Summary: SELinux is preventing /bin/bash "execute" access on /bin/bash. Detailed Description: [sh has a permissive type (boinc_project_t). This access was not denied.] SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:boinc_project_t:s0 Target Context system_u:object_r:shell_exec_t:s0 Target Objects /bin/bash [ file ] Source sh Source Path /bin/bash Port <Unknown> Host (removed) Source RPM Packages bash-4.1.7-1.fc13 Target RPM Packages bash-4.1.7-1.fc13 Policy RPM selinux-policy-3.7.19-44.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.6-147.2.4.fc13.x86_64 #1 SMP Fri Jul 23 17:14:44 UTC 2010 x86_64 x86_64 Alert Count 15 First Seen Wed 11 Aug 2010 06:02:39 AM EDT Last Seen Wed 11 Aug 2010 08:08:40 PM EDT Local ID 7fe8517a-580c-459e-855c-7b7b37b164b1 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1281571720.390:32): avc: denied { execute } for pid=2570 comm="primegrid_sr2si" name="bash" dev=dm-4 ino=1049138 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file node=(removed) type=AVC msg=audit(1281571720.390:32): avc: denied { read open } for pid=2570 comm="primegrid_sr2si" name="bash" dev=dm-4 ino=1049138 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file node=(removed) type=AVC msg=audit(1281571720.390:32): avc: denied { execute_no_trans } for pid=2570 comm="primegrid_sr2si" path="/bin/bash" dev=dm-4 ino=1049138 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1281571720.390:32): arch=c000003e syscall=59 success=yes exit=0 a0=3edb540be3 a1=7fff46337560 a2=7fff46339ac8 a3=8 items=0 ppid=2536 pid=2570 auid=4294967295 uid=491 gid=472 euid=491 suid=491 fsuid=491 egid=472 sgid=472 fsgid=472 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:boinc_project_t:s0 key=(null) Hash String generated from catchall,sh,boinc_project_t,shell_exec_t,file,execute audit2allow suggests: #============= boinc_project_t ============== allow boinc_project_t shell_exec_t:file { read execute open execute_no_trans };
Installed some updates today. Restarted the system after installing the last couple updates this evening and observed pop-up notice of 20-something avc denials since last boot, restarted the system again and observed avc denial pop-up notice again. Also noted that abrt status bar indicates "Error while checking policy version."
You can add these rules for now using # grep boinc /var/log/audit/audit.log | audit2allow -M myboinc # semodule -i myboinc.pp
Fixed in selinux-policy-3.7.19-47.fc13
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping