595092 – SELinux está negando a /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23 el acceso "read write" on nvidiactl

Bug 595092 - SELinux está negando a /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23 el acceso "read write" on nvidiactl

Summary: SELinux está negando a /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	13
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:53e64719e0c...
Duplicates (2):	595090 596573 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-05-23 10:23 UTC by Felipe Hommen
Modified:	2010-11-18 09:33 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-07-28 06:12:45 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Felipe Hommen 2010-05-23 10:23:07 UTC

Resúmen:

SELinux está negando a
/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23
el acceso "read write" on nvidiactl

Descripción Detallada:

[boinc_client es un tipo permisivo (boinc_t). Este acceso no fue denegado.]

SELinux negó el acceso requerido por einsteinbinary_. No se esperaba que este
acceso fuera requerido por einsteinbinary_, y puede ser indicio de un intento de
ataque. También es posible que la versión específica o la configuración de
la aplicación esté provocando esta necesidad de acceso adicional

Permitiendo Acceso:

Puede generar un módulo de política local para permitir este acceso. Vea FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Por favor, informe
este error.

Información Adicional:

Contexto Fuente               system_u:system_r:boinc_t:s0
Contexto Destino              system_u:object_r:xserver_misc_device_t:s0
Objetos Destino               nvidiactl [ chr_file ]
Fuente                        boinc_client
Dirección de Fuente          /usr/bin/boinc_client
Puerto                        <Desconocido>
Nombre de Equipo              (eliminado)
Paquetes RPM Fuentes          
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.7.19-15.fc13
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Enforcing
Nombre de Plugin              catchall
Nombre de Equipo              (eliminado)
Plataforma                    Linux (eliminado) 2.6.33.4-95.fc13.i686 #1 SMP Thu May
                              13 05:55:24 UTC 2010 i686 i686
Cantidad de Alertas           3
Visto por Primera Vez         dom 23 may 2010 12:12:27 CEST
Visto por Última Vez         dom 23 may 2010 12:12:41 CEST
ID Local                      7fbdf998-ba93-4681-badf-6c835b74f62b
Números de Línea            

Mensajes de Auditoría Crudos 

node=(eliminado) type=AVC msg=audit(1274609561.764:64): avc:  denied  { read write } for  pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

node=(eliminado) type=AVC msg=audit(1274609561.764:64): avc:  denied  { open } for  pid=4643 comm="einsteinbinary_" name="nvidiactl" dev=devtmpfs ino=13709 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

node=(eliminado) type=SYSCALL msg=audit(1274609561.764:64): arch=40000003 syscall=5 success=yes exit=12 a0=bf8890c4 a1=8002 a2=0 a3=0 items=0 ppid=3634 pid=4643 auid=0 uid=490 gid=476 euid=490 suid=490 fsuid=490 egid=476 sgid=476 fsgid=476 tty=(none) ses=2 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_ABP2_1.11_i686-pc-linux-gnu__ABP2cuda23" subj=system_u:system_r:boinc_t:s0 key=(null)



Hash String generated from  catchall,boinc_client,boinc_t,xserver_misc_device_t,chr_file,read,write
audit2allow suggests:

#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, initrc_devpts_t, devtty_t

allow boinc_t xserver_misc_device_t:chr_file { read write open };

Comment 1 Miroslav Grepl 2010-05-24 12:19:24 UTC

*** Bug 595090 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2010-05-28 12:20:34 UTC

*** Bug 596573 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Stripes 2010-05-28 18:32:22 UTC

This appears to not be restricted to the Einstein project client.  I have never run the Einstein project and am seeing this issue with "read write" and "open" on nvidiactl.

Comment 4 Gilboa Davara 2010-06-03 15:16:28 UTC

I'm seeing it on seti@home BOINC project on multiple F13/x86_64 machines. (rpmfusion nVidia proprietary drivers)
It seems that if you're using a recent project binary coupled with nvidia hardware and proprietary driver, it'll automatically attempt to enable CUDA processing.

However, as the open source driver does not support CUDA, I doubt that this is a Fedora-proper issue. (Problem is - its not an rpmfusion issue either...)

- Gilboa

Comment 5 Miroslav Grepl 2010-07-28 06:12:45 UTC

This is fixed in the latest selinux-policy.

Comment 6 Vaclav "sHINOBI" Misek 2010-08-24 18:38:42 UTC

The problem reappeared in Fedora 14 Alpha.

Comment 7 vitor.dominor 2010-09-29 01:50:11 UTC

I also see this issue with the latest boinc client, on Fedora 13, even though I updated to selinux policy version 3.7.19-62.fc13 (updates-testing), in order to solve other selinux policy bugs.
I still get these raw avcs among others (related to the project cosmology@home):

node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc:  denied  { read write } for  pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=perfect-tuxie type=AVC msg=audit(1285712657.647:32929): avc:  denied  { open } for  pid=5012 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=15925 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=perfect-tuxie type=SYSCALL msg=audit(1285712657.647:32929): arch=c000003e syscall=2 success=yes exit=6 a0=7fffa8e340d0 a1=2 a2=7fffa8e340de a3=0 items=0 ppid=1 pid=5012 auid=500 uid=491 gid=476 euid=491 suid=491 fsuid=491 egid=476 sgid=476 fsgid=476 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)

I have already tried to do restorecon -v /dev/nvidia* and semanage fcontext -m -t xserver_misc_device_t "/dev/nvidia*" (in an attempt to make the change more permanent). By using system-config-selinux, I verified this change to the policy is inserted and I also verified that there is already by default a file context labelling xserver_misc_device_t:s0 to /dev/nvidia.*. However, after restart the two files /dev/nvidia0 and /dev/nvdiactl are relabelled to device_t:s0.

Comment 8 Daniel Walsh 2010-09-29 12:50:27 UTC

Then that is either a bug in udev or the kernel module that creates the device.

udev is supposed to make sure files in /dev are labelled correctly.

Note You need to log in before you can comment on or make changes to this bug.