Bug 689205 - SELinux is preventing /usr/bin/boinc_client from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0.
Summary: SELinux is preventing /usr/bin/boinc_client from 'connectto' accesses on the ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:9868c93e300...
: 893848 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-20 10:53 UTC by Nicolas Berrehouc
Modified: 2013-01-14 10:50 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.9.7-46.fc14
Clone Of:
Environment:
Last Closed: 2011-10-30 00:33:43 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
/var/log/messages from 21/03/2011 (4.30 KB, text/plain)
2011-03-24 11:54 UTC, Nicolas Berrehouc 		no flags Details
/var/log/messages from 27/03/2011 (4.00 KB, text/plain)
2011-03-27 08:19 UTC, Nicolas Berrehouc 		no flags Details
View All

Description Nicolas Berrehouc 2011-03-20 10:53:25 UTC 
SELinux is preventing /usr/bin/boinc_client from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that boinc_client should be allowed connectto access on the X0 unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc_client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Objects                @/tmp/.X11-unix/X0 [ unix_stream_socket ]
Source                        boinc_client
Source Path                   /usr/bin/boinc_client
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           boinc-client-6.10.58-3.r22930svn.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon
                              Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    dim. 20 mars 2011 03:37:14 CET
Last Seen                     dim. 20 mars 2011 03:37:14 CET
Local ID                      6514110b-c7ef-4c55-800c-7380eb834061

Raw Audit Messages
type=AVC msg=audit(1300588634.223:71650): avc:  denied  { connectto } for  pid=12666 comm="boinc_client" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1300588634.223:71650): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7fff021d7650 a2=14 a3=7fff021d7653 items=0 ppid=1 pid=12666 auid=0 uid=494 gid=489 euid=494 suid=494 fsuid=494 egid=489 sgid=489 fsgid=489 tty=(none) ses=11 comm=boinc_client exe=/usr/bin/boinc_client subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc_client,boinc_t,xserver_t,unix_stream_socket,connectto

audit2allow

#============= boinc_t ==============
allow boinc_t xserver_t:unix_stream_socket connectto;

audit2allow -R

#============= boinc_t ==============
allow boinc_t xserver_t:unix_stream_socket connectto;
Comment 1 Miroslav Grepl 2011-03-24 09:12:25 UTC 
What were you doing when this happened?

Were you using boinc manager?
Comment 2 Nicolas Berrehouc 2011-03-24 11:54:26 UTC 
Created attachment 487292 [details]
/var/log/messages from 21/03/2011

Yes I'm using boinc-manager.
boinc-manager-6.10.58-3.r22930svn.fc14.x86_64
boinc-client-6.10.58-3.r22930svn.fc14.x86_64

Graphic drivers for ATI
kmod-catalyst-2.6.35.11-83.fc14.x86_64-11.2-1.fc14.x86_64
xorg-x11-drv-ati-6.13.2-0.1.20101109git0c2834e67.fc15.x86_64

boinc-client was running projects from World Community Grid. See attachment for more information from /var/log/messages.
Comment 3 Miroslav Grepl 2011-03-25 08:31:17 UTC 
Does it work in enforcing mode? Or you needed to switch to permissive mode to get this working?
Comment 4 Nicolas Berrehouc 2011-03-25 17:51:28 UTC 
I don't know if it was working in enforcing because I'm always in permissive mode.
But this bug happened only with one unit (wcgrid_cep2_6.40_i686-pc-linux-gnu) as you can see on logs. Actually no more abrt alert with new units project. Perhaps it tried to use GPU (/dev/ati/card0) ?
I think this unit was performed completely only by CPU and sent with no error because all results are valid.
Comment 5 Nicolas Berrehouc 2011-03-27 08:19:59 UTC 
Created attachment 487990 [details]
/var/log/messages from 27/03/2011

New unit and same problem with project using wcgrid_cep2_6.40_i686-pc-linux-gnu.
See attachment for more information from /var/log/messages.
Comment 6 Miroslav Grepl 2011-05-27 09:18:41 UTC 
execute

# chcon -t xserver_misc_device_t /dev/ati/card0


Fixed in selinux-policy-3.9.7-42.fc14
Comment 7 Fedora Update System 2011-10-20 11:57:47 UTC 
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14
Comment 8 Fedora Update System 2011-10-22 08:21:02 UTC 
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2011-10-30 00:33:43 UTC 
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Miroslav Grepl 2013-01-14 10:50:26 UTC 
*** Bug 893848 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.