Description of problem:
some projects in BOINC seem to try execmem
as it stands I get avc deny messages
I am not quite sure if the boinc-client package should have a policy file that allows this
or if selinux-policy-targeted should include it (reassign then)
or if this is bad programming in the various BOINC hosted projects, considering other projects run just fine (close bug in that case, I'll then donate my CPU cycles to projects that do not require execmem)

Version-Release number of selected component (if applicable):
boinc-client-6.2.15-1.20080818svn.fc10.x86_64
selinux-policy-targeted-3.5.13-1.fc10.noarch

How reproducible:
only on some projects

Steps to Reproduce:
1. install boinc-client
2. have SELinux in Enforcing targeted mode
3. attach to the Einstein@Home project
4. boinc-client starts at boot time

Actual results:
avc: denied { execmem }

Expected results:
project is able to run

Additional info:
here's a sample message from within sealert browser (hostname was replaced manually with 'REMOVED' in the paste)

Summary:

SELinux is preventing einstein_S5R4_6 (initrc_t) "execmem" initrc_t.

Detailed Description:

SELinux denied access requested by einstein_S5R4_6. It is not expected that this access is required by einstein_S5R4_6 and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ process ]
Source                        einstein_S5R4_6
Source Path                   /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S5R4_6.02_i686-pc-linux-gnu_2
Port                          <Unknown>
Host                          REMOVED
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     REMOVED
Platform                      Linux REMOVED 2.6.27.3-27.rc1.fc10.x86_64 #1 SMP Sat Oct 18 20:24:59 EDT 2008 x86_64 x86_64
Alert Count                   229
First Seen                    Sun 19 Oct 2008 01:24:03 PM EEST
Last Seen                     Fri 24 Oct 2008 01:06:01 PM EEST
Local ID                      c18da064-43e7-46b1-a526-6b4e0f7cfb37
Line Numbers

Raw Audit Messages

node=REMOVED type=AVC msg=audit(1224842761.9:192): avc: denied { execmem } for pid=13968 comm="einstein_S5R4_6" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

node=REMOVED type=SYSCALL msg=audit(1224842761.9:192): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=4000 a2=7 a3=20022 items=0 ppid=3037 pid=13968 auid=4294967295 uid=492 gid=485 euid=492 suid=492 fsuid=492 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="einstein_S5R4_6" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S5R4_6.02_i686-pc-linux-gnu_2" subj=system_u:system_r:initrc_t:s0 key=(null)
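
Added example, not part of the original report or of BOINC or SELinux tooling: a Python decoder for the SYSCALL record quoted above, showing which memory mapping the execmem denial refers to. The constants are the Linux x86 values; the function names and the keys of the returned dict are this example's own.

```python
import re

# Trimmed copy of the SYSCALL record quoted in the report above.
RECORD = ('node=REMOVED type=SYSCALL msg=audit(1224842761.9:192): arch=40000003 '
          'syscall=192 per=400000 success=no exit=-13 a0=0 a1=4000 a2=7 a3=20022 '
          'items=0 ppid=3037 pid=13968 uid=492 comm="einstein_S5R4_6"')

# Linux x86 constants (uapi headers); audit logs arch, per and a0..a3 in hex.
AUDIT_ARCH_I386 = 0x40000003
SYS_MMAP2 = 192                      # i386 syscall table
READ_IMPLIES_EXEC = 0x0400000        # personality(2) flag
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x100: "MAP_GROWSDOWN", 0x20000: "MAP_STACK"}

def names(value, table):
    """Return the flag names set in value, plus any unknown bits as hex."""
    out = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return out + ([hex(unknown)] if unknown else [])

def decode_mmap2(record):
    """Decode an i386 mmap2 SYSCALL audit record into readable fields."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    if int(f["arch"], 16) != AUDIT_ARCH_I386 or int(f["syscall"]) != SYS_MMAP2:
        raise ValueError("not an i386 mmap2 record")
    prot, flags = int(f["a2"], 16), int(f["a3"], 16)
    return {
        "comm": f["comm"].strip('"'),
        "length": int(f["a1"], 16),
        "prot": names(prot, PROT),
        "flags": names(flags, MAP),
        "exit": int(f["exit"]),      # -13 is EACCES
        "read_implies_exec": bool(int(f["per"], 16) & READ_IMPLIES_EXEC),
        # Anonymous mapping requested executable: the case SELinux gates with execmem.
        "anon_exec": bool(flags & 0x20) and bool(prot & 0x4),
    }

if __name__ == "__main__":
    for key, value in decode_mmap2(RECORD).items():
        print(f"{key:18} {value}")
```

For this record the decoder reports a 0x4000-byte private anonymous MAP_STACK mapping requested read/write/execute by a process running with the READ_IMPLIES_EXEC personality, refused with EACCES.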
Hi, I've posted this to the boinc-devel list, see the response here: http://lists.ssl.berkeley.edu/pipermail/boinc_dev/2008-October/011948.html ...so, is it possible to extract some more detailed information (backtrace would be very nice) from SELinux?
setting NEEDINFO on me until I get to run the requested trace, it will be up to three weeks though
Hate it when that happens ;-)
finally got around to testing this and the error simply disappeared.
- Machine did a few work units on its own
- test as per Comment #1 went just fine
- still boinc-client-6.2.15-1.20080818svn.fc10.x86_64
- still einstein_S5R4_6.02_i686-pc-linux-gnu_2
- newer policy though selinux-policy-targeted-3.5.13-1.fc10.noarch
I suggest we close this as NOTABUG for now, I can always reopen in case it shows again.
Agree, closing as NOTABUG for now.