SELinux is preventing /usr/bin/boinc_client from read, write access on the chr_file nvidiactl.

***** Plugin device (91.4 confidence) suggests *****************************

If you want to allow boinc_client to have read write access on the nvidiactl chr_file
Then you need to change the label on nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'nvidiactl'
# restorecon -v 'nvidiactl'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that boinc_client should be allowed read write access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc_client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                nvidiactl [ chr_file ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           boinc-client-6.10.58-3.r22930svn.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686 #1 SMP Mon Feb 7 07:04:18 UTC 2011 i686 i686
Alert Count                   43
First Seen                    Ne 26. prosinec 2010, 10:31:14 CET
Last Seen                     Ne 20. únor 2011, 10:50:03 CET
Local ID                      1ba334e6-5eb9-468c-a008-ac8ae9785c13

Raw Audit Messages
type=AVC msg=audit(1298195403.341:33): avc: denied { read write } for pid=2834 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=14850 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1298195403.341:33): avc: denied { open } for pid=2834 comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=14850 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1298195403.341:33): arch=i386 syscall=open success=yes exit=ENXIO a0=bfa9fec8 a1=8002 a2=0 a3=bfa9fec8 items=0 ppid=1 pid=2834 auid=0 uid=492 gid=487 euid=492 suid=492 fsuid=492 egid=487 sgid=487 fsgid=487 tty=(none) ses=2 comm=boinc_client exe=/usr/bin/boinc_client subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc_client,boinc_t,device_t,chr_file,read,write

audit2allow
#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, devtty_t, initrc_devpts_t
allow boinc_t device_t:chr_file { read write open };

audit2allow -R
#============= boinc_t ==============
#!!!! The source type 'boinc_t' can write to a 'chr_file' of the following types:
# null_device_t, zero_device_t, devtty_t, initrc_devpts_t
allow boinc_t device_t:chr_file { read write open };
nvidiactl is mislabeled. This device got created with the wrong label. Run:

restorecon -R -v /dev/nvidiactl

If this happens again after restorecon, please reopen.
I had this problem until now. I just entered the command you suggested. But I am thinking about one thing... If nvidiactl has had the same wrong label since February, who is responsible? nVidia? I attach my error:

SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 from ioctl access on the chr_file /dev/nvidiactl.

***** Plugin restorecon (90.5 confidence) suggests *************************

If you want to fix the label.
/dev/nvidiactl default label should be xserver_misc_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/nvidiactl

***** Plugin device (9.50 confidence) suggests *****************************

If you want to allow einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 to have ioctl access on the nvidiactl chr_file
Then you need to change the label on /dev/nvidiactl to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/nvidiactl'
# restorecon -v '/dev/nvidiactl'

***** Plugin catchall (1.40 confidence) suggests ***************************

If you believe that einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 should be allowed ioctl access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep einsteinbinary_ /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contesto della sorgente       system_u:system_r:boinc_project_t:s0
Contesto target               system_u:object_r:device_t:s0
Oggetti target                /dev/nvidiactl [ chr_file ]
Sorgente                      einsteinbinary_
Percorso della sorgente       /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270
Porta                         <Sconosciuto>
Host                          Magic-4
Sorgente Pacchetti RPM
Pacchetti RPM target
RPM della policy              selinux-policy-3.9.16-35.fc15
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Magic-4
Piattaforma                   Linux Magic-4 2.6.40-4.fc15.x86_64 #1 SMP Fri Jul 29 18:46:53 UTC 2011 x86_64 x86_64
Conteggio avvisi              2
Primo visto                   lun 08 ago 2011 12:22:06 CEST
Ultimo visto                  lun 08 ago 2011 12:22:31 CEST
ID locale                     01a39def-c41a-4773-b086-e8dfd719104a

Messaggi Raw Audit
type=AVC msg=audit(1312798951.324:73): avc: denied { ioctl } for pid=2269 comm="einsteinbinary_" path="/dev/nvidiactl" dev=devtmpfs ino=19403 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1312798951.324:73): arch=i386 syscall=setsockopt success=yes exit=0 a0=f a1=c0104652 a2=ffdd3298 a3=f items=0 ppid=2249 pid=2269 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=einsteinbinary_ exe=/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270 subj=system_u:system_r:boinc_project_t:s0 key=(null)

Hash: einsteinbinary_,boinc_project_t,device_t,chr_file,ioctl

audit2allow
#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file ioctl;

audit2allow -R
#============= boinc_project_t ==============
allow boinc_project_t device_t:chr_file ioctl;
Yes, nvidia is causing the device to be created and not setting the label correctly. For some reason udev is not fixing the label. In F16 we can tell the kernel to create the device with the correct label, so it should be fixed there.
Ok, so finally the huge list of SELinux messages about BOINC with nVidia will terminate on Fedora 16.
We hope so. :^)
And not only for BOINC ;-).
Hi, now I am on Fedora 16. What about the corrected label in the new kernel, as written in comment 3?
It should be labeled correctly if you are fully updated.
I get this message:

SELinux is preventing /usr/bin/boinc_client from ioctl access on the chr_file /dev/nvidiactl.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that boinc_client should be allowed ioctl access on the nvidiactl chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc_client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contesto della sorgente       system_u:system_r:boinc_t:s0
Contesto target               system_u:object_r:xserver_misc_device_t:s0
Oggetti target                /dev/nvidiactl [ chr_file ]
Sorgente                      boinc_client
Percorso della sorgente       /usr/bin/boinc_client
Porta                         <Sconosciuto>
Host                          Magic-4
Sorgente Pacchetti RPM        boinc-client-6.12.35-1.r24014svn.fc16
Pacchetti RPM target
RPM della policy              selinux-policy-3.10.0-64.fc16
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Host Name                     Magic-4
Piattaforma                   Linux Magic-4 3.1.4-1.fc16.x86_64 #1 SMP Tue Nov 29 11:37:53 UTC 2011 x86_64 x86_64
Conteggio avvisi              1
first seen                    gio 08 dic 2011 21:25:07 CET
last seen                     gio 08 dic 2011 21:25:07 CET

Messaggi Raw Audit
type=AVC msg=audit(1323375907.287:180): avc: denied { ioctl } for pid=7194 comm="boinc_client" path="/dev/nvidiactl" dev=devtmpfs ino=21958 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1323375907.287:180): arch=x86_64 syscall=ioctl success=yes exit=0 a0=6 a1=c04846d2 a2=7fff45ae0c60 a3=0 items=0 ppid=1 pid=7194 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=boinc_client exe=/usr/bin/boinc_client subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc_client,boinc_t,xserver_misc_device_t,chr_file,ioctl

audit2allow
#============= boinc_t ==============
allow boinc_t xserver_misc_device_t:chr_file ioctl;

audit2allow -R
#============= boinc_t ==============
allow boinc_t xserver_misc_device_t:chr_file ioctl;
F14 is no longer supported. You can allow it using

# grep boinc_client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

or update to a newer release.
My last comment was about Fedora 16. I will open a new bug report about Fedora 16.
How is /usr/bin/boinc_client labeled?

# ls -Z /usr/bin/boinc_client
# matchpathcon /usr/bin/boinc_client
-rwxr-xr-x. root root system_u:object_r:boinc_exec_t:s0 /usr/bin/boinc_client
/usr/bin/boinc_client system_u:object_r:boinc_exec_t:s0
Ok, I need to fix it.
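The triage this thread walks through, as an added Python example that is not part of the bug report: compare the target type in each AVC record with the type the file-context database says the object should carry; a mismatch (device_t on /dev/nvidiactl) is a labeling problem fixed with restorecon, while a denial on a correctly labeled object (xserver_misc_device_t) is a genuine policy gap that belongs in a bug report or a local audit2allow module. The EXPECTED_TYPES table is an assumption standing in for a live matchpathcon call so the script runs offline, and the two AVC lines are abridged copies of the records posted above.

```python
import re

# Constructed input: the two AVC records from this thread (F14 and F16), SYSCALL records dropped.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1298195403.341:33): avc: denied { read write } for pid=2834 '
    'comm="boinc_client" name="nvidiactl" dev=devtmpfs ino=14850 '
    'scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1323375907.287:180): avc: denied { ioctl } for pid=7194 '
    'comm="boinc_client" path="/dev/nvidiactl" dev=devtmpfs ino=21958 '
    'scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file',
]

# Assumed stand-in for `matchpathcon <path>`: the thread states /dev/nvidiactl's
# default label is xserver_misc_device_t. On a real host, query matchpathcon instead.
EXPECTED_TYPES = {"/dev/nvidiactl": "xserver_misc_device_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'(?:path="(?P<path>[^"]+)"|name="(?P<name>[^"]+)").*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Extract the fields triage needs from one AVC record; None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Older records carry only name= (no path=); with dev=devtmpfs we assume the node is under /dev.
    target = d["path"] or "/dev/" + d["name"]
    return {
        "perms": d["perms"].split(),
        "target": target,
        "stype": d["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
    }

def triage(avc, expected=EXPECTED_TYPES):
    """Return ('mislabeled', fix) when the object's type is wrong, else ('policy_gap', rule)."""
    want = expected.get(avc["target"])
    if want and want != avc["ttype"]:
        return ("mislabeled", "restorecon -v " + avc["target"])
    # Label matches (or is unknown): a rule really is missing. This is the allow rule
    # audit2allow would emit; it goes in a bug report or a local module, not in the policy blindly.
    rule = "allow %s %s:%s { %s };" % (avc["stype"], avc["ttype"], avc["tclass"], " ".join(avc["perms"]))
    return ("policy_gap", rule)

def triage_log(lines, expected=EXPECTED_TYPES):
    return [triage(a, expected) for a in map(parse_avc, lines) if a]

if __name__ == "__main__":
    for verdict, action in triage_log(SAMPLE_AVCS):
        print(verdict, "->", action)
```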