Bug 770148
Summary: | SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu from 'getattr' accesses on the file /etc/localtime. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Robert Kief <robert.l.kief> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 16 | CC: | devonjanitz, dominick.grift, dwalsh, germano.massullo, jorti, marco, mattia.verga, mgrepl, trweniger, westbb |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:fdff591905713c090c129151df423c8444067e9267865fac12d3477550c4c44c | | |
Fixed In Version: | selinux-policy-3.10.0-69.fc16 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-12-30 01:01:59 UTC | Type: | --- |
Description
Robert Kief
2011-12-23 16:11:07 UTC
I apologize, there is a bug in the boinc policy which has been re-written. I am fixing it right now.

*** Bug 770149 has been marked as a duplicate of this bug. ***
*** Bug 770150 has been marked as a duplicate of this bug. ***
*** Bug 770175 has been marked as a duplicate of this bug. ***
*** Bug 770176 has been marked as a duplicate of this bug. ***
*** Bug 770205 has been marked as a duplicate of this bug. ***
*** Bug 770225 has been marked as a duplicate of this bug. ***
*** Bug 770226 has been marked as a duplicate of this bug. ***
*** Bug 770151 has been marked as a duplicate of this bug. ***
*** Bug 770241 has been marked as a duplicate of this bug. ***

You can use a new build from koji for now
http://koji.fedoraproject.org/koji/buildinfo?buildID=280140

*** Bug 770297 has been marked as a duplicate of this bug. ***

selinux-policy-3.10.0-69.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-69.fc16

Regarding comment 11, I attempted to update selinux-policy-3.10.0-67.fc16 to selinux-policy-3.10.0-69.fc16. My install includes selinux-policy-3.10.0-67.fc16.noarch and selinux-policy-targeted-3.10.0-67.fc16.noarch only.

I attempted to install selinux-policy-3.10.0-69.fc16.noarch.rpm which failed, resulting in this error message:

selinux-policy-targeted-3.10.0-67.fc16.noarch requires selinux-policy = 3.10.0-67.fc16

I also attempted to install selinux-policy-3.10.0-69.fc16.src.rpm which failed with this error message:

The package that is trying to be installed is incompatible with this system.
Package /tmp/selinux-policy-3.10.0-69.fc16.src-1.rpm has incompatible architecture src. Valid architectures are ['ia32e', 'x86_64', 'athlon', 'i686', 'i586', 'i486', 'i386', 'noarch']

Please advise.
Thank you, RLK

Package selinux-policy-3.10.0-69.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-69.fc16'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17464/selinux-policy-3.10.0-69.fc16
then log in and leave karma (feedback).

The update isn't available right now, but I'll keep checking and install it ASAP.
Thanks, RLK

*** Bug 770457 has been marked as a duplicate of this bug. ***
*** Bug 770456 has been marked as a duplicate of this bug. ***
*** Bug 770454 has been marked as a duplicate of this bug. ***
*** Bug 770453 has been marked as a duplicate of this bug. ***
*** Bug 770452 has been marked as a duplicate of this bug. ***
*** Bug 770323 has been marked as a duplicate of this bug. ***
*** Bug 770322 has been marked as a duplicate of this bug. ***
*** Bug 770320 has been marked as a duplicate of this bug. ***
*** Bug 770319 has been marked as a duplicate of this bug. ***
*** Bug 770318 has been marked as a duplicate of this bug. ***
*** Bug 770317 has been marked as a duplicate of this bug. ***
*** Bug 770315 has been marked as a duplicate of this bug. ***
*** Bug 770316 has been marked as a duplicate of this bug. ***
*** Bug 770242 has been marked as a duplicate of this bug. ***
*** Bug 770224 has been marked as a duplicate of this bug. ***

I just finished installing the update per Comment 15. When the install completed, my H/D finally stopped rattling and BOINC is back and apparently running normally. The nine alerts have slowly disappeared from the Alert Browser. I'll check it again in the morning.
Thank you, RLK

BOINC appears to be running normally with the possible exception of Einstein@Home. The Einstein@Home project on my computer has displayed "Communication Deferred" since I installed the updates. The other two projects are functioning normally. On the Einstein@Home site, they indicate three "Work Generator" servers down, but one is up and running.
All of their other servers are functioning normally. I don't know if the "Communication Deferred" message is an Einstein@Home issue or a continuing problem caused by this bug. No new SELinux bugs have appeared since I installed the updates.
RLK

selinux-policy-3.10.0-69.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

I may not have this right, but I think it is still a problem under Fedora 17.

SELinux is preventing /usr/lib/virtualbox/VBoxManage from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage.

***** Plugin restorecon (93.9 confidence) suggests *************************

If you want to fix the label.
/usr/lib/virtualbox/VBoxManage default label should be bin_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage

***** Plugin leaks (6.10 confidence) suggests ******************************

If you want to ignore VBoxManage trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib/virtualbox/VBoxManage /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (1.43 confidence) suggests ***************************

If you believe that VBoxManage should be allowed execute_no_trans access on the VBoxManage file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep VBoxManage /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:textrel_shlib_t:s0
Target Objects                /usr/lib/virtualbox/VBoxManage [ file ]
Source                        VBoxManage
Source Path                   /usr/lib/virtualbox/VBoxManage
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64
Target RPM Packages           VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux fisc-dcj-xpsf 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 06 Jun 2012 12:39:33 AM EDT
Last Seen                     Wed 06 Jun 2012 12:39:33 AM EDT
Local ID                      6c53e056-a53d-4283-b58d-7ae61a287d02

Raw Audit Messages
type=AVC msg=audit(1338957573.947:96): avc: denied { execute_no_trans } for pid=2120 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=3158964 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file

type=SYSCALL msg=audit(1338957573.947:96): arch=x86_64 syscall=execve success=yes exit=0 a0=2172180 a1=21720d0 a2=2171100 a3=18 items=0 ppid=2115 pid=2120 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=VBoxManage exe=/usr/lib/virtualbox/VBoxManage subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: VBoxManage,boinc_t,textrel_shlib_t,file,execute_no_trans

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
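
A triage sketch for the alert above, added here and not part of the original bug report or of setroubleshoot: it pairs each AVC record with the SYSCALL record that shares its event id and reduces every denial to the fields listed on the report's `Hash:` line, so repeats of one policy gap collapse into a single count. The sample lines are constructed from the two records quoted above (fields trimmed, plus one invented repeat), and reading `success=yes` as "logged but not enforced" is a heuristic assumption.

```python
import re
from collections import Counter

# Constructed sample: the AVC/SYSCALL pair quoted in the report (fields
# trimmed), plus one constructed repeat under a later event serial.
SAMPLE = """\
type=AVC msg=audit(1338957573.947:96): avc: denied { execute_no_trans } for pid=2120 comm="sh" path="/usr/lib/virtualbox/VBoxManage" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
type=SYSCALL msg=audit(1338957573.947:96): arch=x86_64 syscall=execve success=yes exit=0 pid=2120 comm=VBoxManage exe=/usr/lib/virtualbox/VBoxManage subj=system_u:system_r:boinc_t:s0
type=AVC msg=audit(1338957699.120:131): avc: denied { execute_no_trans } for pid=2301 comm="sh" path="/usr/lib/virtualbox/VBoxManage" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
type=SYSCALL msg=audit(1338957699.120:131): arch=x86_64 syscall=execve success=yes exit=0 pid=2301 comm=VBoxManage exe=/usr/lib/virtualbox/VBoxManage subj=system_u:system_r:boinc_t:s0
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group AVC and SYSCALL records by audit event id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        ev = events.setdefault(event_id, {"AVC": [], "SYSCALL": {}})
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
            ev["AVC"].append(fields)
        elif rtype == "SYSCALL":
            ev["SYSCALL"] = fields
    return events

def signatures(events):
    """Yield (comm, source type, target type, class, perm, enforced)."""
    for ev in events.values():
        sc = ev["SYSCALL"]
        # Heuristic: the syscall succeeded despite the denial, so the denial
        # was only logged (permissive); None when no SYSCALL record exists.
        enforced = sc.get("success") != "yes" if sc else None
        for avc in ev["AVC"]:
            comm = sc.get("comm") or avc.get("comm")
            stype, ttype = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
            for perm in avc["perms"]:
                yield (comm, stype, ttype, avc["tclass"], perm, enforced)

def summarize(text):
    """Count denials per signature so duplicates of one gap stand out."""
    return Counter(signatures(parse_events(text)))
```

The AVC record alone names `comm="sh"`; only the paired SYSCALL record gives `VBoxManage`, which is the value the report's `Hash:` line carries.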