Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 623533 - SELinux empêche l'accès en "write" à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_fi
SELinux empêche l'accès en "write" à /var/lib/boinc/projects/www.worldcommuni...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:d2fcf9cc579...
:
: 623534 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-12 00:13 EDT by Nicolas Berrehouc
Modified: 2011-06-01 07:42 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-01 07:42:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nicolas Berrehouc 2010-08-12 00:13:48 EDT
Résumé:

SELinux empêche l'accès en "write" à
/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu
on fifo_fi

Description détaillée:

[wcg_faah_autodo a un type permissif (boinc_project_t). Cet accès n'a pas été
refusé.]

SELinux a refusé l'accès demandé par wcg_hfcc_autodo. Il n'est pas prévu que
cet accès soit requis par wcg_hfcc_autodo et cet accès peut signaler une
tentative d'intrusion. Il est également possible que cette version ou cette
configuration spécifique de l'application provoque cette demande d'accès
supplémenta

Autoriser l'accès:

Vous pouvez créer un module de stratégie locale pour autoriser cet accès -
lisez la FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Merci de
remplir un rapport de bogue.

Informations complémentaires:

Contexte source               system_u:system_r:boinc_project_t:s0
Contexte cible                system_u:system_r:boinc_project_t:s0
Objets du contexte            fifo_file [ fifo_file ]
source                        wcg_faah_autodo
Chemin de la source           /var/lib/boinc/projects/www.worldcommunitygrid.org
                              /wcg_faah_autodock_6.07_i686-pc-linux-gnu
Port                          <Inconnu>
Hôte                         (supprimé)
Paquetages RPM source         
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.7.19-44.fc13
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                (supprimé)
Plateforme                    Linux (supprimé) 2.6.33.6-147.2.4.fc13.i686.PAE #1
                              SMP Fri Jul 23 17:21:06 UTC 2010 i686 i686
Compteur d'alertes            31
Première alerte              mer. 11 août 2010 06:36:09 CEST
Dernière alerte              jeu. 12 août 2010 06:09:53 CEST
ID local                      13a7b866-b604-42bc-baed-d4f416250031
Numéros des lignes           

Messages d'audit bruts        

node=(supprimé) type=AVC msg=audit(1281586193.815:130): avc:  denied  { write } for  pid=2767 comm="wcg_hfcc_autodo" path="pipe:[29429]" dev=pipefs ino=29429 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=fifo_file

node=(supprimé) type=SYSCALL msg=audit(1281586193.815:130): arch=40000003 syscall=4 success=yes exit=148 a0=8 a1=bf935320 a2=94 a3=bf935320 items=0 ppid=1489 pid=2767 auid=4294967295 uid=492 gid=480 euid=492 suid=492 fsuid=492 egid=480 sgid=480 fsgid=480 tty=(none) ses=4294967295 comm="wcg_hfcc_autodo" exe="/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu" subj=system_u:system_r:boinc_project_t:s0 key=(null)



Hash String generated from  catchall,wcg_faah_autodo,boinc_project_t,boinc_project_t,fifo_file,write
audit2allow suggests:

#============= boinc_project_t ==============
allow boinc_project_t self:fifo_file write;
Comment 1 Nicolas Berrehouc 2010-08-12 00:26:30 EDT
Boinc_client seems to work fine but SELinux always show this message.
/var/log/messages contains a lot of alert like.

Aug 12 06:09:20 Hostname setroubleshoot: SELinux empêche l'accès en "read" à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_file. For complete SELinux messages. run sealert -l 62c337c0-553a-4c1e-ae33-370045505045
Aug 12 06:10:08 Hostname setroubleshoot: [dbus.proxies.ERROR] Introspect error on :1.65:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Aug 12 06:10:15 Hostname setroubleshoot: SELinux empêche l'accès en "write" à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_file. For complete SELinux messages. run sealert -l 13a7b866-b604-42bc-baed-d4f416250031
Aug 12 06:10:16 Hostname setroubleshoot: SELinux empêche l'accès en "read" à /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_hfcc_autodock_6.11_i686-pc-linux-gnu on fifo_file. For complete SELinux messages. run sealert -l 62c337c0-553a-4c1e-ae33-370045505045

Before the last update all was working fine without Setroubleshoot message.
Comment 2 Miroslav Grepl 2010-08-12 04:18:55 EDT
*** Bug 623534 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-08-12 04:23:10 EDT
Boinc runs as permissive domain so nothing is blocked. Thanks for reporting.

Fixed in selinux-policy-3.7.19-46.fc13.

This update is available from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=189375
Comment 4 Nicolas Berrehouc 2010-08-14 10:02:14 EDT
Good job, update works fine.

# yum --enablerepo=updates-testing update selinux-policy

Bug can be closed.
Comment 5 Daniel Walsh 2010-08-15 08:13:05 EDT
Update karma.
Comment 6 Fedora Admin XMLRPC Client 2010-11-08 16:51:00 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 7 Fedora Admin XMLRPC Client 2010-11-08 16:52:16 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Fedora Admin XMLRPC Client 2010-11-08 16:53:38 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Bug Zapper 2011-06-01 07:37:21 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.