Hide Forgot
Just had this warning while running BOINC project Einstein@home on nVidia GPU SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 from write access on the cartella /var/lib/boinc/.nv/ComputeCache. ***** Plugin catchall (100. confidence) suggerisce**************************** Seyou believe that einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 should be allowed write access on the ComputeCache directory by default. Quindiyou should report this as a bug. You can generate a local policy module to allow this access. Fai allow this access for now by executing: # grep einsteinbinary_ /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Informazioni addizionali: Contesto della sorgente system_u:system_r:boinc_project_t:s0 Contesto target system_u:object_r:boinc_var_lib_t:s0 Oggetti target /var/lib/boinc/.nv/ComputeCache [ dir ] Sorgente einsteinbinary_ Percorso della sorgente /var/lib/boinc/projects/einstein.phys.uwm.edu/eins teinbinary_BRP4_1.22_i686-pc-linux- gnu__BRP4cuda32nv270 Porta <Sconosciuto> Host Magic-4 Sorgente Pacchetti RPM Pacchetti RPM target RPM della policy selinux-policy-3.10.0-75.fc16.noarch Selinux abilitato True Tipo di policy targeted Modalità Enforcing Enforcing Host Name Magic-4 Piattaforma Linux Magic-4 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64 Conteggio avvisi 4 Primo visto sab 03 mar 2012 08:51:46 CET Ultimo visto sab 03 mar 2012 08:59:08 CET ID locale Messaggi Raw Audit type=AVC msg=audit(1330761548.289:117): avc: denied { write } for pid=3387 comm="einsteinbinary_" name="ComputeCache" dev=sdd1 ino=3801106 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1330761548.289:117): arch=i386 syscall=getpid success=no exit=4294967283 a0=9f36f70 a1=1c0 a2=23 a3=9f36f90 items=0 ppid=2828 pid=3387 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=einsteinbinary_ exe=/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 subj=system_u:system_r:boinc_project_t:s0 key=(null) Hash: einsteinbinary_,boinc_project_t,boinc_var_lib_t,dir,write audit2allow #============= boinc_project_t ============== #!!!! The source type 'boinc_project_t' can write to a 'dir' of the following types: # boinc_project_tmp_t, var_lib_t, boinc_project_var_lib_t, tmp_t allow boinc_project_t boinc_var_lib_t:dir write; audit2allow -R #============= boinc_project_t ============== #!!!! The source type 'boinc_project_t' can write to a 'dir' of the following types: # boinc_project_tmp_t, var_lib_t, boinc_project_var_lib_t, tmp_t allow boinc_project_t boinc_var_lib_t:dir write;
Grift on #fedora-selinux found out a fix, here the procedure: #semanage permissive -a boinc_project_t so waited for another warning and then I did #semanage permissive -d boinc_project_t the paste of the warning is ---- time->Sun Mar 4 19:56:12 2012 type=SYSCALL msg=audit(1330887372.400:347): arch=40000003 syscall=39 success=yes exit=0 a0=a39b770 a1=1c0 a2=23 a3=a39b790 items=0 ppid=3590 pid=9766 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.23_i686-pc-linux-gnu__BRP4cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null) type=AVC msg=audit(1330887372.400:347): avc: denied { create } for pid=9766 comm="einsteinbinary_" name="9" scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir type=AVC msg=audit(1330887372.400:347): avc: denied { add_name } for pid=9766 comm="einsteinbinary_" name="9" scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir type=AVC msg=audit(1330887372.400:347): avc: denied { write } for pid=9766 comm="einsteinbinary_" name="ComputeCache" dev=sdd1 ino=3801106 scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir ---- time->Sun Mar 4 19:56:12 2012 type=SYSCALL msg=audit(1330887372.427:348): arch=40000003 syscall=5 success=yes exit=26 a0=a39b740 a1=241 a2=1b6 a3=0 items=0 ppid=3590 pid=9766 auid=4294967295 uid=494 gid=491 euid=494 suid=494 fsuid=494 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm="einsteinbinary_" exe="/var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.23_i686-pc-linux-gnu__BRP4cuda32nv270" subj=system_u:system_r:boinc_project_t:s0 key=(null) type=AVC msg=audit(1330887372.427:348): avc: denied { create } for pid=9766 comm="einsteinbinary_" name="626ce3" scontext=system_u:system_r:boinc_project_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=file $mkdir ~/myboinc; cd ~/myboinc $echo "policy_module(myboinc, 1.0.0) gen_require(\` type boinc_project_t, boinc_var_lib_t; ') create_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) allow boinc_project_t boinc_var_lib_t:dir create_dir_perms;" > myboinc.te #semodule -i myboinc.pp
Yes, we know about this issue. I am planning to fix up boinc policy.
Fixed in selinux-policy-3.10.0-81.fc16
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.