Bug 799577

Summary: SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 from write access on the cartella /var/lib/boinc/.nv/ComputeCache
Product: [Fedora] Fedora Reporter: Germano Massullo <germano.massullo>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.10.0-84.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-22 03:36:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Germano Massullo 2012-03-03 08:03:29 UTC 
Just had this warning while running BOINC project Einstein@home on nVidia GPU




SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 from write access on the cartella /var/lib/boinc/.nv/ComputeCache.

***** Plugin catchall (100. confidence) suggerisce****************************

Seyou believe that einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 should be allowed write access on the ComputeCache directory by default.
Quindiyou should report this as a bug.
You can generate a local policy module to allow this access.
Fai
allow this access for now by executing:
# grep einsteinbinary_ /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Informazioni addizionali:
Contesto della sorgente       system_u:system_r:boinc_project_t:s0
Contesto target               system_u:object_r:boinc_var_lib_t:s0
Oggetti target                /var/lib/boinc/.nv/ComputeCache [ dir ]
Sorgente                      einsteinbinary_
Percorso della sorgente       /var/lib/boinc/projects/einstein.phys.uwm.edu/eins
                              teinbinary_BRP4_1.22_i686-pc-linux-
                              gnu__BRP4cuda32nv270
Porta                         <Sconosciuto>
Host                          Magic-4
Sorgente Pacchetti RPM        
Pacchetti RPM target          
RPM della policy              selinux-policy-3.10.0-75.fc16.noarch
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Enforcing
Host Name                     Magic-4
Piattaforma                   Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb
                              21 01:40:47 UTC 2012 x86_64 x86_64
Conteggio avvisi              4
Primo visto                   sab 03 mar 2012 08:51:46 CET
Ultimo visto                  sab 03 mar 2012 08:59:08 CET
ID locale                    

Messaggi Raw Audit
type=AVC msg=audit(1330761548.289:117): avc:  denied  { write } for  pid=3387 comm="einsteinbinary_" name="ComputeCache" dev=sdd1 ino=3801106 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1330761548.289:117): arch=i386 syscall=getpid success=no exit=4294967283 a0=9f36f70 a1=1c0 a2=23 a3=9f36f90 items=0 ppid=2828 pid=3387 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=einsteinbinary_ exe=/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 subj=system_u:system_r:boinc_project_t:s0 key=(null)

Hash: einsteinbinary_,boinc_project_t,boinc_var_lib_t,dir,write

audit2allow

#============= boinc_project_t ==============
#!!!! The source type 'boinc_project_t' can write to a 'dir' of the following types:
# boinc_project_tmp_t, var_lib_t, boinc_project_var_lib_t, tmp_t

allow boinc_project_t boinc_var_lib_t:dir write;

audit2allow -R

#============= boinc_project_t ==============
#!!!! The source type 'boinc_project_t' can write to a 'dir' of the following types:
# boinc_project_tmp_t, var_lib_t, boinc_project_var_lib_t, tmp_t

allow boinc_project_t boinc_var_lib_t:dir write;
Comment 1 Germano Massullo 2012-03-04 19:16:14 UTC 
Grift on #fedora-selinux found out a fix, here the procedure:


#semanage permissive -a boinc_project_t
so waited for another warning and then I did
#semanage permissive -d boinc_project_t

the paste of the warning is







----
time->Sun Mar  4 19:56:12 2012
type=SYSCALL msg=audit(1330887372.400:347): arch=40000003 syscall=39 success=yes exit=0 a0=a39b770 a1=1c0 a2=23 a3=a39b790 items=0 ppid=3590 pid=9766 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.23_i686-pc-linux-gnu__BRP4cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1330887372.400:347): avc:  denied  { create } for  pid=9766 comm="einsteinbinary_" name="9" scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1330887372.400:347): avc:  denied  { add_name } for  pid=9766 comm="einsteinbinary_" name="9" scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1330887372.400:347): avc:  denied  { write } for  pid=9766 comm="einsteinbinary_" name="ComputeCache" dev=sdd1 ino=3801106 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir
----
time->Sun Mar  4 19:56:12 2012
type=SYSCALL msg=audit(1330887372.427:348): arch=40000003 syscall=5 success=yes exit=26 a0=a39b740 a1=241 a2=1b6 a3=0 items=0 ppid=3590 pid=9766 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.23_i686-pc-linux-gnu__BRP4cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1330887372.427:348): avc:  denied  { create } for  pid=9766 comm="einsteinbinary_" name="626ce3" scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=file











$mkdir ~/myboinc; cd ~/myboinc
$echo "policy_module(myboinc, 1.0.0) gen_require(\` type boinc_project_t, boinc_var_lib_t; ') create_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) allow boinc_project_t boinc_var_lib_t:dir create_dir_perms;" > myboinc.te
#semodule -i myboinc.pp
Comment 2 Miroslav Grepl 2012-03-05 09:32:35 UTC 
Yes, we know about this issue. I am planning to fix up boinc policy.
Comment 3 Miroslav Grepl 2012-03-16 11:20:31 UTC 
Fixed in selinux-policy-3.10.0-81.fc16
Comment 4 Fedora Update System 2012-04-18 12:54:49 UTC 
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
Comment 5 Fedora Update System 2012-04-22 03:36:58 UTC 
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.