Bug 1572812 - SELinux is preventing boinc from 'connectto' accesses on the unix_stream_socket 002F746D702F2E5831312D756E69782F5831.
Summary: SELinux is preventing boinc from 'connectto' accesses on the unix_stream_sock...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:dcbd3666865f0ec50a75ab98d3b...
Depends On:
Blocks:
 
Reported: 2018-04-27 23:56 UTC by Garrett Figueroa
Modified: 2018-04-28 08:33 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-28 08:33:20 UTC
Type: ---



Description Garrett Figueroa 2018-04-27 23:56:19 UTC
Description of problem:
SELinux is preventing boinc from 'connectto' accesses on the unix_stream_socket 002F746D702F2E5831312D756E69782F5831.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boinc should be allowed connectto access on the 002F746D702F2E5831312D756E69782F5831 unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'boinc' --raw | audit2allow -M my-boinc
# semodule -X 300 -i my-boinc.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c420,c759
Target Context                unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023
Target Objects                002F746D702F2E5831312D756E69782F5831 [
                              unix_stream_socket ]
Source                        boinc
Source Path                   boinc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.3-200.fc27.x86_64 #1 SMP Thu
                              Apr 19 19:33:38 UTC 2018 x86_64 x86_64
Alert Count                   13
First Seen                    2018-04-27 17:54:55 MDT
Last Seen                     2018-04-27 17:55:07 MDT
Local ID                      48e2ead2-3a28-4539-a082-0c79d0aef598

Raw Audit Messages
type=AVC msg=audit(1524873307.948:1814): avc:  denied  { connectto } for  pid=28746 comm="boinc" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:container_t:s0:c420,c759 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


Hash: boinc,container_t,xserver_t,unix_stream_socket,connectto


Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.3-200.fc27.x86_64
type:           libreport

Comment 1 Daniel Walsh 2018-04-28 08:33:20 UTC
This looks correct; you definitely do not want to allow containers to connect to the Xserver.  SELinux is doing precisely what it is designed to do.

Allowing a process to connect to the XServer would allow it to screen scrape all of your data on the desktop; it would also allow it to fool humans into typing passwords.  It would also allow it to grab all data in the cut and paste buffer, especially things like passwords.

If you want to run trusted applications to connect to the desktop then you need to disable SELinux.

The way you do this with podman is 


podman run --security-opt label=disable ...

Or with docker

docker run --security-opt label=disable ...

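The AVC line in the description and the advice in comment 1 can be turned into a small triage script. This is an added example, not code from the report, from setroubleshoot or from audit2allow. It decodes the hex-encoded path field (the audit subsystem hex-encodes strings containing non-printable bytes; this one starts with a NUL, so it is the abstract unix socket @/tmp/.X11-unix/X1, i.e. X display :1), prints the rule audit2allow would have generated from the denial, and flags a container_t -> xserver_t connectto as an expected deny rather than a policy bug. The second log line (the "myapp" process and its container_file_t denial) is constructed for contrast, and the "expected-deny" / "review" verdicts are labels chosen for this example.

```python
"""Triage raw SELinux AVC denials like the one in this report.

Added example, not code from the bug report, setroubleshoot or audit2allow.
It parses AVC lines, decodes the hex-encoded socket path, and applies the
rule from comment 1: a container domain reaching the X server socket is an
expected deny, not something to audit2allow away.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: the first line is the AVC from the report, the
# second is an invented, unrelated denial to show the non-X-server path.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1524873307.948:1814): avc:  denied  { connectto } for  pid=28746 comm="boinc" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:container_t:s0:c420,c759 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1524873400.100:1900): avc:  denied  { read } for  pid=31000 comm="myapp" name="config" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: list[str]
    fields: dict[str, str]

    @property
    def scontext_type(self) -> str:   # user:role:TYPE:level -> TYPE
        return self.fields["scontext"].split(":")[2]

    @property
    def tcontext_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def decode_audit_path(value: str) -> str:
    """The audit subsystem quotes printable strings and hex-encodes anything
    containing unusual bytes.  Here the path starts with a NUL byte, i.e. it
    is an abstract unix socket; render that with ss(8)'s '@' prefix."""
    if value.startswith('"'):
        return value.strip('"')
    raw = bytes.fromhex(value)
    if raw.startswith(b"\x00"):
        return "@" + raw[1:].decode("utf-8", "replace")
    return raw.decode("utf-8", "replace")


def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    raw_fields = dict(FIELD_RE.findall(m.group("fields")))
    fields = {k: v.strip('"') for k, v in raw_fields.items()}
    if "path" in raw_fields:
        fields["path"] = decode_audit_path(raw_fields["path"])
    return Denial(perms=m.group("perms").split(), fields=fields)


def audit2allow_rule(d: Denial) -> str:
    """The TE rule audit2allow would generate for this denial, so the reader
    sees exactly what 'semodule -i my-boinc.pp' would have loaded."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.scontext_type} {d.tcontext_type}:{d.tclass} {perms};"


def assess(d: Denial) -> tuple[str, str]:
    """(verdict, advice).  Container -> X server connectto is denied by design."""
    if (d.scontext_type == "container_t" and d.tcontext_type == "xserver_t"
            and d.tclass == "unix_stream_socket" and "connectto" in d.perms):
        return ("expected-deny",
                "keep the denial; a trusted container can instead be started with "
                "'podman run --security-opt label=disable ...'")
    return ("review", "inspect before loading: " + audit2allow_rule(d))


def triage(log_text: str) -> list[dict]:
    """Parse every AVC line in the log and attach a verdict to each."""
    results = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        verdict, advice = assess(d)
        results.append({"comm": d.fields.get("comm"), "path": d.fields.get("path"),
                        "source": d.scontext_type, "target": d.tcontext_type,
                        "perms": d.perms, "verdict": verdict, "advice": advice})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT_LOG):
        print(f"{r['comm']}: {r['source']} -> {r['target']} {r['perms']} "
              f"path={r['path']} => {r['verdict']}: {r['advice']}")
```

The point of printing the audit2allow rule is that "ausearch -c 'boinc' --raw | audit2allow -M my-boinc" would have produced exactly "allow container_t xserver_t:unix_stream_socket connectto;", a rule that lets every container on the host talk to the X server, not just boinc. The same parser can be pointed at "ausearch -m AVC --raw" output on a live system.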
