Bug 789279
| Summary: | SELinux makes BOINC fail GPU calculus | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Germano Massullo (Thetra) <germano.massullo> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.10.0-84.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-04-22 03:36:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Germano Massullo (Thetra)
2012-02-10 09:37:53 UTC
Is auditd daemon running?
$ systemctl status auditd.status
If yes what does
$ ausearch -m user_avc

$ systemctl status auditd.status
Failed to issue method call: Unit name auditd.status is not valid.

Grift in #fedora-selinux suggested that I do: semodule -DB, reproduce the bug by switching to enforcing mode, semodule -B, ausearch -m avc -ts recent, and this is the output:
----
time->Fri Feb 10 18:08:33 2012
type=SYSCALL msg=audit(1328893713.748:183): arch=c000003e syscall=59 success=yes exit=0 a0=7f109166aa40 a1=7f109cddc9c0 a2=0 a3=662f73747865746e items=0 ppid=6849 pid=6870 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893713.748:183): avc: denied { noatsecure } for pid=6870 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893713.748:183): avc: denied { siginh } for pid=6870 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893713.748:183): avc: denied { rlimitinh } for pid=6870 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Feb 10 18:08:47 2012
type=SYSCALL msg=audit(1328893727.250:184): arch=c000003e syscall=59 success=yes exit=0 a0=170c850 a1=170c770 a2=170b010 a3=15 items=0 ppid=6874 pid=6875 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893727.250:184): avc: denied { noatsecure } for pid=6875 comm="fprintd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893727.250:184): avc: denied { siginh } for pid=6875 comm="fprintd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893727.250:184): avc: denied { rlimitinh } for pid=6875 comm="fprintd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Feb 10 18:09:01 2012
type=SYSCALL msg=audit(1328893741.133:189): arch=c000003e syscall=59 success=yes exit=0 a0=1bdef70 a1=1bdf250 a2=1bddf00 a3=18 items=0 ppid=6883 pid=6885 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893741.133:189): avc: denied { write } for pid=6885 comm="semodule" path="/home/caterpillar/.xsession-errors" dev=sdd1 ino=262413 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
----
time->Fri Feb 10 18:09:48 2012
type=SYSCALL msg=audit(1328893788.019:197): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183bab0 a3=732f73652e736976 items=0 ppid=6945 pid=6956 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="sanidad_1.01_i6" exe="/var/lib/boinc/projects/registro.ibercivis.es/sanidad_1.01_i686-pc-linux-gnu" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893788.019:197): avc: denied { noatsecure } for pid=6956 comm="sanidad_1.01_i6" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.019:197): avc: denied { siginh } for pid=6956 comm="sanidad_1.01_i6" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.019:197): avc: denied { rlimitinh } for pid=6956 comm="sanidad_1.01_i6" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.019:197): avc: denied { read write } for pid=6956 comm="sanidad_1.01_i6" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:48 2012
type=SYSCALL msg=audit(1328893788.016:198): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1822810 a3=6e696c2d63702d36 items=0 ppid=6945 pid=6955 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="wcgrid_cep2_6.4" exe="/var/lib/boinc/projects/www.worldcommunitygrid.org/wcgrid_cep2_6.40_i686-pc-linux-gnu" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893788.016:198): avc: denied { noatsecure } for pid=6955 comm="wcgrid_cep2_6.4" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.016:198): avc: denied { siginh } for pid=6955 comm="wcgrid_cep2_6.4" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.016:198): avc: denied { rlimitinh } for pid=6955 comm="wcgrid_cep2_6.4" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.016:198): avc: denied { read write } for pid=6955 comm="wcgrid_cep2_6.4" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:48 2012
type=SYSCALL msg=audit(1328893788.300:199): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183bc70 a3=2d63702d36383669 items=0 ppid=6945 pid=6960 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893788.300:199): avc: denied { noatsecure } for pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc: denied { siginh } for pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc: denied { rlimitinh } for pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc: denied { read write } for pid=6960 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:49 2012
type=SYSCALL msg=audit(1328893789.874:201): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1822780 a3=2d63702d36383669 items=0 ppid=6945 pid=6966 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893789.874:201): avc: denied { noatsecure } for pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc: denied { siginh } for pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc: denied { rlimitinh } for pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc: denied { read write } for pid=6966 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893789.874:201): avc: denied { read write } for pid=6966 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:51 2012
type=SYSCALL msg=audit(1328893791.348:202): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183cd20 a3=2d63702d36383669 items=0 ppid=6945 pid=6968 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893791.348:202): avc: denied { noatsecure } for pid=6968 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893791.348:202): avc: denied { siginh } for pid=6968 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893791.348:202): avc: denied { rlimitinh } for pid=6968 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893791.348:202): avc: denied { read write } for pid=6968 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893791.348:202): avc: denied { read write } for pid=6968 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893791.348:202): avc: denied { read write } for pid=6968 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:52 2012
type=SYSCALL msg=audit(1328893792.741:204): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1838ed0 a3=2d63702d36383669 items=0 ppid=6945 pid=6969 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893792.741:204): avc: denied { noatsecure } for pid=6969 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893792.741:204): avc: denied { siginh } for pid=6969 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893792.741:204): avc: denied { rlimitinh } for pid=6969 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893792.741:204): avc: denied { read write } for pid=6969 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893792.741:204): avc: denied { read write } for pid=6969 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893792.741:204): avc: denied { read write } for pid=6969 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:55 2012
type=SYSCALL msg=audit(1328893795.564:206): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1836b90 a3=2d63702d36383669 items=0 ppid=6945 pid=6972 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893795.564:206): avc: denied { noatsecure } for pid=6972 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893795.564:206): avc: denied { siginh } for pid=6972 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893795.564:206): avc: denied { rlimitinh } for pid=6972 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893795.564:206): avc: denied { read write } for pid=6972 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893795.564:206): avc: denied { read write } for pid=6972 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893795.564:206): avc: denied { read write } for pid=6972 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:54 2012
type=SYSCALL msg=audit(1328893794.176:205): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183a610 a3=2d63702d36383669 items=0 ppid=6945 pid=6971 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893794.176:205): avc: denied { noatsecure } for pid=6971 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893794.176:205): avc: denied { siginh } for pid=6971 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893794.176:205): avc: denied { rlimitinh } for pid=6971 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893794.176:205): avc: denied { read write } for pid=6971 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893794.176:205): avc: denied { read write } for pid=6971 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893794.176:205): avc: denied { read write } for pid=6971 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:10:58 2012
type=SYSCALL msg=audit(1328893858.743:207): arch=c000003e syscall=59 success=yes exit=0 a0=7f2e81cfa710 a1=7f2e81cfa480 a2=0 a3=7fff0d9274c0 items=0 ppid=6976 pid=6978 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893858.743:207): avc: denied { noatsecure } for pid=6978 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893858.743:207): avc: denied { siginh } for pid=6978 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893858.743:207): avc: denied { rlimitinh } for pid=6978 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
Grift fixed the bug; here is the chat log so you can read how we got it:
[18:14:59] <grift> ok lets try something:
[18:16:04] <Caterpillar> ok
[18:16:53] <grift> mkdir ~/mytest; cd ~/mytest; echo "policy_module(mytest, 1.0.0) gen_require(\` type boinc_project_t, boinc_t; ') allow boinc_project_t boinc_t:tcp_socket { read write };" > mytest,te;
[18:17:09] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:17:17] <grift> sudo semodule -i mytest.pp
[18:17:21] <grift> setenforce 1
[18:17:26] <grift> test again see if it works
[18:18:16] <Caterpillar> no rules to generate <<mytest.pp>>. Stop
[18:18:24] <Caterpillar> at the second command you gave me
[18:18:34] <Caterpillar> $
[18:19:06] <grift> cd ~/mytest; make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:19:37] <grift> o is that a comma or dot in mytest.te?
[18:19:44] <Caterpillar> comma
[18:19:45] <Caterpillar> :D
[18:19:53] <grift> mv mytest,te mytest.te
[18:20:08] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:22:39] <Caterpillar> grift: same as before
[18:22:50] <Caterpillar> calculus failure
[18:22:57] <grift> ok open the mytest.te
[18:23:03] <grift> and add below:
[18:23:43] <grift> allow boinc_project_t boinc_t:udp_socket { read write };
[18:23:48] <grift> then:
[18:23:52] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:24:00] <grift> sudo semodule -i mytest.pp
[18:24:04] <grift> and test again
[18:24:14] <grift> make sure you restart boinc
[18:28:44] <Caterpillar> boinc is downloading new working units, please wait
[18:28:45] <Caterpillar> :)
[18:29:00] <grift> ok so now it works?
[18:29:14] <Caterpillar> we have to wait until it finishes to download
[18:29:19] <grift> k
[18:29:51] <Caterpillar> GPU working units have a lot of megabytes
[18:30:23] <grift> ok that sounds like it's at least less than a gigabyte
[18:31:04] <Caterpillar> no, for Einstein@home there are a lot of little pieces of 4mb each
[18:31:25] <Caterpillar> Calculus failure again
[18:32:00] <grift> ok open mytest.te
[18:32:04] <grift> add:
[18:32:46] <grift> allow boinc_t boinc_project_t:process noatsecure;
[18:32:53] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:32:58] <grift> sudo semodule -i mytest.pp
[18:33:01] <grift> test again
[18:33:06] <grift> make sure to restart boinc
[18:33:27] <Caterpillar> of course
[18:36:07] <Caterpillar> grift: uh it works
[18:36:15] <grift> ok open mytest,te
[18:36:42] <grift> comment out the two lines that start with " allow" except the last one (the one that has the noatsecure)
[18:36:51] <grift> then:
[18:36:55] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:36:58] <grift> sudo semodule -i mytest.pp
[18:37:02] <grift> test again
[18:37:08] <grift> make sure to restart boinc
[18:37:27] <grift> so the lines with udp_socket and tcp_socket
[18:37:32] <grift> need to be commented out
[18:37:58] <Caterpillar> in mytest,te I have
[18:38:00] <Caterpillar> policy_module(mytest, 1.0.0) gen_require(` type boinc_project_t, boinc_t; ') allow boinc_project_t boinc_t:tcp_socket { read write };
[18:38:00] <Caterpillar> allow boinc_project_t boinc_t:udp_socket { read write };
[18:38:00] <Caterpillar> allow boinc_t boinc_project_t:process noatsecure;
[18:38:11] <grift> comment out:
[18:38:19] <grift> allow boinc_project_t boinc_t:tcp_socket { read write };
[18:38:29] <grift> allow boinc_project_t boinc_t:udp_socket { read write };
[18:38:37] <Caterpillar> I have to comment it with # or with // ?
[18:38:38] <grift> put a # in front of those lines
[18:38:41] <Caterpillar> ok
[18:38:43] <grift> a #
[18:39:01] <Caterpillar> policy_module(mytest, 1.0.0) gen_require(` type boinc_project_t, boinc_t; ') #allow boinc_project_t boinc_t:tcp_socket { read write };
[18:39:01] <Caterpillar> #allow boinc_project_t boinc_t:udp_socket { read write };
[18:39:01] <Caterpillar> allow boinc_t boinc_project_t:process noatsecure;
[18:39:04] <Caterpillar> it's okay?
[18:39:15] <grift> yes
[18:39:25] <grift> err
[18:39:34] <grift> i guess it is
[18:39:48] <grift> try it
[18:40:07] <grift> but i am pretty sure i know what the culprit is
[18:41:21] <Caterpillar> it works
[18:41:32] <grift> ok so the fix is this rule:
[18:41:40] <grift> allow boinc_t boinc_project_t:process noatsecure;
[18:41:54] <grift> that needs to be added to policy
[18:42:34] <grift> make sure to run semodule -B if you haven't done so already
[18:42:53] <grift> also make sure you are enforcing if you haven't done so already (setenforce 1)
[18:43:22] <Caterpillar> don't know how to apply allow boinc_t boinc_project_t:process noatsecure;
[18:43:39] <grift> you already have
[18:43:51] <grift> just put in the bugzilla that that needs to be added
[18:44:01] <Caterpillar> I would like to post this chat log to let others know about the fix
[18:44:10] <grift> k
[18:44:14] <grift> whatever
[18:44:24] <grift> but also add the fix to your bugzilla
[18:44:30] <grift> so that miroslav can fix it
I am doing a lot of fixes for boinc and I am adding this fix too. Thank you.

selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
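
The triage step behind the chat log, as an added example (not part of the bug report or of the Fedora policy sources): the script collapses the AVC records from the `ausearch` output into one candidate `allow` rule per (source type, target type, class). The function names are hypothetical, and the sample records are copied from events 189 and 201 above. The result is a list of candidates to test one at a time, as the chat does; there only the `noatsecure` permission turned out to be required.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output in this report (events 189 and 201).
SAMPLE = """\
----
time->Fri Feb 10 18:09:01 2012
type=AVC msg=audit(1328893741.133:189): avc: denied { write } for pid=6885 comm="semodule" path="/home/caterpillar/.xsession-errors" dev=sdd1 ino=262413 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
----
time->Fri Feb 10 18:09:49 2012
type=AVC msg=audit(1328893789.874:201): avc: denied { noatsecure } for pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc: denied { siginh } for pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc: denied { rlimitinh } for pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc: denied { read write } for pid=6966 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893789.874:201): avc: denied { read write } for pid=6966 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
"""

# Matches one denied AVC record; SYSCALL, "time->" and "----" lines do not match.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        summary[key]["perms"].update(m["perms"].split())
        summary[key]["count"] += 1
    return dict(summary)


def to_allow_rules(summary):
    """Render each group as a candidate allow rule (to be tested, not loaded blindly)."""
    rules = []
    for (src, tgt, cls), info in sorted(summary.items()):
        perms = sorted(info["perms"])
        rendered = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {rendered};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE)):
        print(rule)
```

The log was captured after `semodule -DB`, which rebuilds the policy with dontaudit rules disabled, so the candidate list includes denials that are normally silenced; rebuilding with `semodule -B` afterwards restores them.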