Fedora Account System
Red Hat Associate
Red Hat Customer
Summary: SELinux is preventing /usr/bin/boinc_client "read write" access to device nvidiactl. Detailed Description: [boinc_client has a permissive type (boinc_t). This access was not denied.] SELinux has denied boinc_client "read write" access to device nvidiactl. nvidiactl is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v 'nvidiactl'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bg report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for nvidiactl, you can use chcon -t SIMILAR_TYPE 'nvidiactl', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl' If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application. Allowing Access: Attempt restorecon -v 'nvidiactl' or chcon -t SIMILAR_TYPE 'nvidiactl' Additional Information: Source Context system_u:system_r:boinc_t:s0 Target Context system_u:object_r:device_t:s0 Target Objects nvidiactl [ chr_file ] Source boinc_client Source Path /usr/bin/boinc_client Port <Unknown> Host (removed) Source RPM Packages boinc-client-6.10.45-1.r21128svn.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-15.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name device Host Name (removed) Platform Linux (removed) 2.6.33.4-95.fc13.x86_64 #1 SMP Thu May 13 05:16:23 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Wed 26 May 2010 09:30:39 PM EDT Last Seen Wed 26 May 2010 09:30:39 PM EDT Local ID a92bbd4b-d74e-476c-8563-ff4139516ba3 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1274923839.61:46045): avc: denied { read write } for pid=5201 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=17152 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file node=(removed) type=AVC msg=audit(1274923839.61:46045): avc: denied { open } for pid=5201 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=17152 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file node=(removed) type=SYSCALL msg=audit(1274923839.61:46045): arch=c000003e syscall=2 success=yes exit=6 a0=7fffd4a64660 a1=2 a2=7fffd4a6466e a3=0 items=0 ppid=1 pid=5201 auid=4294967295 uid=491 gid=472 euid=491 suid=491 fsuid=491 egid=472 sgid=472 fsgid=472 tty=(none) ses=4294967295 comm="boinc_client" exe="/usr/bin/boinc_client" subj=system_u:system_r:boinc_t:s0 key=(null) Hash String generated from device,boinc_client,boinc_t,device_t,chr_file,read,write audit2allow suggests: #============= boinc_t ============== #!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types: # null_device_t, zero_device_t, initrc_devpts_t, devtty_t allow boinc_t device_t:chr_file { read write open };
*** Bug 596583 has been marked as a duplicate of this bug. ***
Were you running Einstein project when this happened? nvidiactl is also mislabeled. This device got created with the wrong label. Run: restorecon -R -v /dev/nvidiactl
(In reply to comment #2) > Were you running Einstein project when this happened? No, never have. > nvidiactl is also mislabeled. This device got created with the wrong label. > > Run: > > restorecon -R -v /dev/nvidiactl Okay, I have now run: restorecon -R -v /dev/nvidiactl and restorecon -R -v /dev/nvidia0 and I will see whether there is a recurrence. Thank you.
(In reply to comment #3) > Okay, I have now run: > > restorecon -R -v /dev/nvidiactl > > and > > restorecon -R -v /dev/nvidia0 > > and I will see whether there is a recurrence. After subsequent restart of the machine, I then did: $ su -c 'service boinc-client restart' and received the alert again. This is repeatable and happens every time boinc-client is restarted.
*** Bug 597200 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 595092 ***
The problem reappeared in Fedora 14 Alpha.
Do you mean the problem with labeling of nvidiactl? Are you seeing the same AVC?
Yes, it was assigned to this bug by setroubleshootd and AVC follows: node=(removed) type=AVC msg=audit(1282698433.521:509): avc: denied { read write } for pid=2905 comm="boinc_client" path="/dev/nvidia0" dev=devtmpfs ino=17117 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file node=(removed) type=SYSCALL msg=audit(1282698433.521:509): arch=c000003e syscall=16 success=yes exit=0 a0=8 a1=c0304627 a2=7fffdaa4cd50 a3=7fffdaa4cde0 items=0 ppid=1 pid=2905 auid=500 uid=495 gid=491 euid=495 suid=495 fsuid=495 egid=491 sgid=491 fsgid=491 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)
Just installed boinc. Still happening under F14, x86_64.
So does it happen after reboot? I mean have you run # restorecon -R -v /dev/dev/nvidia*
Yes, I ran # yum upgrade ! nothing to be done # restorecon -R -v /dev/nvidia* # reboot System restarted, and we have an error. Please note: following the reboot, /dev/nvidia* files had security context [root@neon joe]# ls -Z /dev/nvidia* crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia0 crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidiactl which is not what they had following the restorecon. Please see below error report. Summary after boot: SELinux is preventing /usr/bin/boinc_client "read write" access on nvidiactl. Detailed Description: SELinux denied access requested by boinc_client. It is not expected that this access is required by boinc_client and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:boinc_t:s0 Target Context system_u:object_r:xserver_misc_device_t:s0 Target Objects nvidiactl [ chr_file ] Source boinc_client Source Path /usr/bin/boinc_client Port <Unknown> Host neon.aleph.org.uk Source RPM Packages boinc-client-6.10.45-2.r21128svn.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-16.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name neon.aleph.org.uk Platform Linux neon.aleph.org.uk 2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Tue 14 Dec 2010 17:56:52 GMT Last Seen Tue 14 Dec 2010 17:56:52 GMT Local ID ddf583de-ae8e-46fb-ab73-ddba0966a2b7 Line Numbers Raw Audit Messages node=neon.aleph.org.uk type=AVC msg=audit(1292349412.963:35965): avc: denied { read write } for pid=3173 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=16848 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file node=neon.aleph.org.uk type=SYSCALL msg=audit(1292349412.963:35965): arch=c000003e syscall=2 success=no exit=-13 a0=7fff8d122ab0 a1=2 a2=7fff8d122abe a3=0 items=0 ppid=1 pid=3173 auid=500 uid=489 gid=473 euid=489 suid=489 fsuid=489 egid=473 sgid=473 fsgid=473 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null) OK, stopped boinc-client [root@neon joe]# service boinc-client stop Stopping boinc-client: [ OK ] relabelled files [root@neon joe]# ls -Z /dev/nvidia* crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia0 crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidiactl [root@neon joe]# restorecon -R -v /dev/nvidia* restorecon reset /dev/nvidia0 context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0 restorecon reset /dev/nvidiactl context system_u:object_r:device_t:s0->system_u:object_r:xserver_misc_device_t:s0 restart boinc-client, no reboot [root@neon joe]# service boinc-client start Starting boinc-client: [ OK ] and another (different?) error Summary: SELinux is preventing /usr/bin/boinc_client "read write" access on nvidiactl. Detailed Description: SELinux denied access requested by boinc_client. It is not expected that this access is required by boinc_client and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:boinc_t:s0 Target Context system_u:object_r:xserver_misc_device_t:s0 Target Objects nvidiactl [ chr_file ] Source boinc_client Source Path /usr/bin/boinc_client Port <Unknown> Host neon.aleph.org.uk Source RPM Packages boinc-client-6.10.45-2.r21128svn.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-16.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name neon.aleph.org.uk Platform Linux neon.aleph.org.uk 2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Tue 14 Dec 2010 17:56:52 GMT Last Seen Tue 14 Dec 2010 18:08:02 GMT Local ID ddf583de-ae8e-46fb-ab73-ddba0966a2b7 Line Numbers Raw Audit Messages node=neon.aleph.org.uk type=AVC msg=audit(1292350082.863:45): avc: denied { read write } for pid=3191 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=16870 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file node=neon.aleph.org.uk type=SYSCALL msg=audit(1292350082.863:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fff743fb0d0 a1=2 a2=7fff743fb0de a3=0 items=0 ppid=1 pid=3191 auid=500 uid=489 gid=473 euid=489 suid=489 fsuid=489 egid=473 sgid=473 fsgid=473 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null) hope that helps.
Ack that bug is still there on actual F14.