Bug 834900

Field | Value
---|---
Summary | Selinux prevents boinc client from reading log file
Product | [Fedora] Fedora
Component | boinc-client
Status | CLOSED ERRATA
Severity | medium
Priority | unspecified
Version | 17
Hardware | All
OS | Linux
Reporter | John Horne <john.horne>
Assignee | Milos Jakubicek <xjakub>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | cheekyboinc, dwalsh, mgrepl, mmahut, xjakub
Doc Type | Bug Fix
Type | Bug
Last Closed | 2012-07-11 23:56:15 UTC
Thanks for spotting that, I will fix that asap.

That's strange, I reverted that change and redirect the output of boinc from a wrapper script around, which is sort of what was the case with SysVInit, but I still get an AVC denied writing to file (not a symlink anymore!):

```
SELinux is preventing /usr/bin/bash from open access on the file /var/log/boinc.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed open access on the boinc.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/boinc.log [ file ]
Source                        boinc
Source Path                   /usr/bin/bash
Port                          <Neznámé>
Host                          ioel
Source RPM Packages           bash-4.2.29-1.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ioel
Platform                      Linux ioel 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Út 26. červen 2012, 15:14:28 CEST
Last Seen                     Út 26. červen 2012, 15:14:28 CEST
Local ID                      17a578f7-984e-44f7-b9af-18a0d864b0c5

Raw Audit Messages
type=AVC msg=audit(1340716468.5:755): avc: denied { open } for pid=5793 comm="boinc" name="boinc.log" dev="dm-1" ino=1311162 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1340716468.5:755): arch=x86_64 syscall=open success=no exit=EACCES a0=1f0e4a0 a1=401 a2=1b6 a3=13 items=0 ppid=5792 pid=5793 auid=4294967295 uid=104 gid=103 euid=104 suid=104 fsuid=104 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=boinc exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc,boinc_t,var_log_t,file,open

audit2allow
unable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy:  Permission denied
```

CC'ing SELinux maintainers, were there any changes in handling SELinux access to /var/log files between F16 and F17? Or is it because of the SysVInit->systemd transition? You can have a look at a preliminary version here: http://koji.fedoraproject.org/koji/taskinfo?taskID=4196528

We don't have boinc log in the policy.

Fixed in selinux-policy-3.10.0-134.fc17.noarch. I also added support for systemd.

Miroslav, are you sure it is selinux-policy-3.10.0-134.fc17 and not selinux-policy-3.11.0-7.fc18?

```
# git log f17
commit 880755276bfbc0a0ff0cc33c5685e0a195cccb6c
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:50:56 2012 +0200

    Allow boinc domains to manage boinc_lib_t lnk_files

commit b1f69176de44a8ce2d7fb00ae5ff89aa9f63f525
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:41:46 2012 +0200

    Add support for boinc-client.service unit file

commit eca1500482e8f221304c9c424a275a658ba0f219
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:35:06 2012 +0200

    add support for boinc.log
```

So it has been added to F17 too.

Well, just checked out selinux-policy in git:
```
>git log f17 | grep "Allow boinc"
- Allow boinc to read passwd
- Allow boinc projects to gconf config files
- Allow boinc project to getattr on fs
- Allow boinc_project to use shm
Allow boinc_project to use shm
Allow boinc projects to execute java
```
So you did not push that and it is not part of selinux-policy-3.10.0-134.fc17 -- right?
Ah, I apologize... I wanted to write: Fixed in selinux-policy-3.10.0-135.fc17.noarch

Great, right -- thanks for a fast response!

boinc-client-7.0.29-1.r25790svn.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/FEDORA-2012-9859/boinc-client-7.0.29-1.r25790svn.fc17

boinc-client-7.0.29-1.r25790svn.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 594032: Selinux error msg

Description of problem:
Boinc has two log files in /var/log which are accessed via symbolic links in /var/lib/boinc. Selinux seems to be preventing the boinc client read access to those log files.

Version-Release number of selected component (if applicable):
boinc-client-6.12.43-2.r25218svn.fc17.x86_64
selinux-policy-3.10.0-132.fc17.noarch
selinux-policy-targeted-3.10.0-132.fc17.noarch

How reproducible:
Always

Steps to Reproduce:
1. start boinc using 'systemctl start boinc-client.service'
2. monitor /var/log/audit/audit.log file

Actual results:
Attachments have the selinux details

Expected results:
Boinc should start up with no selinux problems

Additional info:
There are two log files involved:

```
================================
cd /var/lib/boinc
ls -l std*
lrwxrwxrwx. 1 boinc boinc 21 Jun 23 13:50 stderrdae.txt -> /var/log/boincerr.log
lrwxrwxrwx. 1 boinc boinc 18 Jun 23 13:50 stdoutdae.txt -> /var/log/boinc.log
ls -lL std*
-rw-r--r--. 1 boinc boinc     0 Jun 23 14:05 stderrdae.txt
-rw-r--r--. 1 boinc boinc 50961 Jun 24 18:44 stdoutdae.txt
================================
```
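The report's reproduction step is to watch /var/log/audit/audit.log, and the thread turns on reading the resulting AVC records correctly: the first denials were on the symlinks in /var/lib/boinc (object class lnk_file), the later one was on /var/log/boinc.log itself (class file, type var_log_t), and each needed a different policy change. The Python below is an added example, not part of the bug report or of the boinc-client or selinux-policy packages. It parses type=AVC records into the same comm, source type, target type, class, permission tuple that the setroubleshoot alert prints as "Hash", so each distinct denial can be reviewed before any local module is built from it. The first two sample lines are the records quoted in the alert above; the third is a constructed record, not from the report, modelling the earlier symlink denial with the boinc_lib_t type named in the commit log.

```python
import re
from collections import Counter

# Sample audit records. Lines 1-2 are the AVC/SYSCALL pair quoted in the bug
# report; line 3 is CONSTRUCTED (not from the report) to model the earlier
# denial on the symlink in /var/lib/boinc, using the boinc_lib_t type that the
# selinux-policy commit "Allow boinc domains to manage boinc_lib_t lnk_files"
# refers to.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1340716468.5:755): avc: denied { open } for pid=5793 comm="boinc" name="boinc.log" dev="dm-1" ino=1311162 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1340716468.5:755): arch=x86_64 syscall=open success=no exit=EACCES a0=1f0e4a0 a1=401 a2=1b6 a3=13 items=0 ppid=5792 pid=5793 auid=4294967295 uid=104 gid=103 euid=104 suid=104 fsuid=104 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=boinc exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)
type=AVC msg=audit(1340700000.0:700): avc: denied { read } for pid=5100 comm="boinc" name="stdoutdae.txt" dev="dm-1" ino=1311000 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_lib_t:s0 tclass=lnk_file
"""

# "avc: denied { perm [perm ...] } for key=value ..."; tolerates the double
# spaces real auditd output contains.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either double-quoted or a run of non-blank chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one type=AVC audit record into a dict; return None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", "?"),
    }


def denial_key(rec):
    """The comm,source type,target type,class,permission tuple setroubleshoot shows as 'Hash'."""
    return ",".join([
        rec["comm"],
        context_type(rec["scontext"]),
        context_type(rec["tcontext"]),
        rec["tclass"],
        " ".join(rec["perms"]),
    ])


def summarize_denials(audit_text):
    """Count each distinct denial, so it can be judged on its own before any allow rule is generated."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            counts[denial_key(rec)] += 1
    return counts


def symlink_denials(audit_text):
    """Object names denied as lnk_file: the link itself was refused, not the file it points to."""
    names = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["tclass"] == "lnk_file":
            names.append(rec["name"])
    return names


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n:3d}  {key}")
    print("lnk_file denials:", symlink_denials(SAMPLE_AUDIT_LOG))
```

Each key in the summary corresponds to one allow rule that `audit2allow -M` would emit from the same input, which is why grouping first is useful: a lnk_file denial and a file denial on what looks like the same log need separate rules (on the link's type and on var_log_t respectively), and that is exactly the split between the "boinc_lib_t lnk_files" and "boinc.log" commits in the policy fix above. Reviewing the grouped keys also shows when a denial is better answered by relabelling the file or by a package policy update, as happened here, rather than by installing a local module with `semodule -i`.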