Bug 789279 - SELinux makes BOINC fail GPU calculus
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-02-10 09:37 UTC by Germano Massullo
Modified: 2012-04-22 03:36 UTC (History)

Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-22 03:36:09 UTC

Description Germano Massullo 2012-02-10 09:37:53 UTC
Description of problem:
Today I tried again to execute BOINC GPU calculus while having SELinux active, but I had problems as before.
Before doing this test, I did a SELinux relabeling.

I started Einstein@home and then I switched from permissive to enforcing mode, so the status of processing GPU working unit was "Calculus error" (my personal translation from the Italian version).

The strange thing is that I don't get SELinux notifications for this kind of problem.


Additional info:

Kernel 3.2.3-2.fc16.x86_64
nVidia drivers 290.10
SELinux-policy 3.10.0-75.fc16
SELinux-policy-targeted 3.10.0-75.fc16

Comment 1 Miroslav Grepl 2012-02-10 10:02:48 UTC
Is auditd daemon running?

$ systemctl status auditd.status

If yes what does

$ ausearch -m user_avc

Comment 2 Germano Massullo 2012-02-10 12:29:42 UTC
$ systemctl status auditd.status
Failed to issue method call: Unit name auditd.status is not valid.

Comment 3 Germano Massullo 2012-02-10 17:16:37 UTC
Grift in #fedora-selinux suggested that I do:

semodule -DB, reproduce the bug by switching to enforcing mode, semodule -B, ausearch -m avc -ts recent, and this is the output

----
time->Fri Feb 10 18:08:33 2012
type=SYSCALL msg=audit(1328893713.748:183): arch=c000003e syscall=59 success=yes exit=0 a0=7f109166aa40 a1=7f109cddc9c0 a2=0 a3=662f73747865746e items=0 ppid=6849 pid=6870 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893713.748:183): avc:  denied  { noatsecure } for  pid=6870 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893713.748:183): avc:  denied  { siginh } for  pid=6870 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893713.748:183): avc:  denied  { rlimitinh } for  pid=6870 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Feb 10 18:08:47 2012
type=SYSCALL msg=audit(1328893727.250:184): arch=c000003e syscall=59 success=yes exit=0 a0=170c850 a1=170c770 a2=170b010 a3=15 items=0 ppid=6874 pid=6875 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893727.250:184): avc:  denied  { noatsecure } for  pid=6875 comm="fprintd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893727.250:184): avc:  denied  { siginh } for  pid=6875 comm="fprintd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893727.250:184): avc:  denied  { rlimitinh } for  pid=6875 comm="fprintd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Feb 10 18:09:01 2012
type=SYSCALL msg=audit(1328893741.133:189): arch=c000003e syscall=59 success=yes exit=0 a0=1bdef70 a1=1bdf250 a2=1bddf00 a3=18 items=0 ppid=6883 pid=6885 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893741.133:189): avc:  denied  { write } for  pid=6885 comm="semodule" path="/home/caterpillar/.xsession-errors" dev=sdd1 ino=262413 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
----
time->Fri Feb 10 18:09:48 2012
type=SYSCALL msg=audit(1328893788.019:197): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183bab0 a3=732f73652e736976 items=0 ppid=6945 pid=6956 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="sanidad_1.01_i6" exe="/var/lib/boinc/projects/registro.ibercivis.es/sanidad_1.01_i686-pc-linux-gnu" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893788.019:197): avc:  denied  { noatsecure } for  pid=6956 comm="sanidad_1.01_i6" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.019:197): avc:  denied  { siginh } for  pid=6956 comm="sanidad_1.01_i6" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.019:197): avc:  denied  { rlimitinh } for  pid=6956 comm="sanidad_1.01_i6" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.019:197): avc:  denied  { read write } for  pid=6956 comm="sanidad_1.01_i6" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:48 2012
type=SYSCALL msg=audit(1328893788.016:198): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1822810 a3=6e696c2d63702d36 items=0 ppid=6945 pid=6955 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="wcgrid_cep2_6.4" exe="/var/lib/boinc/projects/www.worldcommunitygrid.org/wcgrid_cep2_6.40_i686-pc-linux-gnu" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893788.016:198): avc:  denied  { noatsecure } for  pid=6955 comm="wcgrid_cep2_6.4" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.016:198): avc:  denied  { siginh } for  pid=6955 comm="wcgrid_cep2_6.4" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.016:198): avc:  denied  { rlimitinh } for  pid=6955 comm="wcgrid_cep2_6.4" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.016:198): avc:  denied  { read write } for  pid=6955 comm="wcgrid_cep2_6.4" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:48 2012
type=SYSCALL msg=audit(1328893788.300:199): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183bc70 a3=2d63702d36383669 items=0 ppid=6945 pid=6960 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893788.300:199): avc:  denied  { noatsecure } for  pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc:  denied  { siginh } for  pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc:  denied  { rlimitinh } for  pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc:  denied  { read write } for  pid=6960 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:49 2012
type=SYSCALL msg=audit(1328893789.874:201): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1822780 a3=2d63702d36383669 items=0 ppid=6945 pid=6966 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893789.874:201): avc:  denied  { noatsecure } for  pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc:  denied  { siginh } for  pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc:  denied  { rlimitinh } for  pid=6966 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893789.874:201): avc:  denied  { read write } for  pid=6966 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893789.874:201): avc:  denied  { read write } for  pid=6966 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:51 2012
type=SYSCALL msg=audit(1328893791.348:202): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183cd20 a3=2d63702d36383669 items=0 ppid=6945 pid=6968 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893791.348:202): avc:  denied  { noatsecure } for  pid=6968 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893791.348:202): avc:  denied  { siginh } for  pid=6968 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893791.348:202): avc:  denied  { rlimitinh } for  pid=6968 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893791.348:202): avc:  denied  { read write } for  pid=6968 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893791.348:202): avc:  denied  { read write } for  pid=6968 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893791.348:202): avc:  denied  { read write } for  pid=6968 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:52 2012
type=SYSCALL msg=audit(1328893792.741:204): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1838ed0 a3=2d63702d36383669 items=0 ppid=6945 pid=6969 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893792.741:204): avc:  denied  { noatsecure } for  pid=6969 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893792.741:204): avc:  denied  { siginh } for  pid=6969 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893792.741:204): avc:  denied  { rlimitinh } for  pid=6969 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893792.741:204): avc:  denied  { read write } for  pid=6969 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893792.741:204): avc:  denied  { read write } for  pid=6969 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893792.741:204): avc:  denied  { read write } for  pid=6969 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:55 2012
type=SYSCALL msg=audit(1328893795.564:206): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=1836b90 a3=2d63702d36383669 items=0 ppid=6945 pid=6972 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893795.564:206): avc:  denied  { noatsecure } for  pid=6972 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893795.564:206): avc:  denied  { siginh } for  pid=6972 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893795.564:206): avc:  denied  { rlimitinh } for  pid=6972 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893795.564:206): avc:  denied  { read write } for  pid=6972 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893795.564:206): avc:  denied  { read write } for  pid=6972 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893795.564:206): avc:  denied  { read write } for  pid=6972 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:09:54 2012
type=SYSCALL msg=audit(1328893794.176:205): arch=c000003e syscall=59 success=yes exit=0 a0=7fff25cb15c0 a1=7fff25cb0e80 a2=183a610 a3=2d63702d36383669 items=0 ppid=6945 pid=6971 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.00_i686-pc-linux-gnu__BRP3cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null)
type=AVC msg=audit(1328893794.176:205): avc:  denied  { noatsecure } for  pid=6971 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893794.176:205): avc:  denied  { siginh } for  pid=6971 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893794.176:205): avc:  denied  { rlimitinh } for  pid=6971 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893794.176:205): avc:  denied  { read write } for  pid=6971 comm="einsteinbinary_" path="socket:[128633]" dev=sockfs ino=128633 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893794.176:205): avc:  denied  { read write } for  pid=6971 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893794.176:205): avc:  denied  { read write } for  pid=6971 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
----
time->Fri Feb 10 18:10:58 2012
type=SYSCALL msg=audit(1328893858.743:207): arch=c000003e syscall=59 success=yes exit=0 a0=7f2e81cfa710 a1=7f2e81cfa480 a2=0 a3=7fff0d9274c0 items=0 ppid=6976 pid=6978 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328893858.743:207): avc:  denied  { noatsecure } for  pid=6978 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893858.743:207): avc:  denied  { siginh } for  pid=6978 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893858.743:207): avc:  denied  { rlimitinh } for  pid=6978 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
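
Added example (not part of the original report, and not Fedora's own tooling): a small Python summarizer, in the spirit of audit2allow, that collapses AVC denials like the ones above into one candidate rule per source type, target type and class. Because `semodule -DB` rebuilds the policy with dontaudit rules disabled, this output includes denials that are normally silenced; the function names are this example's own.

```python
import re

# Seven AVC records copied verbatim from the ausearch output in Comment 3.
SAMPLE = r'''
type=AVC msg=audit(1328893713.748:183): avc:  denied  { noatsecure } for  pid=6870 comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328893788.300:199): avc:  denied  { noatsecure } for  pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc:  denied  { siginh } for  pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc:  denied  { rlimitinh } for  pid=6960 comm="einsteinbinary_" scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:system_r:boinc_project_t:s0 tclass=process
type=AVC msg=audit(1328893788.300:199): avc:  denied  { read write } for  pid=6960 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
type=AVC msg=audit(1328893789.874:201): avc:  denied  { read write } for  pid=6966 comm="einsteinbinary_" path="socket:[126907]" dev=sockfs ino=126907 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328893789.874:201): avc:  denied  { read write } for  pid=6966 comm="einsteinbinary_" path="socket:[128625]" dev=sockfs ino=128625 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:system_r:boinc_t:s0 tclass=udp_socket
'''

# One denial: the permission set, then source context, target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    summary = {}
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # SYSCALL records, separators, timestamps, blank lines
        key = (
            selinux_type(match.group("scon")),
            selinux_type(match.group("tcon")),
            match.group("tclass"),
        )
        summary.setdefault(key, set()).update(match.group("perms").split())
    return summary


def candidate_rules(summary, domain_prefix):
    """Render one allow rule per key whose source type starts with domain_prefix."""
    rules = []
    for (source, target, tclass), perms in sorted(summary.items()):
        if source.startswith(domain_prefix):
            rules.append(
                "allow %s %s:%s { %s };"
                % (source, target, tclass, " ".join(sorted(perms)))
            )
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE), "boinc"):
        print(rule)
```

The rules are candidates to test one at a time, not a policy to load as-is: in Comment 4 only the `noatsecure` permission turned out to be required.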

Comment 4 Germano Massullo 2012-02-10 17:47:09 UTC
Grift fixed the bug; here is the chat log so you can read how we got it:

[18:14:59] <grift> ok lets try something:
[18:16:04] <Caterpillar> ok
[18:16:53] <grift> mkdir ~/mytest; cd ~/mytest; echo "policy_module(mytest, 1.0.0) gen_require(\` type boinc_project_t, boinc_t; ') allow boinc_project_t boinc_t:tcp_socket { read write };" > mytest,te;
[18:17:09] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:17:17] <grift> sudo semodule -i mytest.pp
[18:17:21] <grift> setenforce 1
[18:17:26] <grift> test again see if it works
[18:18:16] <Caterpillar> no rules to generate <<mytest.pp>>. Stop
[18:18:24] <Caterpillar> at the second command you gave me
[18:18:34] <Caterpillar> $
[18:19:06] <grift> cd ~/mytest; make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:19:37] <grift> o is that a comma or dot in mytest.te?
[18:19:44] <Caterpillar> comma
[18:19:45] <Caterpillar> :D
[18:19:53] <grift> mv mytest,te mytest.te
[18:20:08] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:22:39] <Caterpillar> grift: same as before
[18:22:50] <Caterpillar> calculus failure
[18:22:57] <grift> ok open the mytest.te
[18:23:03] <grift> and add below:
[18:23:43] <grift> allow boinc_project_t boinc_t:udp_socket { read write };
[18:23:48] <grift> then:
[18:23:52] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:24:00] <grift> sudo semodule -i mytest.pp
[18:24:04] <grift> and test again
[18:24:14] <grift> make sure you restart boinc
[18:28:44] <Caterpillar> boinc is downloading new working units, please wait
[18:28:45] <Caterpillar> :)
[18:29:00] <grift> ok so now it works?
[18:29:14] <Caterpillar> we have to wait until it finishes to download
[18:29:19] <grift> k
[18:29:51] <Caterpillar> GPU working units have a lot of megabytes
[18:30:23] <grift> ok that sounds like it's at least less than a gigabyte
[18:31:04] <Caterpillar> no, for Einstein@home there are a lot of little pieces of 4mb each
[18:31:25] <Caterpillar> Calculus failure again
[18:32:00] <grift> ok open mytest.te
[18:32:04] <grift> add:
[18:32:46] <grift> allow boinc_t boinc_project_t:process noatsecure;
[18:32:53] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:32:58] <grift> sudo semodule -i mytest.pp
[18:33:01] <grift> test again
[18:33:06] <grift> make sure to restart boinc
[18:33:27] <Caterpillar> of course
[18:36:07] <Caterpillar> grift: uh it works
[18:36:15] <grift> ok open mytest,te
[18:36:42] <grift> comment out the two lines that start with " allow" except the last one (the one that has the noatsecure)
[18:36:51] <grift> then:
[18:36:55] <grift> make -f /usr/share/selinux/devel/Makefile mytest.pp
[18:36:58] <grift> sudo semodule -i mytest.pp
[18:37:02] <grift> test again
[18:37:08] <grift> make sure to restart boinc
[18:37:27] <grift> so the lines with udp_socket and tcp_socket
[18:37:32] <grift> need to be commented out
[18:37:58] <Caterpillar> in mytest,te I have
[18:38:00] <Caterpillar> policy_module(mytest, 1.0.0) gen_require(` type boinc_project_t, boinc_t; ') allow boinc_project_t boinc_t:tcp_socket { read write };
[18:38:00] <Caterpillar> allow boinc_project_t boinc_t:udp_socket { read write };
[18:38:00] <Caterpillar> allow boinc_t boinc_project_t:process noatsecure;
[18:38:11] <grift> comment out:
[18:38:19] <grift>  allow boinc_project_t boinc_t:tcp_socket { read write };
[18:38:29] <grift> allow boinc_project_t boinc_t:udp_socket { read write };
[18:38:37] <Caterpillar> I have to comment it with # or with // ?
[18:38:38] <grift> put a # in front of those lines
[18:38:41] <Caterpillar> ok
[18:38:43] <grift>  a #
[18:39:01] <Caterpillar> policy_module(mytest, 1.0.0) gen_require(` type boinc_project_t, boinc_t; ') #allow boinc_project_t boinc_t:tcp_socket { read write };
[18:39:01] <Caterpillar> #allow boinc_project_t boinc_t:udp_socket { read write };
[18:39:01] <Caterpillar> allow boinc_t boinc_project_t:process noatsecure;
[18:39:04] <Caterpillar> it's okay?
[18:39:15] <grift> yes
[18:39:25] <grift> err
[18:39:34] <grift> i guess it is
[18:39:48] <grift> try it
[18:40:07] <grift> but i am pretty sure i know what the culprit is
[18:41:21] <Caterpillar> it works
[18:41:32] <grift> ok so the fix is this rule:
[18:41:40] <grift> allow boinc_t boinc_project_t:process noatsecure;
[18:41:54] <grift> that needs to be added to policy
[18:42:34] <grift> make sure to run semodule -B if you haven't done so already
[18:42:53] <grift> also make sure you are enforcing if you haven't done so already (setenforce 1)
[18:43:22] <Caterpillar> don't know how to apply allow boinc_t boinc_project_t:process noatsecure;
[18:43:39] <grift> you already have
[18:43:51] <grift> just put in the bugzilla that that needs to be added
[18:44:01] <Caterpillar> I would like to post this chat log to let others know about the fix
[18:44:10] <grift> k
[18:44:14] <grift> whatever
[18:44:24] <grift> but also add the fix to your bugzilla
[18:44:30] <grift> so that miroslav can fix it

Comment 5 Miroslav Grepl 2012-03-16 10:46:29 UTC
I am doing a lot of fixes for boinc and I am adding this fix too. Thank you.

Comment 6 Fedora Update System 2012-04-18 12:54:01 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 7 Fedora Update System 2012-04-22 03:36:09 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

