Bug 704917 - Tasks fail with 'computation error' due to wrong context on pki database
Summary: Tasks fail with 'computation error' due to wrong context on pki database
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: boinc-client
Version: 14
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Milos Jakubicek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-16 00:47 UTC by Jamie Anderson
Modified: 2011-08-21 07:52 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-21 07:52:49 UTC
Type: ---


Attachments (Terms of Use)
All the AVC messages from audit.log (16.35 KB, text/plain)
2011-05-18 03:28 UTC, Jamie Anderson
no flags Details
SELinux Type Enforcement file for additional permissions requested by boinc-client (852 bytes, application/octet-stream)
2011-05-23 14:26 UTC, Jamie Anderson
no flags Details

Description Jamie Anderson 2011-05-16 00:47:57 UTC
Description of problem:
After installing boinc-client and attaching to a project (World Community Grid) tasks would download and then immediately finish with a status of 'computation error'. On a whim, I tried turning off SELinux with 'sudo setenforce 0' and then restarting the boinc-client service, and projects were able to run. Then I did the following:

jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo restorecon -rv /var/lib/boinc
restorecon reset /var/lib/boinc/.pki context unconfined_u:object_r:boinc_project_var_lib_t:s0->system_u:object_r:boinc_var_lib_t:s0
restorecon reset /var/lib/boinc/.pki/nssdb context unconfined_u:object_r:boinc_project_var_lib_t:s0->system_u:object_r:boinc_var_lib_t:s0
jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo setenforce 1
jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo service boinc-client restart
Stopping boinc-client:                                     [  OK  ]
Starting boinc-client:                                     [  OK  ]
jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ 


After that, projects still seem to be running, although I suppose I may not know for sure until one finishes. :)


Version-Release number of selected component (if applicable):
boinc-client-6.10.58-3.r22930svn.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
1. install and start boinc-client
2. attach to a project
3.
  
Actual results:
work units fail immediately with 'computation error' and 'output file absent' error messages

Expected results:
work units would run to completion and upload results to the project server

Additional info:

Comment 1 Milos Jakubicek 2011-05-16 05:47:02 UTC
Hello,

would you please attach /var/log/audit/audit.log? It should contain SELinux AVC messages from the time when the denials occurred.

Comment 2 Jamie Anderson 2011-05-18 03:28:45 UTC
Created attachment 499511 [details]
All the AVC messages from audit.log

selinux-policy-3.9.7-40.fc14.noarch
selinux-policy-targeted-3.9.7-40.fc14.noarch
boinc-client-6.10.58-3.r22930svn.fc14.x86_64

Comment 3 Jamie Anderson 2011-05-23 14:24:50 UTC
After a few iterations of using audit2allow to generate a policy module and restarting the client, I ended up with things appearing to work. I will attach the type enforcement file I used to create the module for your review. As an aside, I still get an AVC related to /lib/ld-2.13.so requesting execstack whenever I restart the BOINC client, but I have not allowed that at this point.

Would it make sense to change the component on the bug from boinc-client to selinux-policy-targeted?

Comment 4 Jamie Anderson 2011-05-23 14:26:04 UTC
Created attachment 500447 [details]
SELinux Type Enforcement file for additional permissions requested by boinc-client

Comment 5 Milos Jakubicek 2011-08-20 12:17:11 UTC
Jamie, can you still reproduce with current selinux-policy (I can't)?

Comment 6 Jamie Anderson 2011-08-21 03:36:41 UTC
No, I believe everything is fine now.


Note You need to log in before you can comment on or make changes to this bug.