc_devpts_t

allow boinc_t device_t:chr_file { read write open };

Comment 1 Miroslav Grepl 2011-02-21 08:32:12 UTC
nvidiactl is mislabeled. This device got created with the wrong label.

Run:

restorecon -R -v /dev/nvidiactl

If this happens again after restorecon, please reopen.

Comment 2 Germano Massullo 2011-08-08 11:25:38 UTC
I had this problem until now. I just entered the command you suggested.
But I am thinking about a thing... If since February nvidiactl has the same wrong label, who is responsible? nVidia?

I attach my error

SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 from ioctl access on the chr_file /dev/nvidiactl.

***** Plugin restorecon (90.5 confidence) suggests *************************

If you want to fix the label.
/dev/nvidiactl default label should be xserver_misc_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/nvidiactl

***** Plugin device (9.50 confidence) suggests *****************************

If you want to allow einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 to have ioctl access on the nvidiactl chr_file
Then you need to change the label on /dev/nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/nvidiactl'
# restorecon -v '/dev/nvidiactl'

***** Plugin catchall (1.40 confidence) suggests ***************************

If you believe that einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 should be allowed ioctl access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep einsteinbinary_ /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_project_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/nvidiactl [ chr_file ]
Source                        einsteinbinary_
Source Path                   /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270
Port                          <Unknown>
Host                          Magic-4
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     Magic-4
Platform                      Linux Magic-4 2.6.40-4.fc15.x86_64 #1 SMP Fri Jul 29 18:46:53 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 08 Aug 2011 12:22:06 CEST
Last Seen                     Mon 08 Aug 2011 12:22:31 CEST
Local ID                      01a39def-c41a-4773-b086-e8dfd719104a

Raw Audit Messages
type=AVC msg=audit(1312798951.324:73): avc: denied { ioctl } for pid=2269 comm="einsteinbinary_" path="/dev/nvidiactl" dev=devtmpfs ino=19403 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1312798951.324:73): arch=i386 syscall=setsockopt success=yes exit=0 a0=f a1=c0104652 a2=ffdd3298 a3=f items=0 ppid=2249 pid=2269 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=einsteinbinary_ exe=/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 subj=system_u:system_r:boinc_project_t:s0 key=(null)

Hash: einsteinbinary_,boinc_project_t,device_t,chr_file,ioctl

audit2allow

#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file ioctl;

audit2allow -R

#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file ioctl;

Comment 3 Daniel Walsh 2011-08-08 15:29:36 UTC
Yes, nvidia is causing the device to be created and not setting the label correctly.  For some reason udev is not fixing the label.  In F16 we can tell the kernel to create the device with the correct label, so it should be fixed there.

Comment 4 Germano Massullo 2011-08-08 15:33:16 UTC
Ok, so finally the huge list of SELinux messages about BOINC with nVidia will terminate on Fedora 16

Comment 5 Daniel Walsh 2011-08-08 15:38:39 UTC
We hope so.  :^)

Comment 6 Miroslav Grepl 2011-08-11 08:05:08 UTC
And not only for BOINC ;-).

Comment 7 Germano Massullo 2011-12-08 10:58:41 UTC
Hi, now I am on Fedora 16.
What about the corrected label in the new kernel, as written in comment 3?

Comment 8 Daniel Walsh 2011-12-08 20:11:51 UTC
It should be labeled correctly if you are fully updated.

Comment 9 Germano Massullo 2011-12-08 20:27:16 UTC
I get this message


SELinux is preventing /usr/bin/boinc_client from ioctl access on the chr_file /dev/nvidiactl.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that boinc_client should be allowed ioctl access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc_client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:xserver_misc_device_t:s0
Target Objects                /dev/nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Unknown>
Host                          Magic-4
Source RPM Packages           boinc-client-6.12.35-1.r24014svn.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-64.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     Magic-4
Platform                      Linux Magic-4 3.1.4-1.fc16.x86_64 #1 SMP Tue Nov 29 11:37:53 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 08 Dec 2011 21:25:07 CET
Last Seen                     Thu 08 Dec 2011 21:25:07 CET

Raw Audit Messages
type=AVC msg=audit(1323375907.287:180): avc:  denied  { ioctl } for  pid=7194 comm="boinc_client" path="/dev/nvidiactl" dev=devtmpfs ino=21958 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1323375907.287:180): arch=x86_64 syscall=ioctl success=yes exit=0 a0=6 a1=c04846d2 a2=7fff45ae0c60 a3=0 items=0 ppid=1 pid=7194 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=boinc_client exe=/usr/bin/boinc_client subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc_client,boinc_t,xserver_misc_device_t,chr_file,ioctl

audit2allow

#============= boinc_t ==============
allow boinc_t xserver_misc_device_t:chr_file ioctl;

audit2allow -R

#============= boinc_t ==============
allow boinc_t xserver_misc_device_t:chr_file ioctl;
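The thread applies one rule twice. In comment 1 the denial is against device_t, the generic type a devtmpfs node carries when it was created without the policy's label, so the answer is restorecon rather than a policy change; in comment 9 the same ioctl is denied against xserver_misc_device_t, the label the policy itself intends for /dev/nvidiactl, so the policy is missing the rule (comment 14). The script below is an added example, not code from this report, BOINC, setroubleshoot or selinux-policy. It parses the AVC records quoted in this report, merges permissions per (source type, target type, class) the way audit2allow -M does, classifies each merged rule as a labeling problem or a policy gap, and prints the matching remediation; it goes beyond the page only in that it handles a whole log rather than one alert. Assumptions beyond the page: the GENERIC_TYPES list, that devtmpfs is mounted at /dev (so name="nvidiactl" means /dev/nvidiactl), and the local_<type> module names.

```python
"""Triage SELinux AVC denials: labeling problem or missing policy rule?"""
import re
from collections import defaultdict

# Generic fallback types: a node created by the kernel/udev without the
# policy's label on devtmpfs shows up as device_t. A denial against one of
# these means "fix the label", not "add an allow rule". (Assumption: this
# short list covers this report; a real tool would read it from the policy.)
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t", "file_t"}

AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*)\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'(?:\s+(?:name|path)="(?P<obj>[^"]*)")?(?:\s+dev=(?P<dev>\S+))?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Records copied from this report (description, comment 2, comment 9); the
# SYSCALL line is included to show that non-AVC records are ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1298195403.341:33): avc:  denied  { read write } for  pid=2834 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=14850 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1298195403.341:33): avc:  denied  { open } for  pid=2834 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=14850 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1298195403.341:33): arch=i386 syscall=open success=yes exit=ENXIO a0=bfa9fec8 a1=8002 a2=0 a3=bfa9fec8 items=0 ppid=1 pid=2834 auid=0 uid=492 gid=487 euid=492 suid=492 fsuid=492 egid=487 sgid=487 fsgid=487 tty=(none) ses=2 comm=boinc_client exe=/usr/bin/boinc_client subj=system_u:system_r:boinc_t:s0 key=(null)
type=AVC msg=audit(1312798951.324:73): avc: denied { ioctl } for pid=2269 comm="einsteinbinary_" path="/dev/nvidiactl" dev=devtmpfs ino=19403 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1323375907.287:180): avc:  denied  { ioctl } for  pid=7194 comm="boinc_client" path="/dev/nvidiactl" dev=devtmpfs ino=21958 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
"""


def object_path(rec):
    """name= is only the dentry name; on devtmpfs the node lives under /dev
    (assumption: devtmpfs is mounted at /dev, the Fedora default)."""
    obj = rec["obj"]
    if obj and not obj.startswith("/") and rec["dev"] == "devtmpfs":
        return "/dev/" + obj
    return obj


def parse_avc(lines):
    """Yield one dict per AVC record; SYSCALL and other record types are skipped."""
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = frozenset(rec["perms"].split())
            rec["path"] = object_path(rec)
            yield rec


def type_of(context):
    """'system_u:object_r:device_t:s0' -> 'device_t'"""
    return context.split(":")[2]


def triage(lines):
    """Merge denials per (source type, target type, class) as audit2allow
    does, then classify each merged rule as mislabeled or policy-gap."""
    perms, paths = defaultdict(set), defaultdict(set)
    for rec in parse_avc(lines):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key] |= rec["perms"]
        if rec["path"]:
            paths[key].add(rec["path"])
    findings = []
    for key in sorted(perms):
        stype, ttype, tclass = key
        plist = sorted(perms[key])
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        findings.append({
            "stype": stype, "ttype": ttype, "tclass": tclass,
            "perms": plist, "paths": sorted(paths[key]),
            "rule": "allow %s %s:%s %s;" % (stype, ttype, tclass, body),
            "verdict": "mislabeled" if ttype in GENERIC_TYPES else "policy-gap",
        })
    return findings


def remediation(finding):
    """Shell commands for one finding, mirroring comments 1, 10 and 12."""
    if finding["verdict"] == "mislabeled":
        # Do not install the allow rule against device_t: it would let the
        # domain reach every node that ever comes up unlabeled. Relabel instead.
        cmds = []
        for p in finding["paths"]:
            cmds.append("restorecon -v %s" % p)
            cmds.append("matchpathcon %s && ls -Z %s   # should now agree" % (p, p))
        return cmds
    # Target already carries its intended type: the policy lacks the rule.
    s = finding["stype"]
    return [
        "# missing rule: " + finding["rule"],
        "grep ':%s:' /var/log/audit/audit.log | audit2allow -M local_%s" % (s, s),
        "semodule -i local_%s.pp   # stopgap; report against selinux-policy" % s,
    ]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print("%-11s %s" % (f["verdict"], f["rule"]))
        for cmd in remediation(f):
            print("    " + cmd)
```

Run it as-is to get the three findings from this report; to use it on a machine, feed it the lines of /var/log/audit/audit.log instead of SAMPLE_LOG. The refusal in remediation() is the point: the rule audit2allow prints for a device_t target ("allow boinc_t device_t:chr_file { read write open };") must not be installed, because it would grant the domain access to any device node that ever comes up unlabeled; the "!!!!" note in the audit2allow output above, listing the chr_file types boinc_t can already write, is audit2allow's own hint that the target is probably mislabeled. One caveat when reading the SYSCALL record in comment 2: it shows arch=i386 syscall=setsockopt for what the AVC says is an ioctl. The einstein binary is a 32-bit (i686) program on an x86_64 kernel, and syscall number 54 is ioctl in the i386 table but setsockopt in the x86_64 table, so the name was decoded with the wrong table; trust the AVC's permission, not the decoded syscall name.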

Comment 10 Miroslav Grepl 2011-12-14 11:44:11 UTC
F14 is no longer supported. You can allow it using 

# grep boinc_client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

or update to a newer release.

Comment 11 Germano Massullo 2011-12-20 09:21:40 UTC
My last comment was about Fedora 16.
I will open a new bug report about Fedora 16.

Comment 12 Miroslav Grepl 2011-12-20 14:06:46 UTC
How is /usr/bin/boinc_client labeled?

# ls -Z /usr/bin/boinc_client

# matchpathcon /usr/bin/boinc_client

Comment 13 Germano Massullo 2011-12-20 15:27:18 UTC
-rwxr-xr-x. root root system_u:object_r:boinc_exec_t:s0 /usr/bin/boinc_client

/usr/bin/boinc_client   system_u:object_r:boinc_exec_t:s0

Comment 14 Miroslav Grepl 2011-12-21 10:59:19 UTC
Ok, I need to fix it.