SELinux is preventing /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu from 'getattr' accesses on the file /proc/<pid>/stat.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that wcg_dsfl_6.19_i686-pc-linux-gnu should be allowed getattr access on the stat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wcg_dsfl_6.19_i /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_project_t:s0
Target Context                unconfined_u:unconfined_r:setfiles_t:s0
Target Objects                /proc/<pid>/stat [ file ]
Source                        wcg_dsfl_6.19_i
Source Path                   /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.14-95.fc14.i686 #1 SMP Tue Aug 16 21:30:14 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Sun 04 Sep 2011 07:53:06 AM PDT
Last Seen                     Sun 04 Sep 2011 07:53:06 AM PDT
Local ID                      687d9402-6677-4bd3-912d-1061f8d2b5f7

Raw Audit Messages
type=AVC msg=audit(1315147986.645:3939): avc: denied { getattr } for pid=18849 comm="wcg_dsfl_6.19_i" path="/proc/19672/stat" dev=proc ino=10434284 scontext=system_u:system_r:boinc_project_t:s0 tcontext=unconfined_u:unconfined_r:setfiles_t:s0 tclass=file

type=SYSCALL msg=audit(1315147986.645:3939): arch=i386 syscall=fstat64 success=yes exit=0 a0=c a1=bff17c94 a2=bff17c1c a3=2 items=0 ppid=17314 pid=18849 auid=0 uid=495 gid=490 euid=495 suid=495 fsuid=495 egid=490 sgid=490 fsgid=490 tty=(none) ses=287 comm=wcg_dsfl_6.19_i exe=/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null)

Hash: wcg_dsfl_6.19_i,boinc_project_t,setfiles_t,file,getattr

audit2allow

#============= boinc_project_t ==============
allow boinc_project_t setfiles_t:file getattr;

audit2allow -R

#============= boinc_project_t ==============
allow boinc_project_t setfiles_t:file getattr;
I am also getting alerts because it wants search access. I tried following the instructions to set policy for both of these problems, but within less than a minute there were 26 more alerts about the same issue.
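Added example, not part of the original thread and not code from setroubleshoot or audit2allow: when alerts keep repeating, grouping the raw AVC records by source type, target type and object class shows how many distinct rules are actually being requested before any local module is loaded. The first two sample records are copied from the report above; the last two are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records 1-2 are the raw audit messages from the report above.
# Records 3-4 are constructed: a repeat getattr and a "search" denial on a dir.
SAMPLE_LOG = """\
type=AVC msg=audit(1315147986.645:3939): avc: denied { getattr } for pid=18849 comm="wcg_dsfl_6.19_i" path="/proc/19672/stat" dev=proc ino=10434284 scontext=system_u:system_r:boinc_project_t:s0 tcontext=unconfined_u:unconfined_r:setfiles_t:s0 tclass=file
type=SYSCALL msg=audit(1315147986.645:3939): arch=i386 syscall=fstat64 success=yes exit=0 a0=c a1=bff17c94 a2=bff17c1c a3=2 items=0 ppid=17314 pid=18849 auid=0 uid=495 gid=490 euid=495 suid=495 fsuid=495 egid=490 sgid=490 fsgid=490 tty=(none) ses=287 comm=wcg_dsfl_6.19_i exe=/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1315147990.101:3941): avc: denied { getattr } for pid=18849 comm="wcg_dsfl_6.19_i" path="/proc/19673/stat" dev=proc ino=10434290 scontext=system_u:system_r:boinc_project_t:s0 tcontext=unconfined_u:unconfined_r:setfiles_t:s0 tclass=file
type=AVC msg=audit(1315147990.102:3942): avc: denied { search } for pid=18849 comm="wcg_dsfl_6.19_i" name="19673" dev=proc ino=10434289 scontext=system_u:system_r:boinc_project_t:s0 tcontext=unconfined_u:unconfined_r:setfiles_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["count"] += 1
    return dict(groups)

def as_rules(groups):
    """Render each group in the allow-rule form that audit2allow prints."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    for rule in as_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

The output is a review aid for deciding what a local module would grant; it does not replace audit2allow.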
Not sure why this would be needed. Do you know which BOINC project causes this issue? Also does everything work fine?
Everything else on my computer works fine. Some of the Einstein@home projects give me alerts, but running restorecon once clears them up. This project is the Drug Search for Leishmaniasis 6.19. I've also reported this on the WCG troubleshooting forum, but so far there's been no response.
Correction: there was also an email this morning from the WCG forum pointing me to this thread: https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,31690 This looks like a known issue with the project. If I can verify that, we may be able to close this bug.
I will add a fix from the SELinux point of view.
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).
I'm installing the update now, and will then go to the WCG and reactivate that project. Alas, there's no way of knowing when I'll be assigned a work unit from it unless there's trouble. Will report back if and when I know anything.
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.