Bug 595092 - SELinux is denying /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23 "read write" access on nvidiactl
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 13
Hardware: i386 Linux
Priority: low   Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:53e64719e0c...
Duplicates: 595090 596573
Reported: 2010-05-23 06:23 EDT by Felipe Hommen
Modified: 2010-11-18 04:33 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-07-28 02:12:45 EDT
Description Felipe Hommen 2010-05-23 06:23:07 EDT
Summary:

SELinux is denying
/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23
"read write" access on nvidiactl

Detailed Description:

[boinc_client is a permissive type (boinc_t). This access was not denied.]

SELinux denied access requested by einsteinbinary_. It is not expected that this
access is required by einsteinbinary_, and it may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access. See the FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:xserver_misc_device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.i686 #1 SMP Thu May 13 05:55:24 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Sun 23 May 2010 12:12:27 CEST
Last Seen                     Sun 23 May 2010 12:12:41 CEST
Local ID                      7fbdf998-ba93-4681-badf-6c835b74f62b
Line Numbers                  

Raw Audit Messages 

node=(eliminado) type=AVC msg=audit(1274609561.764:64): avc:  denied  { read write } for  pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

node=(eliminado) type=AVC msg=audit(1274609561.764:64): avc:  denied  { open } for  pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

node=(eliminado) type=SYSCALL msg=audit(1274609561.764:64): arch=40000003 syscall=5 success=yes exit=12 a0=bf8890c4 a1=8002 a2=0 a3=0 items=0 ppid=3634 pid=4643 auid=0 uid=490 gid=476 euid=490 suid=490 fsuid=490 egid=476 sgid=476 fsgid=476 tty=(none) ses=2 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23" subj=system_u:system_r:boinc_t:s0 key=(null)
Hash String generated from  catchall,boinc_client,boinc_t,xserver_misc_device_t,chr_file,read,write
audit2allow suggests:

#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, initrc_devpts_t, devtty_t

allow boinc_t xserver_misc_device_t:chr_file { read write open };
Comment 1 Miroslav Grepl 2010-05-24 08:19:24 EDT
*** Bug 595090 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2010-05-28 08:20:34 EDT
*** Bug 596573 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Stripes 2010-05-28 14:32:22 EDT
This appears to not be restricted to the Einstein project client.  I have never run the Einstein project and am seeing this issue with "read write" and "open" on nvidiactl.
Comment 4 Gilboa Davara 2010-06-03 11:16:28 EDT
I'm seeing it on seti@home BOINC project on multiple F13/x86_64 machines. (rpmfusion nVidia proprietary drivers)
It seems that if you're using a recent project binary coupled with nvidia hardware and proprietary driver, it'll automatically attempt to enable CUDA processing.

However, as the open source driver does not support CUDA, I doubt that this is a Fedora-proper issue. (Problem is, it's not an rpmfusion issue either...)

- Gilboa
Comment 5 Miroslav Grepl 2010-07-28 02:12:45 EDT
This is fixed in the latest selinux-policy.
Comment 6 Vaclav "sHINOBI" Misek 2010-08-24 14:38:42 EDT
The problem reappeared in Fedora 14 Alpha.
Comment 7 vitor.dominor 2010-09-28 21:50:11 EDT
I also see this issue with the latest boinc client, on Fedora 13, even though I updated to selinux policy version 3.7.19-62.fc13 (updates-testing), in order to solve other selinux policy bugs.
I still get these raw avcs among others (related to the project cosmology@home):

node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc:  denied  { read write } for  pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc:  denied  { open } for  pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=perfect-tuxie type=SYSCALL msg=audit(1285712657.647:32929): arch=c000003e syscall=2 success=yes exit=6 a0=7fffa8e340d0 a1=2 a2=7fffa8e340de a3=0 items=0 ppid=1 pid=5012 auid=500 uid=491 gid=476 euid=491 suid=491 fsuid=491 egid=476 sgid=476 fsgid=476 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)

I have already tried to do restorecon -v /dev/nvidia* and semanage fcontext -m -t xserver_misc_device_t "/dev/nvidia*" (in an attempt to make the change more permanent). By using system-config-selinux, I verified this change to the policy is inserted and I also verified that there is already by default a file context labelling xserver_misc_device_t:s0 to /dev/nvidia.*. However, after restart the two files /dev/nvidia0 and /dev/nvidiactl are relabelled to device_t:s0.
Comment 8 Daniel Walsh 2010-09-29 08:50:27 EDT
Then that is either a bug in udev or the kernel module that creates the device.

udev is supposed to make sure files in /dev are labelled correctly.
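A small triage helper, added here and not part of the bug report or of selinux-policy, that parses the AVC lines quoted in this thread and separates the two situations the comments describe: tcontext xserver_misc_device_t (the node is labelled as the default file context says, so the boinc_t domain simply lacks an allow rule, which is what the policy fix addressed) versus tcontext device_t (the node came up with the generic device label, the udev/kernel-module case in comment 8). The regex, function names and EXPECTED_NVIDIA_TYPE are my own; the expected type assumes the default /dev/nvidia.* file context the reporter in comment 7 mentions.

```python
import re

# Sample input: two AVC records copied from this bug report (description and comment 7).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1274609561.764:64): avc:  denied  { read write } for  pid=4643 '
    'comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 '
    'scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file',
    'node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc:  denied  { open } for  pid=5012 '
    'comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 '
    'scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Assumed default label for /dev/nvidia* (on a live host: matchpathcon /dev/nvidiactl).
EXPECTED_NVIDIA_TYPE = "xserver_misc_device_t"


def parse_avc(line):
    """Extract permissions, comm, object name and the type part of both contexts."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type:level -> type
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """'policy' = label is right, domain lacks a rule; 'mislabel' = node has generic device_t."""
    if rec["name"] and rec["name"].startswith("nvidia") and rec["tclass"] == "chr_file":
        if rec["ttype"] == EXPECTED_NVIDIA_TYPE:
            return "policy"
        if rec["ttype"] == "device_t":
            return "mislabel"
    return "unknown"


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        rec = parse_avc(line)
        print(rec["comm"], rec["perms"], rec["stype"], "->", rec["ttype"], triage(rec))
```

On a live host, `ls -Z /dev/nvidiactl` against `matchpathcon /dev/nvidiactl` confirms which case applies; a mismatch means relabelling, not a policy allow rule, is the fix.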
