Bug 834900

Summary: Selinux prevents boinc client from reading log file
Product: Fedora
Reporter: John Horne <john.horne>
Component: boinc-client
Assignee: Milos Jakubicek <xjakub>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 17
CC: cheekyboinc, dwalsh, mgrepl, mmahut, xjakub
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-07-11 23:56:15 UTC
Type: Bug
Attachments: Selinux error msg

Description John Horne 2012-06-24 18:01:26 UTC
Created attachment 594032 [details]
Selinux error msg

Description of problem:
Boinc has two log files in /var/log which are accessed via symbolic links in /var/lib/boinc. Selinux seems to be preventing the boinc client read access to those log files.


Version-Release number of selected component (if applicable):
boinc-client-6.12.43-2.r25218svn.fc17.x86_64
selinux-policy-3.10.0-132.fc17.noarch
selinux-policy-targeted-3.10.0-132.fc17.noarch


How reproducible:
Always

Steps to Reproduce:
1. start boinc using 'systemctl start boinc-client.service'
2. monitor /var/log/audit/audit.log file
3.
  
Actual results:
Attachments have the selinux details

Expected results:
Boinc should start up with no selinux problems

Additional info:
There are two log files involved:

================================
cd /var/lib/boinc
ls -l std*
lrwxrwxrwx. 1 boinc boinc 21 Jun 23 13:50 stderrdae.txt -> /var/log/boincerr.log
lrwxrwxrwx. 1 boinc boinc 18 Jun 23 13:50 stdoutdae.txt -> /var/log/boinc.log
ls -lL std*
-rw-r--r--. 1 boinc boinc     0 Jun 23 14:05 stderrdae.txt
-rw-r--r--. 1 boinc boinc 50961 Jun 24 18:44 stdoutdae.txt
================================

Comment 1 Milos Jakubicek 2012-06-24 18:13:20 UTC
Thanks for spotting that, I will fix that asap.

Comment 2 Milos Jakubicek 2012-06-26 13:18:00 UTC
That's strange, I reverted that change and redirected the output of boinc from a wrapper script around it, which is sort of what was the case with SysVInit, but I still get an AVC denied writing to a file (not a symlink anymore!):

SELinux is preventing /usr/bin/bash from open access on the file /var/log/boinc.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed open access on the boinc.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/boinc.log [ file ]
Source                        boinc
Source Path                   /usr/bin/bash
Port                          <Neznámé>
Host                          ioel
Source RPM Packages           bash-4.2.29-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ioel
Platform                      Linux ioel 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18
                              19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Út 26. červen 2012, 15:14:28 CEST
Last Seen                     Út 26. červen 2012, 15:14:28 CEST
Local ID                      17a578f7-984e-44f7-b9af-18a0d864b0c5

Raw Audit Messages
type=AVC msg=audit(1340716468.5:755): avc:  denied  { open } for  pid=5793 comm="boinc" name="boinc.log" dev="dm-1" ino=1311162 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file


type=SYSCALL msg=audit(1340716468.5:755): arch=x86_64 syscall=open success=no exit=EACCES a0=1f0e4a0 a1=401 a2=1b6 a3=13 items=0 ppid=5792 pid=5793 auid=4294967295 uid=104 gid=103 euid=104 suid=104 fsuid=104 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=boinc exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc,boinc_t,var_log_t,file,open

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

CC'ing SELinux maintainers, were there any changes in handling SELinux access to  /var/log files between F16 and F17? Or is it because of the SysVInit->systemd transition? You can have a look at a preliminary version here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=4196528
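The raw AVC and SYSCALL records quoted above are what a policy maintainer works from: the AVC gives source domain, target type, object class and the denied permission, and the SYSCALL record with the same audit serial gives the executable and the errno the process actually saw. The following Python script is an added example, not part of this bug report or of the boinc-client or selinux-policy packages. It parses audit records of that shape, joins each AVC to its SYSCALL by serial, and groups denials under the same comm,source-type,target-type,class,permission key that setroubleshoot prints as "Hash:" above. The first two sample records are the lines quoted in this comment; the third is constructed for the example (a lnk_file denial against boinc_lib_t, the symlink type named in the policy commits later in this bug) and does not come from the reporter's system.

```python
import re
from collections import Counter

# Sample audit records. The first two are the AVC and SYSCALL lines quoted in
# comment 2 of this bug; the third is a constructed lnk_file denial (not from
# the bug) against the boinc_lib_t symlinks in /var/lib/boinc.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1340716468.5:755): avc:  denied  { open } for  pid=5793 comm="boinc" name="boinc.log" dev="dm-1" ino=1311162 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1340716468.5:755): arch=x86_64 syscall=open success=no exit=EACCES a0=1f0e4a0 a1=401 a2=1b6 a3=13 items=0 ppid=5792 pid=5793 auid=4294967295 uid=104 gid=103 euid=104 suid=104 fsuid=104 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=boinc exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)
type=AVC msg=audit(1340716470.0:756): avc:  denied  { read } for  pid=5793 comm="boinc" name="stdoutdae.txt" dev="dm-1" ino=1311200 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_lib_t:s0 tclass=lnk_file
"""

# "type=AVC msg=audit(<timestamp>:<serial>): <rest>"
AUDIT_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# "avc:  denied  { perm perm } for  key=value ..."
AVC_BODY = re.compile(r"^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be double-quoted (comm="boinc") or bare (exit=EACCES)
KEY_VALUE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def type_of(context):
    """Return the type field of an SELinux context, e.g. 'boinc_t' for system_u:system_r:boinc_t:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_audit_line(line):
    """Parse one raw audit record into a dict, or return None for non-audit text."""
    m = AUDIT_HDR.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": int(m.group("serial"))}
    rest = m.group("rest")
    if rec["type"] == "AVC":
        a = AVC_BODY.match(rest)
        if not a:
            return None
        rec["result"] = a.group("result")
        rec["perms"] = a.group("perms").split()   # an AVC may list several permissions
        rest = a.group("rest")
    rec.update({k: v.strip('"') for k, v in KEY_VALUE.findall(rest)})
    return rec


def hash_key(avc, perm=None):
    """The comm,source-type,target-type,tclass,perm key that setroubleshoot prints as 'Hash:'."""
    perm = perm or avc["perms"][0]
    return ",".join([avc.get("comm", "?"), type_of(avc["scontext"]),
                     type_of(avc["tcontext"]), avc["tclass"], perm])


def summarize_denials(audit_text):
    """Group AVC denials by hash key; attach exe and errno from the SYSCALL record with the same serial."""
    records = [r for r in map(parse_audit_line, audit_text.splitlines()) if r]
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    counts, info = Counter(), {}
    for r in records:
        if r["type"] != "AVC" or r["result"] != "denied":
            continue
        sc = syscalls.get(r["serial"], {})  # empty when the SYSCALL record was not logged
        for perm in r["perms"]:
            key = hash_key(r, perm)
            counts[key] += 1
            entry = info.setdefault(key, {"names": set(), "exe": sc.get("exe"), "exit": sc.get("exit")})
            entry["names"].add(r.get("name", "?"))
    return [{"key": k, "count": n, "names": sorted(info[k]["names"]),
             "exe": info[k]["exe"], "exit": info[k]["exit"]}
            for k, n in counts.most_common()]


def format_report(summary):
    """One line per distinct denial, most frequent first."""
    return "\n".join(
        f"{d['count']:4d}  {d['key']}  names={','.join(d['names'])}  exe={d['exe']}  exit={d['exit']}"
        for d in summary)


if __name__ == "__main__":
    # On a real host: summarize_denials(open("/var/log/audit/audit.log").read())
    print(format_report(summarize_denials(SAMPLE_AUDIT_LOG)))
```

The grouped key is what tells you whether the denial is a labelling problem (the target type is a generic one such as var_log_t, so the policy has no rule for it) or a missing rule for a type the policy already knows (boinc_lib_t lnk_file). The first case is what this bug turned out to be, and the fix belongs in the distribution policy rather than in a locally generated audit2allow module, which would grant boinc_t access to every var_log_t file rather than just its own log.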

Comment 3 Miroslav Grepl 2012-06-27 05:32:15 UTC
We don't have boinc log in the policy.

Comment 4 Miroslav Grepl 2012-06-27 05:35:58 UTC
Fixed in selinux-policy-3.10.0-134.fc17.noarch

Comment 5 Miroslav Grepl 2012-06-27 05:43:23 UTC
I also added support for systemd.

Comment 6 Milos Jakubicek 2012-06-27 15:38:56 UTC
Miroslav, are you sure it is selinux-policy-3.10.0-134.fc17 and not selinux-policy-3.11.0-7.fc18?

Comment 7 Miroslav Grepl 2012-06-28 11:22:42 UTC
# git log f17

commit 880755276bfbc0a0ff0cc33c5685e0a195cccb6c
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:50:56 2012 +0200

    Allow boinc domains to manage boinc_lib_t lnk_files

commit b1f69176de44a8ce2d7fb00ae5ff89aa9f63f525
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:41:46 2012 +0200

    Add support for boinc-client.service unit file

commit eca1500482e8f221304c9c424a275a658ba0f219
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:35:06 2012 +0200

    add support for boinc.log


So it has been added to F17 too.

Comment 8 Milos Jakubicek 2012-06-28 13:24:09 UTC
Well, just checked out selinux-policy in git:

>git log f17 | grep "Allow boinc"
    - Allow boinc to read passwd
    - Allow boinc projects to gconf config files
    - Allow boinc project to getattr on fs
    - Allow boinc_project to use shm
    Allow boinc_project to use shm
    Allow boinc projects to execute java

So you did not push that and it is not part of selinux-policy-3.10.0-134.fc17 -- right?

Comment 9 Miroslav Grepl 2012-06-28 13:36:18 UTC
Ah, I apologize .. I wanted to write

Fixed in selinux-policy-3.10.0-135.fc17.noarch

Comment 10 Milos Jakubicek 2012-06-28 14:07:05 UTC
Great, right -- thanks for a fast response!

Comment 11 Fedora Update System 2012-07-10 07:28:51 UTC
boinc-client-7.0.29-1.r25790svn.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-9859/boinc-client-7.0.29-1.r25790svn.fc17

Comment 12 Fedora Update System 2012-07-11 23:56:15 UTC
boinc-client-7.0.29-1.r25790svn.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.