Bug 1397476 - SELinux is preventing boinc_client from 'read' accesses on the file mmap_min_addr.
Summary: SELinux is preventing boinc_client from 'read' accesses on the file mmap_min_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 25
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: abrt_hash:ee835ebddf29c5538afb59122c2...
: 1403493 1403494 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-22 15:52 UTC by Jia Yuan Lo
Modified: 2017-12-09 03:29 UTC (History)
14 users (show)

Fixed In Version: boinc-client-7.8.4-1.fc27 boinc-client-7.8.4-1.fc26 boinc-client-7.8.4-1.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-09 03:29:03 UTC
Type: ---


Attachments (Terms of Use)

Description Jia Yuan Lo 2016-11-22 15:52:08 UTC
Description of problem:
SELinux is preventing boinc_client from 'read' accesses on the file mmap_min_addr.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boinc_client should be allowed read access on the mmap_min_addr file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boinc_client' --raw | audit2allow -M my-boincclient
# semodule -X 300 -i my-boincclient.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:sysctl_vm_t:s0
Target Objects                mmap_min_addr [ file ]
Source                        boinc_client
Source Path                   boinc_client
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.8-300.fc25.x86_64 #1 SMP Tue
                              Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-11-23 23:49:12 MYT
Last Seen                     2016-11-23 23:49:12 MYT
Local ID                      248dd580-4e41-42dc-84b0-1ba0f2464d24

Raw Audit Messages
type=AVC msg=audit(1479916152.856:524): avc:  denied  { read } for  pid=5263 comm="boinc_client" name="mmap_min_addr" dev="proc" ino=33171 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0


Hash: boinc_client,boinc_t,sysctl_vm_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2016-11-23 12:26:33 UTC
Boinc folks, 
Do you know what happened here? 

Thanks.

Comment 2 Jia Yuan Lo 2016-11-23 16:35:25 UTC
Update: Sorry, I think I forget to update permission for files inside /var/lib/boinc. Update permission for /var/lib/boinc folder only seems not enough.

After this BOINC works normally and no more SELinux alerts...

But I think BOINC should do all this permission setting automatically without manual user intervention.

I think this bug is all good now since it is the current BOINC's behaviour

Comment 3 Germano Massullo 2016-11-23 16:41:03 UTC
Could you please explain what do you mean with:

> Update: Sorry, I think I forget to update permission for files inside
> /var/lib/boinc. Update permission for /var/lib/boinc folder only seems not
> enough.

Comment 4 Jia Yuan Lo 2016-11-23 16:46:37 UTC
I did this

sudo chmod g+rw /var/lib/boinc

but without this

sudo chmod g+rw /var/lib/boinc/*

and then starts BOINC Manager, BOINC can't connect to client(?) and SELinux alerts triggers after some time...

Doing back

sudo chmod g+rw /var/lib/boinc/*

BOINC works, alerts gone...

Comment 5 Jia Yuan Lo 2016-11-23 17:36:06 UTC
Note that I also did systemctl restart boinc-client.service a few times before realising I miss some steps after BOINC installed.

Thats where the alert really comes in.

Comment 6 Germano Massullo 2016-11-23 18:55:07 UTC
Could you please show us the output of:
# ls -latr /var/lib/boinc/

Comment 7 Jia Yuan Lo 2016-11-24 05:34:09 UTC
Sorry I have formatted my laptop...

I was following this old guide
http://boinc.berkeley.edu/wiki/Installing_BOINC_on_Fedora#Set_up_your_accounts

Is this still relevant? Do I still need to chmod here and there?

I think you guys should just closed this report since it doesn't worth the time to investigate the problem just because I didn't follow those instructions...

Comment 8 Germano Massullo 2016-11-26 20:19:06 UTC
/var/lib/boinc/ is owned and should be owned by boinc user only for security reasons and the defaults permissions are fine.
Your SELinux alert is triggered by other factors but we can no longer investigate because the laptop has been formatted

Comment 9 Jia Yuan Lo 2016-12-10 15:42:17 UTC
Description of problem:
Happened after 1st time install BOINC client and 1st time starting BOINC client service

Version-Release number of selected component:
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.12-300.fc25.x86_64
type:           libreport

Comment 10 Jia Yuan Lo 2016-12-10 15:51:16 UTC
Ok, this time ignore all the previous comments before #9...

Here's the command I run after freshly installed Fedora 25...

sudo dnf -y install boinc-client boinc-manager

sudo gpasswd -a $(whoami) boinc

sudo gpasswd -a boinc video

sudo systemctl start boinc-client.service

^ above starts the SELinux trigger I assume

sudo systemctl enable boinc-client.service

find /var/lib/boinc -type d -exec sudo chmod 755 {} \;
find /var/lib/boinc -type f -exec sudo chmod 644 {} \;

ln -s /var/lib/boinc/gui_rpc_auth.cfg ~/gui_rpc_auth.cfg

Comment 11 Jia Yuan Lo 2016-12-20 16:49:46 UTC
It looks like its actually the brawling between TLP and SELinux that also got BOINC drag into the fight...

If you don't install TLP, you will not get that SELinux error.

Sorry folks for the mess up bug report and wasted everybody's time.

SELinux guys, you can close these as well...
https://bugzilla.redhat.com/show_bug.cgi?id=1403493
https://bugzilla.redhat.com/show_bug.cgi?id=1403494

These reports here are also ERRONEOUSLY commented by me that its got to do with BOINC which in fact is TLP vs SELinux...

https://bugzilla.redhat.com/show_bug.cgi?id=1403490
https://bugzilla.redhat.com/show_bug.cgi?id=1403489
https://bugzilla.redhat.com/show_bug.cgi?id=1403488
https://bugzilla.redhat.com/show_bug.cgi?id=1403486
https://bugzilla.redhat.com/show_bug.cgi?id=1403485
https://bugzilla.redhat.com/show_bug.cgi?id=1403103
https://bugzilla.redhat.com/show_bug.cgi?id=1403462
https://bugzilla.redhat.com/show_bug.cgi?id=1403487
https://bugzilla.redhat.com/show_bug.cgi?id=1403102

Marking this as WORKS FOR ME...

Comment 12 Jia Yuan Lo 2017-04-12 02:08:52 UTC
*** Bug 1403493 has been marked as a duplicate of this bug. ***

Comment 13 Jia Yuan Lo 2017-04-12 02:09:20 UTC
*** Bug 1403494 has been marked as a duplicate of this bug. ***

Comment 14 Jia Yuan Lo 2017-04-12 02:11:28 UTC
Sorry I am still getting errors after dozens of fresh installs and I have checked all the permission and BOINC is up and running

But after every boot SELinux is still complaining...

Comment 15 Germano Massullo 2017-04-12 06:13:24 UTC
Which project are you running? Please show us
# ls -latr /var/lib/boinc

Comment 16 Jia Yuan Lo 2017-04-12 06:15:57 UTC
(In reply to Germano Massullo from comment #15)
> Which project are you running? Please show us
> # ls -latr /var/lib/boinc

[root@asus-x552l jylo]# ls -latr /var/lib/boinc
total 480
drwxr-xr-x. 61 root  root   4096 Apr 12 01:25 ..
-rw-r--r--.  1 boinc boinc     0 Apr 12 01:25 stderrdae.txt
-rw-r--r--.  1 boinc boinc    32 Apr 12 01:25 gui_rpc_auth.cfg
-rw-r--r--.  1 boinc boinc 55537 Apr 12 01:25 all_projects_list.xml
drwxr-----.  3 boinc boinc  4096 Apr 12 01:31 .pki
-rw-r--r--.  1 boinc boinc  1392 Apr 12 01:31 get_project_config.xml
-rw-r--r--.  1 boinc boinc   142 Apr 12 01:32 lookup_account.xml
drwxrwx--x.  3 boinc boinc  4096 Apr 12 01:32 projects
-rw-r--r--.  1 boinc boinc 26212 Apr 12 01:32 master_www.worldcommunitygrid.org.xml
-rw-r--r--.  1 boinc boinc  9281 Apr 12 01:32 get_current_version.xml
-rw-r--r--.  1 boinc boinc  1344 Apr 12 01:32 global_prefs.xml
drwxrwx--x.  6 boinc boinc  4096 Apr 12 01:39 slots
-rw-r--r--.  1 boinc boinc     0 Apr 12 11:16 lockfile
-rw-r--r--.  1 boinc boinc   560 Apr 12 11:16 stderrgpudetect.txt
-rw-r--r--.  1 boinc boinc  3238 Apr 12 11:16 coproc_info.xml
-rw-r--r--.  1 boinc boinc   272 Apr 12 11:16 stdoutgpudetect.txt
drwxr-xr-x.  2 boinc boinc  4096 Apr 12 11:16 notices
-rw-r--r--.  1 boinc boinc   807 Apr 12 11:16 time_stats_log
-rw-r--r--.  1 boinc boinc  2212 Apr 12 11:25 account_www.worldcommunitygrid.org.xml
-rw-r--r--.  1 boinc boinc 12585 Apr 12 13:55 sched_request_www.worldcommunitygrid.org.xml
-rw-r--r--.  1 boinc boinc 32679 Apr 12 13:55 sched_reply_www.worldcommunitygrid.org.xml
-rw-r--r--.  1 boinc boinc   748 Apr 12 13:55 statistics_www.worldcommunitygrid.org.xml
-rw-r--r--.  1 boinc boinc   990 Apr 12 13:58 job_log_www.worldcommunitygrid.org.txt
-rw-r--r--.  1 boinc boinc 11798 Apr 12 14:03 lookup_website.html
-rw-r--r--.  1 boinc boinc 56676 Apr 12 14:03 stdoutdae.txt
-rw-r--r--.  1 boinc boinc   121 Apr 12 14:03 daily_xfer_history.xml
-rw-r--r--.  1 boinc boinc 95010 Apr 12 14:10 client_state_prev.xml
-rw-r--r--.  1 boinc boinc 95010 Apr 12 14:14 client_state.xml
drwxr-xr-x.  6 boinc boinc  4096 Apr 12 14:14 .

Comment 17 Germano Massullo 2017-04-12 06:23:40 UTC
Show us 
# cat /proc/sys/vm/mmap_min_addr

Comment 18 Jia Yuan Lo 2017-04-12 06:25:20 UTC
(In reply to Germano Massullo from comment #17)
> Show us 
> # cat /proc/sys/vm/mmap_min_addr

[root@asus-x552l jylo]# cat /proc/sys/vm/mmap_min_addr
65536

Comment 19 Germano Massullo 2017-04-12 06:33:51 UTC
Similar bugreport
https://bugzilla.redhat.com/show_bug.cgi?id=1404015

Comment 20 Fedora Update System 2017-10-20 09:05:35 UTC
boinc-client-7.8.3-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f3922240

Comment 21 Fedora Update System 2017-10-20 09:08:21 UTC
boinc-client-7.8.3-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-520df58c68

Comment 22 Fedora Update System 2017-10-20 09:09:48 UTC
boinc-client-7.8.3-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a21b5d9b81

Comment 23 Fedora Update System 2017-10-20 09:11:14 UTC
boinc-client-7.8.3-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-25fce4ebdd

Comment 24 Fedora Update System 2017-10-21 19:27:42 UTC
boinc-client-7.8.3-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-25fce4ebdd

Comment 25 Fedora Update System 2017-10-22 02:24:06 UTC
boinc-client-7.8.3-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f3922240

Comment 26 Fedora Update System 2017-10-22 03:23:29 UTC
boinc-client-7.8.3-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a21b5d9b81

Comment 27 Fedora Update System 2017-10-22 05:17:09 UTC
boinc-client-7.8.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-520df58c68

Comment 28 Fedora Update System 2017-11-14 08:54:09 UTC
boinc-client-7.8.4-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-afb2246c84

Comment 29 Fedora Update System 2017-11-14 08:56:57 UTC
boinc-client-7.8.4-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-45b1e5bc58

Comment 30 Fedora Update System 2017-11-14 08:58:23 UTC
boinc-client-7.8.4-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b3e960d5ad

Comment 31 Fedora Update System 2017-11-14 08:59:49 UTC
boinc-client-7.8.4-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c45de2e44e

Comment 32 Fedora Update System 2017-11-14 15:47:39 UTC
boinc-client-7.8.4-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-afb2246c84

Comment 33 Fedora Update System 2017-11-14 16:44:38 UTC
boinc-client-7.8.4-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b3e960d5ad

Comment 34 Fedora Update System 2017-11-14 17:12:29 UTC
boinc-client-7.8.4-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c45de2e44e

Comment 35 Fedora Update System 2017-11-14 20:41:54 UTC
boinc-client-7.8.4-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-45b1e5bc58

Comment 36 Fedora End Of Life 2017-11-16 19:35:42 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 37 Fedora Update System 2017-11-25 02:36:00 UTC
boinc-client-7.8.4-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 38 Fedora Update System 2017-11-28 00:48:11 UTC
boinc-client-7.8.4-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 39 Fedora Update System 2017-11-28 17:33:02 UTC
boinc-client-7.8.4-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 40 Fedora Update System 2017-12-09 03:29:03 UTC
boinc-client-7.8.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.