Bug 704917

Summary: Tasks fail with 'computation error' due to wrong context on pki database
Product: [Fedora] Fedora Reporter: Jamie Anderson <jamie+rhbugz>
Component: boinc-clientAssignee: Milos Jakubicek <xjakub>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 14CC: cheekyboinc, mmahut, xjakub
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-08-21 07:52:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
All the AVC messages from audit.log
none
SELinux Type Enforcement file for additional permissions requested by boinc-client none

Description Jamie Anderson 2011-05-16 00:47:57 UTC 
Description of problem:
After installing boinc-client and attaching to a project (World Community Grid) tasks would download and then immediately finish with a status of 'computation error'. On a whim, I tried turning off SELinux with 'sudo setenforce 0' and then restarting the boinc-client service, and projects were able to run. Then I did the following:

jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo restorecon -rv /var/lib/boinc
restorecon reset /var/lib/boinc/.pki context unconfined_u:object_r:boinc_project_var_lib_t:s0->system_u:object_r:boinc_var_lib_t:s0
restorecon reset /var/lib/boinc/.pki/nssdb context unconfined_u:object_r:boinc_project_var_lib_t:s0->system_u:object_r:boinc_var_lib_t:s0
jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo setenforce 1
jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo service boinc-client restart
Stopping boinc-client:                                     [  OK  ]
Starting boinc-client:                                     [  OK  ]
jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ 


After that, projects still seem to be running, although I suppose I may not know for sure until one finishes. :)


Version-Release number of selected component (if applicable):
boinc-client-6.10.58-3.r22930svn.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
1. install and start boinc-client
2. attach to a project
3.
  
Actual results:
work units fail immediately with 'computation error' and 'output file absent' error messages

Expected results:
work units would run to completion and upload results to the project server

Additional info:
Comment 1 Milos Jakubicek 2011-05-16 05:47:02 UTC 
Hello,

would you please attach /var/log/audit/audit.log? It should contain SELinux AVC messages from the time when the denials occurred.
Comment 2 Jamie Anderson 2011-05-18 03:28:45 UTC 
Created attachment 499511 [details]
All the AVC messages from audit.log

selinux-policy-3.9.7-40.fc14.noarch
selinux-policy-targeted-3.9.7-40.fc14.noarch
boinc-client-6.10.58-3.r22930svn.fc14.x86_64
Comment 3 Jamie Anderson 2011-05-23 14:24:50 UTC 
After a few iterations of using audit2allow to generate a policy module and restarting the client, I ended up with things appearing to work. I will attach the type enforcement file I used to create the module for your review. As an aside, I still get an AVC related to /lib/ld-2.13.so requesting execstack whenever I restart the BOINC client, but I have not allowed that at this point.

Would it make sense to change the component on the bug from boinc-client to selinux-policy-targeted?
Comment 4 Jamie Anderson 2011-05-23 14:26:04 UTC 
Created attachment 500447 [details]
SELinux Type Enforcement file for additional permissions requested by boinc-client
Comment 5 Milos Jakubicek 2011-08-20 12:17:11 UTC 
Jamie, can you still reproduce with current selinux-policy (I can't)?
Comment 6 Jamie Anderson 2011-08-21 03:36:41 UTC 
No, I believe everything is fine now.