Bug 596583 - SELinux is preventing /usr/bin/boinc_client "open" access to device nvidiactl.
Summary: SELinux is preventing /usr/bin/boinc_client "open" access to device nvidiactl.
Status: CLOSED DUPLICATE of bug 596573
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: 13
Hardware: x86_64 Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f0fc69ea4cc...
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-27 03:04 UTC by Daniel Stripes
Modified: 2010-05-31 10:29 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-27 10:22:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Daniel Stripes 2010-05-27 03:04:55 UTC
Summary:

SELinux is preventing /usr/bin/boinc_client "open" access to device nvidiactl.

Detailed Description:

[boinc_client has a permissive type (boinc_t). This access was not denied.]

SELinux has denied boinc_client "open" access to device nvidiactl. nvidiactl is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v 'nvidiactl'. If
this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for nvidiactl, you can use chcon
-t SIMILAR_TYPE 'nvidiactl', If this fixes the problem, you can make this
permanent by executing semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl' If the
restorecon changes the context, this indicates that the application that created
the device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this
application.

Allowing Access:

Attempt restorecon -v 'nvidiactl' or chcon -t SIMILAR_TYPE 'nvidiactl'

Additional Information:

Source Context                unconfined_u:system_r:boinc_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           boinc-client-6.10.45-1.r21128svn.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux rigel.milky.way 2.6.33.4-95.fc13.x86_64 #1
                              SMP Thu May 13 05:16:23 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 26 May 2010 10:49:23 PM EDT
Last Seen                     Wed 26 May 2010 10:49:23 PM EDT
Local ID                      2aa743f5-9116-4e8b-a426-dc5f7b48b749
Line Numbers                  

Raw Audit Messages            

node=rigel.milky.way type=AVC msg=audit(1274928563.591:35): avc:  denied  { open } for  pid=3041 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=17479 scontext=unconfined_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=rigel.milky.way type=SYSCALL msg=audit(1274928563.591:35): arch=c000003e syscall=2 success=yes exit=14 a0=7fff01dbc720 a1=2 a2=7fff01dbc72e a3=19 items=0 ppid=1 pid=3041 auid=500 uid=491 gid=472 euid=491 suid=491 fsuid=491 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="boinc_client" exe="/usr/bin/boinc_client" subj=unconfined_u:system_r:boinc_t:s0 key=(null)



Hash String generated from  device,boinc_client,boinc_t,device_t,chr_file,open
audit2allow suggests:

#============= boinc_t ==============
allow boinc_t device_t:chr_file open;

Comment 1 Miroslav Grepl 2010-05-27 10:22:49 UTC

*** This bug has been marked as a duplicate of bug 596573 ***


Note You need to log in before you can comment on or make changes to this bug.