libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.5-2.fc16.x86_64 reason: SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu from 'getattr' accesses on the file /etc/localtime. time: Fri 23 Dec 2011 10:10:33 AM CST description: :SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu from 'getattr' accesses on the file /etc/localtime. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that einstein_S6Bucket_1.01_x86_64-pc-linux-gnu should be allowed getattr access on the localtime file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep einstein_S6Buck /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:boinc_project_t:s0 :Target Context system_u:object_r:locale_t:s0 :Target Objects /etc/localtime [ file ] :Source einstein_S6Buck :Source Path /var/lib/boinc/projects/einstein.phys.uwm.edu/eins : tein_S6Bucket_1.01_x86_64-pc-linux-gnu :Port <Unknown> :Host (removed) :Source RPM Packages :Target RPM Packages glibc-2.14.90-21 :Policy RPM selinux-policy-3.10.0-67.fc16 :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.1.5-2.fc16.x86_64 #1 SMP : Mon Dec 12 21:25:51 UTC 2011 x86_64 x86_64 :Alert Count 2 :First Seen Fri 23 Dec 2011 09:55:52 AM CST :Last Seen Fri 23 Dec 2011 09:55:54 AM CST :Local ID bef0c3ce-57c9-4b35-89cb-8cd31dcc6736 : :Raw Audit Messages :type=AVC msg=audit(1324655754.940:1391): avc: denied { getattr } for pid=28884 comm="einstein_S6Buck" path="/etc/localtime" dev=dm-1 ino=1719485 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file : : :type=SYSCALL msg=audit(1324655754.940:1391): arch=x86_64 syscall=stat success=no exit=EACCES a0=3a2777208a a1=7fff2af03e80 a2=7fff2af03e80 a3=0 items=0 ppid=11638 pid=28884 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=einstein_S6Buck exe=/var/lib/boinc/projects/einstein.phys.uwm.edu/einstein_S6Bucket_1.01_x86_64-pc-linux-gnu subj=system_u:system_r:boinc_project_t:s0 key=(null) : :Hash: einstein_S6Buck,boinc_project_t,locale_t,file,getattr : :audit2allow : :#============= boinc_project_t ============== :allow boinc_project_t locale_t:file getattr; : :audit2allow -R : :#============= boinc_project_t ============== :allow boinc_project_t locale_t:file getattr; :
I apologize, there is a bug in the boinc policy which has been re-written. I am fixing it right now.
*** Bug 770149 has been marked as a duplicate of this bug. ***
*** Bug 770150 has been marked as a duplicate of this bug. ***
*** Bug 770175 has been marked as a duplicate of this bug. ***
*** Bug 770176 has been marked as a duplicate of this bug. ***
*** Bug 770205 has been marked as a duplicate of this bug. ***
*** Bug 770225 has been marked as a duplicate of this bug. ***
*** Bug 770226 has been marked as a duplicate of this bug. ***
*** Bug 770151 has been marked as a duplicate of this bug. ***
*** Bug 770241 has been marked as a duplicate of this bug. ***
You can use a new build from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=280140
*** Bug 770297 has been marked as a duplicate of this bug. ***
selinux-policy-3.10.0-69.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-69.fc16
Regarding comment 11, I attempted to update selinux-policy-3.10.0-67.fc16 to selinux-policy-3.10.0-69.fc16. My install includes selinux-policy-3.10.0-67.fc16.noarch and selinux-policy-targeted-3.10.0-67.fc16.noarch only. I attempted to install selinux-policy-3.10.0-69.fc16.noarch.rpm which failed, resulting in this error message: selinux-policy-targeted-3.10.0-67.fc16.noarch requires selinux-policy = 3.10.0-67.fc16 I also attempted to install selinux-policy-3.10.0-69.fc16.src.rpm which failed with this error message: The package that is trying to be installed is incompatible with this system. Package /tmp/selinux-policy-3.10.0-69.fc16.src-1.rpm has incompatible architecture src. Valid architectures are ['ia32e', 'x86_64', 'athlon', 'i686', 'i586', 'i486', 'i386', 'noarch'] Please advise. Thank you, RLK
Package selinux-policy-3.10.0-69.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-69.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-17464/selinux-policy-3.10.0-69.fc16 then log in and leave karma (feedback).
The update isn't available right now, but I'll keep checking and install it ASAP. Thanks, RLK
*** Bug 770457 has been marked as a duplicate of this bug. ***
*** Bug 770456 has been marked as a duplicate of this bug. ***
*** Bug 770454 has been marked as a duplicate of this bug. ***
*** Bug 770453 has been marked as a duplicate of this bug. ***
*** Bug 770452 has been marked as a duplicate of this bug. ***
*** Bug 770323 has been marked as a duplicate of this bug. ***
*** Bug 770322 has been marked as a duplicate of this bug. ***
*** Bug 770320 has been marked as a duplicate of this bug. ***
*** Bug 770319 has been marked as a duplicate of this bug. ***
*** Bug 770318 has been marked as a duplicate of this bug. ***
*** Bug 770317 has been marked as a duplicate of this bug. ***
*** Bug 770315 has been marked as a duplicate of this bug. ***
*** Bug 770316 has been marked as a duplicate of this bug. ***
*** Bug 770242 has been marked as a duplicate of this bug. ***
*** Bug 770224 has been marked as a duplicate of this bug. ***
I just finished installing the update per Comment 15. When the install completed, my H/D finally stopped rattling and BOINC is back and apparently running normally. The nine alerts have slowly disappeared from the Alert Browser. I'll check it again in the morning. Thank you, RLK
BOINC appears to be running normally with the possible exception of Einstein@Home. The Einstein@Home project on my computer has displayed "Communication Deferred" since I installed the updates. The other two projects are functioning normally. On the Einstein@Home site, they indicate three "Work Generator" servers down, but one is up and running. All of their other servers are functioning normally. I don't know if the "Communication Deferred" message is an Einstein@Home issue or a continuing problem caused by this bug. No new SELinux bugs have appeared since I installed the updates. RLK
selinux-policy-3.10.0-69.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
I may not have this right, but I think it is still a problem under Fedora 17. SELinux is preventing /usr/lib/virtualbox/VBoxManage from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage. ***** Plugin restorecon (93.9 confidence) suggests ************************* If you want to fix the label. /usr/lib/virtualbox/VBoxManage default label should be bin_t. Then you can run restorecon. Do # /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage ***** Plugin leaks (6.10 confidence) suggests ****************************** If you want to ignore VBoxManage trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/lib/virtualbox/VBoxManage /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp ***** Plugin catchall (1.43 confidence) suggests *************************** If you believe that VBoxManage should be allowed execute_no_trans access on the VBoxManage file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep VBoxManage /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:boinc_t:s0 Target Context system_u:object_r:textrel_shlib_t:s0 Target Objects /usr/lib/virtualbox/VBoxManage [ file ] Source VBoxManage Source Path /usr/lib/virtualbox/VBoxManage Port <Unknown> Host (removed) Source RPM Packages VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64 Target RPM Packages VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64 Policy RPM selinux-policy-3.10.0-128.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux fisc-dcj-xpsf 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen Wed 06 Jun 2012 12:39:33 AM EDT Last Seen Wed 06 Jun 2012 12:39:33 AM EDT Local ID 6c53e056-a53d-4283-b58d-7ae61a287d02 Raw Audit Messages type=AVC msg=audit(1338957573.947:96): avc: denied { execute_no_trans } for pid=2120 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=3158964 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file type=SYSCALL msg=audit(1338957573.947:96): arch=x86_64 syscall=execve success=yes exit=0 a0=2172180 a1=21720d0 a2=2171100 a3=18 items=0 ppid=2115 pid=2120 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=VBoxManage exe=/usr/lib/virtualbox/VBoxManage subj=system_u:system_r:boinc_t:s0 key=(null) Hash: VBoxManage,boinc_t,textrel_shlib_t,file,execute_no_trans audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied