Bug 770148

Summary: SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu from 'getattr' accesses on the file /etc/localtime.
Product: Fedora
Reporter: Robert Kief <robert.l.kief>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: devonjanitz, dominick.grift, dwalsh, germano.massullo, jorti, marco, mattia.verga, mgrepl, trweniger, westbb
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:fdff591905713c090c129151df423c8444067e9267865fac12d3477550c4c44c
Fixed In Version: selinux-policy-3.10.0-69.fc16
Doc Type: Bug Fix
Last Closed: 2011-12-30 01:01:59 UTC

Description Robert Kief 2011-12-23 16:11:07 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.5-2.fc16.x86_64
reason:         SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu from 'getattr' accesses on the file /etc/localtime.
time:           Fri 23 Dec 2011 10:10:33 AM CST

description:
:SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu from 'getattr' accesses on the file /etc/localtime.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that einstein_S6Bucket_1.01_x86_64-pc-linux-gnu should be allowed getattr access on the localtime file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep einstein_S6Buck /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:boinc_project_t:s0
:Target Context                system_u:object_r:locale_t:s0
:Target Objects                /etc/localtime [ file ]
:Source                        einstein_S6Buck
:Source Path                   /var/lib/boinc/projects/einstein.phys.uwm.edu/eins
:                              tein_S6Bucket_1.01_x86_64-pc-linux-gnu
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           glibc-2.14.90-21
:Policy RPM                    selinux-policy-3.10.0-67.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.5-2.fc16.x86_64 #1 SMP
:                              Mon Dec 12 21:25:51 UTC 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Fri 23 Dec 2011 09:55:52 AM CST
:Last Seen                     Fri 23 Dec 2011 09:55:54 AM CST
:Local ID                      bef0c3ce-57c9-4b35-89cb-8cd31dcc6736
:
:Raw Audit Messages
:type=AVC msg=audit(1324655754.940:1391): avc:  denied  { getattr } for  pid=28884 comm="einstein_S6Buck" path="/etc/localtime" dev=dm-1 ino=1719485 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1324655754.940:1391): arch=x86_64 syscall=stat success=no exit=EACCES a0=3a2777208a a1=7fff2af03e80 a2=7fff2af03e80 a3=0 items=0 ppid=11638 pid=28884 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=einstein_S6Buck exe=/var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null)
:
:Hash: einstein_S6Buck,boinc_project_t,locale_t,file,getattr
:
:audit2allow
:
:#============= boinc_project_t ==============
:allow boinc_project_t locale_t:file getattr;
:
:audit2allow -R
:
:#============= boinc_project_t ==============
:allow boinc_project_t locale_t:file getattr;
:

Comment 1 Miroslav Grepl 2011-12-25 18:12:47 UTC
I apologize, there is a bug in the boinc policy which has been re-written. I am fixing it right now.

Comment 2 Miroslav Grepl 2011-12-25 18:13:14 UTC
*** Bug 770149 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2011-12-25 18:14:47 UTC
*** Bug 770150 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2011-12-25 18:15:09 UTC
*** Bug 770175 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2011-12-25 18:15:30 UTC
*** Bug 770176 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2011-12-25 18:15:48 UTC
*** Bug 770205 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2011-12-25 18:16:14 UTC
*** Bug 770225 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2011-12-25 18:16:38 UTC
*** Bug 770226 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2011-12-25 18:17:18 UTC
*** Bug 770151 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2011-12-25 18:17:52 UTC
*** Bug 770241 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2011-12-25 19:25:14 UTC
You can use a new build from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=280140

Comment 12 Miroslav Grepl 2011-12-25 22:38:23 UTC
*** Bug 770297 has been marked as a duplicate of this bug. ***

Comment 13 Fedora Update System 2011-12-25 22:41:52 UTC
selinux-policy-3.10.0-69.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-69.fc16

Comment 14 Robert Kief 2011-12-26 04:19:29 UTC
Regarding comment 11, I attempted to update selinux-policy-3.10.0-67.fc16 to selinux-policy-3.10.0-69.fc16.  My install includes selinux-policy-3.10.0-67.fc16.noarch and selinux-policy-targeted-3.10.0-67.fc16.noarch only.  I attempted to install selinux-policy-3.10.0-69.fc16.noarch.rpm which failed, resulting in this error message:

selinux-policy-targeted-3.10.0-67.fc16.noarch requires selinux-policy = 3.10.0-67.fc16

I also attempted to install selinux-policy-3.10.0-69.fc16.src.rpm which failed with this error message:

The package that is trying to be installed is incompatible with this system.

Package /tmp/selinux-policy-3.10.0-69.fc16.src-1.rpm has incompatible architecture src. Valid architectures are ['ia32e', 'x86_64', 'athlon', 'i686', 'i586', 'i486', 'i386', 'noarch']

Please advise.

Thank you,

RLK

Comment 15 Fedora Update System 2011-12-26 19:18:57 UTC
Package selinux-policy-3.10.0-69.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-69.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17464/selinux-policy-3.10.0-69.fc16
then log in and leave karma (feedback).

Comment 16 Robert Kief 2011-12-26 19:29:48 UTC
The update isn't available right now, but I'll keep checking and install it ASAP.

Thanks,

RLK

Comment 17 Miroslav Grepl 2011-12-26 22:30:12 UTC
*** Bug 770457 has been marked as a duplicate of this bug. ***

Comment 18 Miroslav Grepl 2011-12-26 22:30:36 UTC
*** Bug 770456 has been marked as a duplicate of this bug. ***

Comment 19 Miroslav Grepl 2011-12-26 22:31:14 UTC
*** Bug 770454 has been marked as a duplicate of this bug. ***

Comment 20 Miroslav Grepl 2011-12-26 22:31:49 UTC
*** Bug 770453 has been marked as a duplicate of this bug. ***

Comment 21 Miroslav Grepl 2011-12-26 22:32:19 UTC
*** Bug 770452 has been marked as a duplicate of this bug. ***

Comment 22 Miroslav Grepl 2011-12-26 22:32:43 UTC
*** Bug 770323 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2011-12-26 22:33:36 UTC
*** Bug 770322 has been marked as a duplicate of this bug. ***

Comment 24 Miroslav Grepl 2011-12-26 22:34:49 UTC
*** Bug 770320 has been marked as a duplicate of this bug. ***

Comment 25 Miroslav Grepl 2011-12-26 22:35:17 UTC
*** Bug 770319 has been marked as a duplicate of this bug. ***

Comment 26 Miroslav Grepl 2011-12-26 22:38:43 UTC
*** Bug 770318 has been marked as a duplicate of this bug. ***

Comment 27 Miroslav Grepl 2011-12-26 22:39:22 UTC
*** Bug 770317 has been marked as a duplicate of this bug. ***

Comment 28 Miroslav Grepl 2011-12-26 22:40:00 UTC
*** Bug 770315 has been marked as a duplicate of this bug. ***

Comment 29 Miroslav Grepl 2011-12-26 22:40:25 UTC
*** Bug 770316 has been marked as a duplicate of this bug. ***

Comment 30 Miroslav Grepl 2011-12-26 22:41:20 UTC
*** Bug 770242 has been marked as a duplicate of this bug. ***

Comment 31 Miroslav Grepl 2011-12-26 22:41:43 UTC
*** Bug 770224 has been marked as a duplicate of this bug. ***

Comment 32 Robert Kief 2011-12-27 06:24:45 UTC
I just finished installing the update per Comment 15.  When the install completed, my H/D finally stopped rattling and BOINC is back and apparently running normally.  The nine alerts have slowly disappeared from the Alert Browser.  I'll check it again in the morning.

Thank you,

RLK

Comment 33 Robert Kief 2011-12-28 18:32:01 UTC
BOINC appears to be running normally with the possible exception of Einstein@Home.  The Einstein@Home project on my computer has displayed "Communication Deferred" since I installed the updates.  The other two projects are functioning normally.  On the Einstein@Home site, they indicate three "Work Generator" servers down, but one is up and running.  All of their other servers are functioning normally.  I don't know if the "Communication Deferred" message is an Einstein@Home issue or a continuing problem caused by this bug.

No new SELinux bugs have appeared since I installed the updates.

RLK

Comment 34 Fedora Update System 2011-12-30 01:01:59 UTC
selinux-policy-3.10.0-69.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 35 Devon Janitz 2012-06-06 04:46:27 UTC
I may not have this right, but I think it is still a problem under Fedora 17.

SELinux is preventing /usr/lib/virtualbox/VBoxManage from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage.

*****  Plugin restorecon (93.9 confidence) suggests  *************************

If you want to fix the label. 
/usr/lib/virtualbox/VBoxManage default label should be bin_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage

*****  Plugin leaks (6.10 confidence) suggests  ******************************

If you want to ignore VBoxManage trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib/virtualbox/VBoxManage /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (1.43 confidence) suggests  ***************************

If you believe that VBoxManage should be allowed execute_no_trans access on the VBoxManage file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep VBoxManage /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:textrel_shlib_t:s0
Target Objects                /usr/lib/virtualbox/VBoxManage [ file ]
Source                        VBoxManage
Source Path                   /usr/lib/virtualbox/VBoxManage
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64
Target RPM Packages           VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux fisc-dcj-xpsf 3.3.7-1.fc17.x86_64 #1 SMP Mon
                              May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 06 Jun 2012 12:39:33 AM EDT
Last Seen                     Wed 06 Jun 2012 12:39:33 AM EDT
Local ID                      6c53e056-a53d-4283-b58d-7ae61a287d02

Raw Audit Messages
type=AVC msg=audit(1338957573.947:96): avc:  denied  { execute_no_trans } for  pid=2120 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=3158964 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file


type=SYSCALL msg=audit(1338957573.947:96): arch=x86_64 syscall=execve success=yes exit=0 a0=2172180 a1=21720d0 a2=2171100 a3=18 items=0 ppid=2115 pid=2120 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=VBoxManage exe=/usr/lib/virtualbox/VBoxManage subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: VBoxManage,boinc_t,textrel_shlib_t,file,execute_no_trans

audit2allow
unable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -R
unable to open /sys/fs/selinux/policy:  Permission denied
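Added example, not part of this bug report or of setroubleshoot/audit2allow: a small Python script that reproduces, from the two raw AVC records on this page (the Description's /etc/localtime denial and Comment 35's VBoxManage denial), what setroubleshoot shows for them, the audit2allow rule and the "Hash:" key, and then triages each denial as either a mislabeled file (Comment 35, where the restorecon plugin says the default label is bin_t) or a real policy gap (the Description, which was fixed in selinux-policy-3.10.0-69.fc16). The regexes, the field merging, the preference for the SYSCALL record's comm as the Source name and the DEFAULT_LABELS table are my approximations of setroubleshoot's behaviour, not its code; the SYSCALL sample lines are abridged copies of the page's records.

```python
import re
# Constructed sample: this bug's two denials (Description, Comment 35) as AVC + SYSCALL
# record pairs. AVC lines are verbatim from the report; SYSCALL lines are abridged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1324655754.940:1391): avc:  denied  { getattr } for  pid=28884 comm="einstein_S6Buck" path="/etc/localtime" dev=dm-1 ino=1719485 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1324655754.940:1391): arch=x86_64 syscall=stat success=no exit=EACCES pid=28884 comm=einstein_S6Buck exe=/var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1338957573.947:96): avc:  denied  { execute_no_trans } for  pid=2120 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=3158964 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
type=SYSCALL msg=audit(1338957573.947:96): arch=x86_64 syscall=execve success=yes exit=0 pid=2120 comm=VBoxManage exe=/usr/lib/virtualbox/VBoxManage subj=system_u:system_r:boinc_t:s0 key=(null)
"""

AVC_RE = re.compile(r"^type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
SYSCALL_RE = re.compile(r"^type=SYSCALL msg=audit\([\d.]+:(\d+)\):\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # k=v or k="v" audit fields

def type_of(context): return context.split(":")[2]  # system_u:system_r:boinc_t:s0 -> boinc_t

def parse_denials(log):
    """Join AVC and SYSCALL records by audit serial; returns one dict per denial."""
    denials = {}
    for line in log.splitlines():
        if m := AVC_RE.match(line):
            serial, perms, rest = m.groups()
            d = denials.setdefault(serial, {"perms": []})
            d["perms"] += perms.split()
            d.update({k: v.strip('"') for k, v in FIELD_RE.findall(rest)})
        elif m := SYSCALL_RE.match(line):
            serial, rest = m.groups()
            # setroubleshoot names the Source after the process: in Comment 35 the AVC
            # says comm="sh" while the SYSCALL says comm=VBoxManage, so keep the latter.
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
            denials.setdefault(serial, {"perms": []})["source"] = fields.get("comm")
    return list(denials.values())

def allow_rule(d):
    """The TE rule audit2allow prints for the denial (braces only for several perms)."""
    p = d["perms"]
    perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {type_of(d['scontext'])} {type_of(d['tcontext'])}:{d['tclass']} {perms};"

def alert_hash(d):
    """setroubleshoot's 'Hash:' line: source,source type,target type,class,perm[,perm]."""
    src = d.get("source") or d["comm"]
    return ",".join([src, type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"]] + d["perms"])

# Constructed from Comment 35's restorecon plugin output; a real check would consult the
# file_contexts database (matchpathcon) instead of a hand-written table.
DEFAULT_LABELS = {"/usr/lib/virtualbox/VBoxManage": "bin_t"}

def triage(d, default_labels=DEFAULT_LABELS):
    """Mislabeled target: fix the label. Otherwise a policy gap: report it; the
    audit2allow module is a stopgap until the fixed selinux-policy lands."""
    expected = default_labels.get(d.get("path"))
    if expected and expected != type_of(d["tcontext"]):
        return "relabel", f"restorecon -v {d['path']}"
    return "policy", allow_rule(d)
```

Running `parse_denials(SAMPLE_AUDIT_LOG)` and feeding each denial to `alert_hash` and `triage` reproduces the two "Hash:" lines on this page and recommends restorecon for the VBoxManage case and an allow rule (plus a bug report) for the /etc/localtime case.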