Hide Forgot
Description of problem: After installing boinc-client and attaching to a project (World Community Grid) tasks would download and then immediately finish with a status of 'computation error'. On a whim, I tried turning off SELinux with 'sudo setenforce 0' and then restarting the boinc-client service, and projects were able to run. Then I did the following: jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo restorecon -rv /var/lib/boinc restorecon reset /var/lib/boinc/.pki context unconfined_u:object_r:boinc_project_var_lib_t:s0->system_u:object_r:boinc_var_lib_t:s0 restorecon reset /var/lib/boinc/.pki/nssdb context unconfined_u:object_r:boinc_project_var_lib_t:s0->system_u:object_r:boinc_var_lib_t:s0 jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo setenforce 1 jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ sudo service boinc-client restart Stopping boinc-client: [ OK ] Starting boinc-client: [ OK ] jamie@kloog /var/lib/boinc/projects/www.worldcommunitygrid.org $ After that, projects still seem to be running, although I suppose I may not know for sure until one finishes. :) Version-Release number of selected component (if applicable): boinc-client-6.10.58-3.r22930svn.fc14.x86_64 How reproducible: always Steps to Reproduce: 1. install and start boinc-client 2. attach to a project 3. Actual results: work units fail immediately with 'computation error' and 'output file absent' error messages Expected results: work units would run to completion and upload results to the project server Additional info:
Hello, would you please attach /var/log/audit/audit.log? It should contain SELinux AVC messages from the time when the denials occurred.
Created attachment 499511 [details] All the AVC messages from audit.log selinux-policy-3.9.7-40.fc14.noarch selinux-policy-targeted-3.9.7-40.fc14.noarch boinc-client-6.10.58-3.r22930svn.fc14.x86_64
After a few iterations of using audit2allow to generate a policy module and restarting the client, I ended up with things appearing to work. I will attach the type enforcement file I used to create the module for your review. As an aside, I still get an AVC related to /lib/ld-2.13.so requesting execstack whenever I restart the BOINC client, but I have not allowed that at this point. Would it make sense to change the component on the bug from boinc-client to selinux-policy-targeted?
Created attachment 500447 [details] SELinux Type Enforcement file for additional permissions requested by boinc-client
Jamie, can you still reproduce with current selinux-policy (I can't)?
No, I believe everything is fine now.