Description of problem:
Today I tried again to execute BOINC GPU calculus while having SELinux active, but I had problems as before. Before doing this test, I did a SELinux relabeling. I started Einstein@home and then I switched from permissive to enforcing mode, so the status of processing GPU working unit was "Calculus error" (my personal translation from the Italian version). The strange thing is that I don't get SELinux notifications for this kind of problem.

Additional info:
Kernel 3.2.3-2.fc16.x86_64
nVidia drivers 290.10
SELinux-policy 3.10.0-75.fc16
SELinux-policy-targeted 3.10.0-75.fc16
Is auditd daemon running?

$ systemctl status auditd.status

If yes what does

$ ausearch -m user_avc
$ systemctl status auditd.status
Failed to issue method call: Unit name auditd.status is not valid.
Grift in #fedora-selinux suggested that I do: semodule -DB, reproduce the bug by switching to enforcing mode, semodule -B, ausearch -m avc -ts recent, and this is the output
Grift fixed the bug; here is the chat log so you can read how we got it:

[18:14:59] <grift> ok lets try something:
[18:16:04] <Caterpillar> ok
[18:16:53] <grift> mkdir ~/mytest; cd ~/mytest; echo "policy_module(mytest, 1.0.0) gen_require(\` type boinc_project_t, boinc_t; ') allow boinc_project_t boinc_t:tcp_socket { read write };" > mytest,te;
[18:17:09] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:17:17] <grift> sudo semodule -i mytest.pp
[18:17:21] <grift> setenforce 1
[18:17:26] <grift> test again see if it works
[18:18:16] <Caterpillar> no rules to generate <<mytest.pp>>. Stop
[18:18:24] <Caterpillar> at the second command you gave me
[18:18:34] <Caterpillar> $
[18:19:06] <grift> cd ~/mytest; make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:19:37] <grift> o is that a comma or dot in mytest.te?
[18:19:44] <Caterpillar> comma
[18:19:45] <Caterpillar> :D
[18:19:53] <grift> mv mytest,te mytest.te
[18:20:08] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:22:39] <Caterpillar> grift: same as before
[18:22:50] <Caterpillar> calculus failure
[18:22:57] <grift> ok open the mytest.te
[18:23:03] <grift> and add below:
[18:23:43] <grift> allow boinc_project_t boinc_t:udp_socket { read write };
[18:23:48] <grift> then:
[18:23:52] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:24:00] <grift> sudo semodule -i mytest.pp
[18:24:04] <grift> and test again
[18:24:14] <grift> make sure you restart boinc
[18:28:44] <Caterpillar> boinc is downloading new working units, please wait
[18:28:45] <Caterpillar> :)
[18:29:00] <grift> ok so now it works?
[18:29:14] <Caterpillar> we have to wait until it finishes to download
[18:29:19] <grift> k
[18:29:51] <Caterpillar> GPU working units have a lot of megabytes
[18:30:23] <grift> ok that sounds like its at least less than a gigabyte
[18:31:04] <Caterpillar> no, for Einstein@home there are a lot of little pieces of 4mb each
[18:31:25] <Caterpillar> Calculus failure again
[18:32:00] <grift> ok open mytest.te
[18:32:04] <grift> add:
[18:32:46] <grift> allow boinc_t boinc_project_t:process noatsecure;
[18:32:53] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:32:58] <grift> sudo semodule -i mytest.pp
[18:33:01] <grift> test again
[18:33:06] <grift> make sure to restart boinc
[18:33:27] <Caterpillar> of course
[18:36:07] <Caterpillar> grift: uh it works
[18:36:15] <grift> ok open mytest,te
[18:36:42] <grift> comment out the two lines that start with " allow" except the last one (the one that has the noatsecure)
[18:36:51] <grift> then:
[18:36:55] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:36:58] <grift> sudo semodule -i mytest.pp
[18:37:02] <grift> test again
[18:37:08] <grift> make sure to restart boinc
[18:37:27] <grift> so the lines with udp_socket and tcp_socket
[18:37:32] <grift> need to be commented out
[18:37:58] <Caterpillar> in mytest,te I have
[18:38:00] <Caterpillar> policy_module(mytest, 1.0.0) gen_require(` type boinc_project_t, boinc_t; ') allow boinc_project_t boinc_t:tcp_socket { read write };
[18:38:00] <Caterpillar> allow boinc_project_t boinc_t:udp_socket { read write };
[18:38:00] <Caterpillar> allow boinc_t boinc_project_t:process noatsecure;
[18:38:11] <grift> comment out:
[18:38:19] <grift> allow boinc_project_t boinc_t:tcp_socket { read write };
[18:38:29] <grift> allow boinc_project_t boinc_t:udp_socket { read write };
[18:38:37] <Caterpillar> I have to comment it with # or with // ?
[18:38:38] <grift> put a # in front of those lines
[18:38:41] <Caterpillar> ok
[18:38:43] <grift> a #
[18:39:01] <Caterpillar> policy_module(mytest, 1.0.0) gen_require(` type boinc_project_t, boinc_t; ') #allow boinc_project_t boinc_t:tcp_socket { read write };
[18:39:01] <Caterpillar> #allow boinc_project_t boinc_t:udp_socket { read write };
[18:39:01] <Caterpillar> allow boinc_t boinc_project_t:process noatsecure;
[18:39:04] <Caterpillar> it's okay?
[18:39:15] <grift> yes
[18:39:25] <grift> err
[18:39:34] <grift> i guess it is
[18:39:48] <grift> try it
[18:40:07] <grift> but i am pretty sure i know what the culprit is
[18:41:21] <Caterpillar> it works
[18:41:32] <grift> ok so the fix is this rule:
[18:41:40] <grift> allow boinc_t boinc_project_t:process noatsecure;
[18:41:54] <grift> that needs to be added to policy
[18:42:34] <grift> make sure to run semodule -B if you haven't done so already
[18:42:53] <grift> also make sure you are enforcing if you haven't done so already (setenforce 1)
[18:43:22] <Caterpillar> don't know how to apply allow boinc_t boinc_project_t:process noatsecure;
[18:43:39] <grift> you already have
[18:43:51] <grift> just put in the bugzilla that that needs to be added
[18:44:01] <Caterpillar> I would like to post this chat log to let others know about the fix
[18:44:10] <grift> k
[18:44:14] <grift> whatever
[18:44:24] <grift> but also add the fix to your bugzilla
[18:44:30] <grift> so that miroslav can fix it
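An added example, not part of the bug report or of the selinux-policy project: the narrowing-down from the chat log written as a script. It turns AVC denial records into candidate allow rules and renders a test module in which only a chosen subset is enabled and the rest are '#'-commented; the sample records are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the record format `ausearch -m avc` prints. The types,
# classes and permissions are the ones in this report; pids/inodes are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1000000000.001:10): arch=c000003e syscall=59 success=yes exit=0 pid=4001 comm="project_app"
type=AVC msg=audit(1000000000.001:10): avc: denied { noatsecure } for pid=4001 comm="project_app" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1000000000.001:10): avc: denied { read write } for pid=4001 comm="project_app" path="socket:[1111]" dev=sockfs ino=1111 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
type=AVC msg=audit(1000000000.002:11): avc: denied { read write } for pid=4002 comm="project_app" path="socket:[2222]" dev=sockfs ino=2222 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1000000000.002:11): avc: denied { noatsecure } for pid=4002 comm="project_app" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """user:role:type:level[:categories] -> the type is always the third field."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rule(key, perms):
    """Format one allow rule; a single permission needs no braces."""
    src, tgt, tclass = key
    names = sorted(perms)
    body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
    return f"allow {src} {tgt}:{tclass} {body};"


def render_module(name, denials, enabled):
    """Build a .te module; rules whose key is not in `enabled` are commented
    out, which is the step used in the chat to isolate the needed rule."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    lines = [f"policy_module({name}, 1.0.0)", "gen_require(`",
             f"    type {', '.join(types)};", "')"]
    for key in sorted(denials):
        rule = allow_rule(key, denials[key])
        lines.append(rule if key in enabled else "#" + rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = collect_denials(SAMPLE_LOG)
    # Enable only the process rule, as in the last test round of the chat.
    print(render_module("mytest", found, {("boinc_t", "boinc_project_t", "process")}))
```

The rendered text can be saved as mytest.te and built with the same make and semodule commands used in the chat.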
I am doing a lot of fixes for boinc and I am adding this fix too. Thank you.
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.