Bug 596573 - SELinux is preventing /usr/bin/boinc_client "read write" access to device nvidiactl.
Status: CLOSED DUPLICATE of bug 595092
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:dbf0c2a84d5...
Duplicates: 596583 597200
Reported: 2010-05-26 21:46 EDT by Daniel Stripes
Modified: 2011-03-16 17:07 EDT
CC List: 13 users
Doc Type: Bug Fix
Last Closed: 2010-05-28 08:20:34 EDT
Attachments: None
Description Daniel Stripes 2010-05-26 21:46:23 EDT
Summary:

SELinux is preventing /usr/bin/boinc_client "read write" access to device
nvidiactl.

Detailed Description:

[boinc_client has a permissive type (boinc_t). This access was not denied.]

SELinux has denied boinc_client "read write" access to device nvidiactl.
nvidiactl is mislabeled: this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices should
have a label. You can attempt to change the label of the file using restorecon
-v 'nvidiactl'. If this device remains labeled device_t, then this is a bug in
SELinux policy. Please file a bug report. If you look at the other similar
devices' labels, ls -lZ /dev/SIMILAR, and find a type that would work for
nvidiactl, you can use chcon -t SIMILAR_TYPE 'nvidiactl'. If this fixes the
problem, you can make this permanent by executing semanage fcontext -a -t
SIMILAR_TYPE 'nvidiactl'. If the restorecon changes the context, this indicates
that the application that created the device created it without using SELinux
APIs. If you can figure out which application created the device, please file a
bug report against this application.

Allowing Access:

Attempt restorecon -v 'nvidiactl' or chcon -t SIMILAR_TYPE 'nvidiactl'

Additional Information:

Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           boinc-client-6.10.45-1.r21128svn.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.x86_64 #1
                              SMP Thu May 13 05:16:23 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 26 May 2010 09:30:39 PM EDT
Last Seen                     Wed 26 May 2010 09:30:39 PM EDT
Local ID                      a92bbd4b-d74e-476c-8563-ff4139516ba3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274923839.61:46045): avc:  denied  { read write } for  pid=5201 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=17152 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1274923839.61:46045): avc:  denied  { open } for  pid=5201 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=17152 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1274923839.61:46045): arch=c000003e syscall=2 success=yes exit=6 a0=7fffd4a64660 a1=2 a2=7fffd4a6466e a3=0 items=0 ppid=1 pid=5201 auid=4294967295 uid=491 gid=472 euid=491 suid=491 fsuid=491 egid=472 sgid=472 fsgid=472 tty=(none) ses=4294967295 comm="boinc_client" exe="/usr/bin/boinc_client" subj=system_u:system_r:boinc_t:s0 key=(null)



Hash String generated from  device,boinc_client,boinc_t,device_t,chr_file,read,write
audit2allow suggests:

#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, initrc_devpts_t, devtty_t

allow boinc_t device_t:chr_file { read write open };
Comment 1 Miroslav Grepl 2010-05-27 06:22:49 EDT
*** Bug 596583 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2010-05-27 07:02:31 EDT
Were you running Einstein project when this happened?


nvidiactl is also mislabeled. This device got created with the wrong label.

Run:

restorecon -R -v /dev/nvidiactl
Comment 3 Daniel Stripes 2010-05-28 07:25:52 EDT
(In reply to comment #2)
> Were you running Einstein project when this happened?

No, never have.

> nvidiactl is also mislabeled. This device got created with the wrong label.
> 
> Run:
> 
> restorecon -R -v /dev/nvidiactl    

Okay, I have now run:

restorecon -R -v /dev/nvidiactl

and

restorecon -R -v /dev/nvidia0

and I will see whether there is a recurrence.

Thank you.
Comment 4 Daniel Stripes 2010-05-28 07:41:01 EDT
(In reply to comment #3)

> Okay, I have now run:
> 
> restorecon -R -v /dev/nvidiactl
> 
> and
> 
> restorecon -R -v /dev/nvidia0
> 
> and I will see whether there is a recurrence.


After subsequent restart of the machine, I then did:

  $ su -c  'service boinc-client restart'

and received the alert again.  This is repeatable and happens every time boinc-client is restarted.
Comment 5 Miroslav Grepl 2010-05-28 08:19:46 EDT
*** Bug 597200 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Grepl 2010-05-28 08:20:34 EDT

*** This bug has been marked as a duplicate of bug 595092 ***
Comment 7 Vaclav "sHINOBI" Misek 2010-08-24 14:38:55 EDT
The problem reappeared in Fedora 14 Alpha.
Comment 8 Miroslav Grepl 2010-08-25 03:46:54 EDT
Do you mean the problem with labeling of nvidiactl? Are you seeing the same AVC?
Comment 9 Vaclav "sHINOBI" Misek 2010-08-25 04:40:21 EDT
Yes, it was assigned to this bug by setroubleshootd and AVC follows:

node=(removed) type=AVC msg=audit(1282698433.521:509): avc:  denied  { read write } for  pid=2905 comm="boinc_client" path="/dev/nvidia0" dev=devtmpfs ino=17117 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1282698433.521:509): arch=c000003e syscall=16 success=yes exit=0 a0=8 a1=c0304627 a2=7fffdaa4cd50 a3=7fffdaa4cde0 items=0 ppid=1 pid=2905 auid=500 uid=495 gid=491 euid=495 suid=495 fsuid=495 egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)
Comment 10 Joe Wood 2010-12-14 06:51:46 EST
Just installed boinc. Still happening under F14, x86_64.
Comment 11 Miroslav Grepl 2010-12-14 07:40:12 EST
So does it happen after reboot? 

I mean have you run 

# restorecon -R -v /dev/nvidia*
Comment 12 Joe Wood 2010-12-14 13:13:54 EST
Yes, I ran

# yum upgrade
! nothing to be done

# restorecon -R -v /dev/nvidia*

# reboot

System restarted, and we have an error.

Please note: following the reboot, /dev/nvidia* files had security context 

[root@neon joe]# ls -Z /dev/nvidia*
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidiactl

which is not what they had following the restorecon. Please see below error report.

Summary after boot:

SELinux is preventing /usr/bin/boinc_client "read write" access on nvidiactl.

Detailed Description:

SELinux denied access requested by boinc_client. It is not expected that this
access is required by boinc_client and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:boinc_t:s0
Target Context                system_u:object_r:xserver_misc_device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Unknown>
Host                          neon.aleph.org.uk
Source RPM Packages           boinc-client-6.10.45-2.r21128svn.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     neon.aleph.org.uk
Platform                      Linux neon.aleph.org.uk 2.6.35.9-64.fc14.x86_64 #1
                              SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 14 Dec 2010 17:56:52 GMT
Last Seen                     Tue 14 Dec 2010 17:56:52 GMT
Local ID                      ddf583de-ae8e-46fb-ab73-ddba0966a2b7
Line Numbers                  

Raw Audit Messages            

node=neon.aleph.org.uk type=AVC msg=audit(1292349412.963:35965): avc:  denied  { read write } for  pid=3173 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=16848 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

node=neon.aleph.org.uk type=SYSCALL msg=audit(1292349412.963:35965): arch=c000003e syscall=2 success=no exit=-13 a0=7fff8d122ab0 a1=2 a2=7fff8d122abe a3=0 items=0 ppid=1 pid=3173 auid=500 uid=489 gid=473 euid=489 suid=489 fsuid=489 egid=473 sgid=473 fsgid=473 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)




OK, stopped boinc-client
[root@neon joe]# service boinc-client stop
Stopping boinc-client:                                     [  OK  ]

relabelled files
[root@neon joe]# ls -Z /dev/nvidia*
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/nvidiactl
[root@neon joe]# restorecon -R -v /dev/nvidia*
restorecon reset /dev/nvidia0 context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0
restorecon reset /dev/nvidiactl context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0

restart boinc-client, no reboot

[root@neon joe]# service boinc-client start
Starting boinc-client:                                     [  OK  ]

and another (different?) error


Summary:

SELinux is preventing /usr/bin/boinc_client "read write" access on nvidiactl.

Detailed Description:

SELinux denied access requested by boinc_client. It is not expected that this
access is required by boinc_client and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:boinc_t:s0
Target Context                system_u:object_r:xserver_misc_device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Unknown>
Host                          neon.aleph.org.uk
Source RPM Packages           boinc-client-6.10.45-2.r21128svn.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     neon.aleph.org.uk
Platform                      Linux neon.aleph.org.uk 2.6.35.9-64.fc14.x86_64 #1
                              SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 14 Dec 2010 17:56:52 GMT
Last Seen                     Tue 14 Dec 2010 18:08:02 GMT
Local ID                      ddf583de-ae8e-46fb-ab73-ddba0966a2b7
Line Numbers                  

Raw Audit Messages            

node=neon.aleph.org.uk type=AVC msg=audit(1292350082.863:45): avc:  denied  { read write } for  pid=3191 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=16870 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file

node=neon.aleph.org.uk type=SYSCALL msg=audit(1292350082.863:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fff743fb0d0 a1=2 a2=7fff743fb0de a3=0 items=0 ppid=1 pid=3191 auid=500 uid=489 gid=473 euid=489 suid=489 fsuid=489 egid=473 sgid=473 fsgid=473 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)


hope that helps.
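The thread contains two different denials on the same device node: the F13 report, where /dev/nvidiactl still carried the generic device_t label (fixed by restorecon) and boinc_t was permissive, and the F14 report in comment 12, where the node is correctly labeled xserver_misc_device_t and the policy simply has no rule for boinc_t. The following is an added shell example, not code from the bug report or the selinux-policy project; the audit lines are constructed from the records quoted above, and the triage rule (device_t on a chr_file/blk_file means mislabeled, any other device type means a policy gap) is this example's own heuristic.

```shell
#!/bin/sh
# Triage AVC denials on device nodes. Sample audit records constructed from
# the F13 and F14 records quoted in this bug (hostnames dropped).
AVC_F13='node=x type=AVC msg=audit(1274923839.61:46045): avc:  denied  { read write } for  pid=5201 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=17152 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'
SYSCALL_F13='node=x type=SYSCALL msg=audit(1274923839.61:46045): arch=c000003e syscall=2 success=yes exit=6 pid=5201 comm="boinc_client" exe="/usr/bin/boinc_client"'
AVC_F14='node=x type=AVC msg=audit(1292349412.963:35965): avc:  denied  { read write } for  pid=3173 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=16848 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file'
SYSCALL_F14='node=x type=SYSCALL msg=audit(1292349412.963:35965): arch=c000003e syscall=2 success=no exit=-13 pid=3173 comm="boinc_client" exe="/usr/bin/boinc_client"'

# audit_field LINE KEY: print the value of the KEY=value token in an audit record
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc AVC_LINE (heuristic of this example): "mislabeled" when the target is
# a device node still carrying the generic /dev label device_t (fix: restorecon),
# "policy" when it carries a real device type and the domain lacks the rule,
# "other" for anything that is not a device node.
triage_avc() {
    case "$(audit_field "$1" tclass)" in
        chr_file|blk_file)
            if [ "$(ctx_type "$(audit_field "$1" tcontext)")" = device_t ]; then
                echo mislabeled
            else
                echo policy
            fi ;;
        *) echo other ;;
    esac
}

# syscall_outcome SYSCALL_LINE: a denied AVC whose syscall still reports success=yes
# came from a permissive domain (logged, not blocked); success=no means it was enforced.
syscall_outcome() {
    if [ "$(audit_field "$1" success)" = yes ]; then echo permissive; else echo enforced; fi
}

# Walk both record pairs; the AVC/SYSCALL pair is joined with '|' which audit lines never contain.
for pair in "$AVC_F13|$SYSCALL_F13" "$AVC_F14|$SYSCALL_F14"; do
    avc=${pair%%|*}; sc=${pair#*|}
    printf '%s on %s: %s, %s\n' "$(audit_field "$avc" comm)" "$(audit_field "$avc" name)" \
        "$(triage_avc "$avc")" "$(syscall_outcome "$sc")"
done
```

Only the "mislabeled" case is fixed by restorecon; a "policy" result means relabeling will not help and, as audit2allow's own comment in the description warns, allowing boinc_t to write device_t would cover every unlabeled node in /dev rather than just the NVIDIA ones.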
Comment 13 Christof Kaelin 2011-03-16 17:07:54 EDT
Ack that bug is still there on actual F14.
