Bug 735648 - SELinux is preventing /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu from 'getattr' accesses on the file /proc/<pid>/stat.
Summary: SELinux is preventing /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:af87ce2dfcb...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-04 14:57 UTC by Joe Zeff
Modified: 2011-10-30 00:34 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.9.7-46.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-30 00:34:24 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Joe Zeff 2011-09-04 14:57:48 UTC 
SELinux is preventing /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu from 'getattr' accesses on the file /proc/<pid>/stat.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that wcg_dsfl_6.19_i686-pc-linux-gnu should be allowed getattr access on the stat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wcg_dsfl_6.19_i /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_project_t:s0
Target Context                unconfined_u:unconfined_r:setfiles_t:s0
Target Objects                /proc/<pid>/stat [ file ]
Source                        wcg_dsfl_6.19_i
Source Path                   /var/lib/boinc/projects/www.worldcommunitygrid.org
                              /wcg_dsfl_6.19_i686-pc-linux-gnu
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.14-95.fc14.i686 #1
                              SMP Tue Aug 16 21:30:14 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Sun 04 Sep 2011 07:53:06 AM PDT
Last Seen                     Sun 04 Sep 2011 07:53:06 AM PDT
Local ID                      687d9402-6677-4bd3-912d-1061f8d2b5f7

Raw Audit Messages
type=AVC msg=audit(1315147986.645:3939): avc:  denied  { getattr } for  pid=18849 comm="wcg_dsfl_6.19_i" path="/proc/19672/stat" dev=proc ino=10434284 scontext=system_u:system_r:boinc_project_t:s0 tcontext=unconfined_u:unconfined_r:setfiles_t:s0 tclass=file


type=SYSCALL msg=audit(1315147986.645:3939): arch=i386 syscall=fstat64 success=yes exit=0 a0=c a1=bff17c94 a2=bff17c1c a3=2 items=0 ppid=17314 pid=18849 auid=0 uid=495 gid=490 euid=495 suid=495 fsuid=495 egid=490 sgid=490 fsgid=490 tty=(none) ses=287 comm=wcg_dsfl_6.19_i exe=/var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null)

Hash: wcg_dsfl_6.19_i,boinc_project_t,setfiles_t,file,getattr

audit2allow

#============= boinc_project_t ==============
allow boinc_project_t setfiles_t:file getattr;

audit2allow -R

#============= boinc_project_t ==============
allow boinc_project_t setfiles_t:file getattr;
Comment 1 Joe Zeff 2011-09-04 15:00:50 UTC 
I am also getting alerts because it wants search access.  I tried following the instructions to set policy for both of these problems, but within less than a minute there were 26 more alerts about the same issue.
Comment 2 Miroslav Grepl 2011-09-05 11:06:55 UTC 
Not sure why this would be needed. 

Do you know which BOINC project causes this issue? 

Also does everything work fine?
Comment 3 Joe Zeff 2011-09-05 17:03:23 UTC 
Everything else on my computer works fine.  Some of the Einstein@home projects give me alerts, but running restorecon once clears them up.  This project is the Drug Search for Leishmaniasis 6.19.  I've also reported this on the WCG troubleshooting forum, but so far there's been no response.
Comment 4 Joe Zeff 2011-09-05 17:08:37 UTC 
Correction: there was also an email this morning from the WCG forum pointing me to this thread: https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,31690

This looks like a known issue with the project.  If I can verify that, we may be able to close this bug.
Comment 5 Miroslav Grepl 2011-09-06 07:01:47 UTC 
I will add a fix from the SELinux point of view.
Comment 6 Fedora Update System 2011-10-20 11:58:26 UTC 
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14
Comment 7 Fedora Update System 2011-10-22 08:21:42 UTC 
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).
Comment 8 Joe Zeff 2011-10-22 19:00:47 UTC 
I'm installing the update now, and will then go to the WCG and reactivate that project.  Alas, there's no way of knowing when I'll be assigned a work unit from it unless there's trouble.  Will report back if and when I know anything.
Comment 9 Fedora Update System 2011-10-30 00:34:24 UTC 
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.