Fedora Account System
Red Hat Associate
Red Hat Customer
Summary: SELinux is preventing /var/lib/boinc/projects/www.rnaworld.de_rnaworld/cmswrapper_0.10_x86_64-pc-linux-gnu "search" access . Detailed Description: SELinux denied access requested by cmswrapper_0.10. It is not expected that this access is required by cmswrapper_0.10 and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:boinc_t:s0 Target Context system_u:object_r:sysctl_vm_t:s0 Target Objects None [ dir ] Source cmswrapper_0.10 Source Path /var/lib/boinc/projects/www.rnaworld.de_rnaworld/c mswrapper_0.10_x86_64-pc-linux-gnu Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.7.19-15.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.4-95.fc13.x86_64 #1 SMP Thu May 13 05:16:23 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Wed 26 May 2010 07:59:12 AM EDT Last Seen Wed 26 May 2010 09:02:40 AM EDT Local ID 42dc6e9b-ecb1-451e-8944-d31006e86c9c Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1274878960.814:47133): avc: denied { search } for pid=2463 comm="cmswrapper_0.10" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1274878960.814:47133): arch=c000003e syscall=2 success=no exit=-2 a0=42771c a1=0 a2=1b6 a3=0 items=0 ppid=2063 pid=2463 auid=4294967295 uid=491 gid=472 euid=491 suid=491 fsuid=491 egid=472 sgid=472 fsgid=472 tty=(none) ses=4294967295 comm="cmswrapper_0.10" exe="/var/lib/boinc/projects/www.rnaworld.de_rnaworld/cmswrapper_0.10_x86_64-pc-linux-gnu" subj=system_u:system_r:boinc_t:s0 key=(null) Hash String generated from catchall,cmswrapper_0.10,boinc_t,sysctl_vm_t,dir,search audit2allow suggests: #============= boinc_t ============== allow boinc_t sysctl_vm_t:dir search;
Miroslav does boinc need to read all sysctls?
Actually it depends on individual projects. This is first project, which I am seeing, required this access.
Ok I am going to allow it. But we might need to start writing policy per projects like for munin. Fixed in selinux-policy-3.7.19-22.fc13.noarch
(In reply to comment #3) > Ok I am going to allow it. But we might need to start writing policy per > projects like for munin. > Yes, I was also thinking about that.
selinux-policy-3.7.19-22.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13
selinux-policy-3.7.19-22.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-23.fc13
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.