Bug 1570426 - SELinux is preventing start-boinc.sh from 'write' accesses on the directory /opt/appdata/boinc.
Summary: SELinux is preventing start-boinc.sh from 'write' accesses on the directory /...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0a2a672d35e97beda6ce4fbb900...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-22 20:40 UTC by Garrett Figueroa
Modified: 2018-05-30 22:40 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-30 22:40:47 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Garrett Figueroa 2018-04-22 20:40:56 UTC 
Description of problem:
SELinux is preventing start-boinc.sh from 'write' accesses on the directory /opt/appdata/boinc.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow start-boinc.sh to have write access on the boinc directory
Then you need to change the label on /opt/appdata/boinc
Do
# semanage fcontext -a -t FILE_TYPE '/opt/appdata/boinc'
where FILE_TYPE is one of the following: container_file_t, container_var_lib_t, nfs_t, svirt_home_t, tmpfs_t, virt_home_t.
Then execute:
restorecon -v '/opt/appdata/boinc'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that start-boinc.sh should be allowed write access on the boinc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'start-boinc.sh' --raw | audit2allow -M my-startboincsh
# semodule -X 300 -i my-startboincsh.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c313,c596
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/appdata/boinc [ dir ]
Source                        start-boinc.sh
Source Path                   start-boinc.sh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.15.17-300.fc27.x86_64 #1 SMP Thu
                              Apr 12 18:19:17 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-04-22 14:40:09 MDT
Last Seen                     2018-04-22 14:40:13 MDT
Local ID                      d11f4a4c-fbf5-4d84-b429-bf49186b612c

Raw Audit Messages
type=AVC msg=audit(1524429613.394:5883): avc:  denied  { write } for  pid=588 comm="boinc" name="boinc" dev="dm-0" ino=4343940 scontext=system_u:system_r:container_t:s0:c313,c596 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0


Hash: start-boinc.sh,container_t,usr_t,dir,write


Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.17-300.fc27.x86_64
type:           libreport
Comment 1 Daniel Walsh 2018-05-30 22:40:47 UTC 
This looks like you are volume mounting content into the container that you want the container to write.

You should add :Z to the end of your volume command.
Note You need to log in before you can comment on or make changes to this bug.