Summary: SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23 "read write" access on nvidiactl

Detailed Description: [boinc_client is a permissive type (boinc_t). This access was not denied.] SELinux denied access requested by einsteinbinary_. It is not expected that this access is required by einsteinbinary_ and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access. See FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context system_u:system_r:boinc_t:s0
Target Context system_u:object_r:xserver_misc_device_t:s0
Target Objects nvidiactl [ chr_file ]
Source boinc_client
Source Path /usr/bin/boinc_client
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.7.19-15.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux (removed) 2.6.33.4-95.fc13.i686 #1 SMP Thu May 13 05:55:24 UTC 2010 i686 i686
Alert Count 3
First Seen Sun 23 May 2010 12:12:27 CEST
Last Seen Sun 23 May 2010 12:12:41 CEST
Local ID 7fbdf998-ba93-4681-badf-6c835b74f62b
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1274609561.764:64): avc: denied { read write } for pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
node=(removed) type=AVC msg=audit(1274609561.764:64): avc: denied { open } for pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
node=(removed) type=SYSCALL msg=audit(1274609561.764:64): arch=40000003 syscall=5 success=yes exit=12 a0=bf8890c4 a1=8002 a2=0 a3=0 items=0 ppid=3634 pid=4643 auid=0 uid=490 gid=476 euid=490 suid=490 fsuid=490 egid=476 sgid=476 fsgid=476 tty=(none) ses=2 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23" subj=system_u:system_r:boinc_t:s0 key=(null)

Hash String generated from catchall,boinc_client,boinc_t,xserver_misc_device_t,chr_file,read,write

audit2allow suggests:

#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, initrc_devpts_t, devtty_t
allow boinc_t xserver_misc_device_t:chr_file { read write open };
*** Bug 595090 has been marked as a duplicate of this bug. ***
*** Bug 596573 has been marked as a duplicate of this bug. ***
This appears to not be restricted to the Einstein project client. I have never run the Einstein project and am seeing this issue with "read write" and "open" on nvidiactl.
I'm seeing it on the seti@home BOINC project on multiple F13/x86_64 machines. (rpmfusion nVidia proprietary drivers) It seems that if you're using a recent project binary coupled with nvidia hardware and the proprietary driver, it'll automatically attempt to enable CUDA processing. However, as the open source driver does not support CUDA, I doubt that this is a Fedora-proper issue. (Problem is, it's not an rpmfusion issue either...) - Gilboa
This is fixed in the latest selinux-policy.
The problem reappeared in Fedora 14 Alpha.
I also see this issue with the latest boinc client, on Fedora 13, even though I updated to selinux policy version 3.7.19-62.fc13 (updates-testing), in order to solve other selinux policy bugs. I still get these raw avcs among others (related to the project cosmology@home):

node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { read write } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { open } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
node=perfect-tuxie type=SYSCALL msg=audit(1285712657.647:32929): arch=c000003e syscall=2 success=yes exit=6 a0=7fffa8e340d0 a1=2 a2=7fffa8e340de a3=0 items=0 ppid=1 pid=5012 auid=500 uid=491 gid=476 euid=491 suid=491 fsuid=491 egid=476 sgid=476 fsgid=476 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)

I have already tried to do restorecon -v /dev/nvidia* and semanage fcontext -m -t xserver_misc_device_t "/dev/nvidia*" (in an attempt to make the change more permanent). By using system-config-selinux, I verified this change to the policy is inserted and I also verified that there is already by default a file context labelling xserver_misc_device_t:s0 to /dev/nvidia.*. However, after restart the two files /dev/nvidia0 and /dev/nvidiactl are relabelled to device_t:s0.
Then that is either a bug in udev or the kernel module that creates the device. udev is supposed to make sure files in /dev are labelled correctly.
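The two sets of AVCs in this bug illustrate a triage distinction that audit2allow alone does not make: in the original report nvidiactl carries its proper label (xserver_misc_device_t), so the denial is a policy gap, while in the later comment it carries the generic device_t label, so the right fix is relabelling (restorecon), not an allow rule against device_t. The following Python is an added example, not code from this bug, setroubleshoot or audit2allow; it parses raw AVC/SYSCALL records like the ones pasted above, merges denials into audit2allow-style rules, checks whether each denied call actually failed (a denied AVC paired with SYSCALL success=yes means the domain or system was permissive, as setroubleshoot said of boinc_t), and classifies the target label. The GENERIC_TYPES set is my assumption about which labels indicate that no specific file context was applied; the sample records are copied from this bug with the SYSCALL lines trimmed.

```python
"""Triage raw SELinux audit records: audit2allow-style rule merging plus label sanity checks."""
import re
from collections import OrderedDict, defaultdict

# Sample records copied from the AVCs in this bug (node= prefix kept, SYSCALL fields trimmed).
SAMPLE_LOG = """\
node=(removed) type=AVC msg=audit(1274609561.764:64): avc: denied { read write } for pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
node=(removed) type=AVC msg=audit(1274609561.764:64): avc: denied { open } for pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
node=(removed) type=SYSCALL msg=audit(1274609561.764:64): arch=40000003 syscall=5 success=yes exit=12 pid=4643 comm="einsteinbinary_" subj=system_u:system_r:boinc_t:s0 key=(null)
node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { read write } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc: denied { open } for pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
node=perfect-tuxie type=SYSCALL msg=audit(1285712657.647:32929): arch=c000003e syscall=2 success=yes exit=6 pid=5012 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)
"""

HDR_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: these labels mean "nothing specific was applied", i.e. a labelling bug, not a policy gap.
GENERIC_TYPES = {'device_t', 'default_t', 'unlabeled_t', 'file_t'}


def parse_line(line):
    """Parse one audit record into a dict; AVC records get 'result' and 'perms' extracted."""
    m = HDR_RE.search(line)
    if not m:
        return None
    rec = {'type': m['type'], 'serial': int(m['serial'])}
    body = m['body']
    if rec['type'] == 'AVC':
        a = AVC_RE.match(body)
        if not a:
            return None
        rec['result'] = a['result']
        rec['perms'] = a['perms'].split()
        body = a['fields']
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return rec


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def collapse(records):
    """Merge denied AVCs into (source type, target type, class) -> permission list, first-seen order."""
    rules = OrderedDict()
    for r in records:
        if r['type'] != 'AVC' or r['result'] != 'denied':
            continue
        key = (context_type(r['scontext']), context_type(r['tcontext']), r['tclass'])
        perms = rules.setdefault(key, [])
        for p in r['perms']:
            if p not in perms:
                perms.append(p)
    return rules


def format_rule(key, perms):
    s, t, c = key
    return f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"


def enforced(records):
    """serial -> True if the denied syscall actually failed; False means permissive domain or mode."""
    by_serial = defaultdict(list)
    for r in records:
        by_serial[r['serial']].append(r)
    out = {}
    for serial, recs in by_serial.items():
        denied = any(r['type'] == 'AVC' and r['result'] == 'denied' for r in recs)
        syscalls = [r for r in recs if r['type'] == 'SYSCALL']
        if denied and syscalls:
            out[serial] = all(r.get('success') == 'no' for r in syscalls)
    return out


def triage(log_text):
    """Return merged rules, the recommended action per rule, and enforcement status per event."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    result = {'rules': {}, 'action': {}, 'enforced': enforced(records)}
    for key, perms in collapse(records).items():
        result['rules'][key] = format_rule(key, perms)
        # A generic target label means the object was never given its real context:
        # fix it with restorecon (and check semanage fcontext -l) instead of widening policy.
        result['action'][key] = 'relabel' if key[1] in GENERIC_TYPES else 'allow'
    return result


if __name__ == '__main__':
    res = triage(SAMPLE_LOG)
    for key, rule in res['rules'].items():
        print(f"{res['action'][key]:8} {rule}")
    for serial, was_enforced in res['enforced'].items():
        print(f"event {serial}: {'enforced' if was_enforced else 'logged only (permissive)'}")
```

Run against the records from this bug it reproduces the audit2allow line from the original report for the xserver_misc_device_t case, marks the device_t case as a relabelling problem, and reports both events as logged but not enforced, which is consistent with setroubleshoot's note that boinc_t is a permissive type.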