Bug 834900 - Selinux prevents boinc client from reading log file
Selinux prevents boinc client from reading log file
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: boinc-client (Show other bugs)
17
All Linux
unspecified Severity medium
: ---
: ---
Assigned To: Milos Jakubicek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-24 14:01 EDT by John Horne
Modified: 2012-07-11 19:56 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-11 19:56:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Selinux error msg (2.47 KB, application/octet-stream)
2012-06-24 14:01 EDT, John Horne
no flags Details

  None (edit)
Description John Horne 2012-06-24 14:01:26 EDT
Created attachment 594032 [details]
Selinux error msg

Description of problem:
Boinc has two log files in /var/log which are accessed via symbolic links in /var/lib/boinc. Selinux seems to be preventing the boinc client read access to those log files.


Version-Release number of selected component (if applicable):
boinc-client-6.12.43-2.r25218svn.fc17.x86_64
selinux-policy-3.10.0-132.fc17.noarch
selinux-policy-targeted-3.10.0-132.fc17.noarch


How reproducible:
Always

Steps to Reproduce:
1. start boinc using 'systemctl start boinc-client.service'
2. monitor /var/log/audit/audit.log file
3.
  
Actual results:
Attachments have the selinux details

Expected results:
Boinc should start up with no selinux problems

Additional info:
There are two log files involved:

================================
cd /var/lib/boinc
ls -l std*
lrwxrwxrwx. 1 boinc boinc 21 Jun 23 13:50 stderrdae.txt -> /var/log/boincerr.log
lrwxrwxrwx. 1 boinc boinc 18 Jun 23 13:50 stdoutdae.txt -> /var/log/boinc.log
ls -lL std*
-rw-r--r--. 1 boinc boinc     0 Jun 23 14:05 stderrdae.txt
-rw-r--r--. 1 boinc boinc 50961 Jun 24 18:44 stdoutdae.txt
================================
Comment 1 Milos Jakubicek 2012-06-24 14:13:20 EDT
Thanks for spotting that, I will fix that asap.
Comment 2 Milos Jakubicek 2012-06-26 09:18:00 EDT
That's strange, I reverted that change and redirect the output of boinc from a wrapper script around, which is sort of what was the case with SysVInit, but I still get an AVC denied writing to file (not a symlink anymore!):

SELinux is preventing /usr/bin/bash from open access on the file /var/log/boinc.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed open access on the boinc.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep boinc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/boinc.log [ file ]
Source                        boinc
Source Path                   /usr/bin/bash
Port                          <Neznámé>
Host                          ioel
Source RPM Packages           bash-4.2.29-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ioel
Platform                      Linux ioel 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18
                              19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Út 26. červen 2012, 15:14:28 CEST
Last Seen                     Út 26. červen 2012, 15:14:28 CEST
Local ID                      17a578f7-984e-44f7-b9af-18a0d864b0c5

Raw Audit Messages
type=AVC msg=audit(1340716468.5:755): avc:  denied  { open } for  pid=5793 comm="boinc" name="boinc.log" dev="dm-1" ino=1311162 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file


type=SYSCALL msg=audit(1340716468.5:755): arch=x86_64 syscall=open success=no exit=EACCES a0=1f0e4a0 a1=401 a2=1b6 a3=13 items=0 ppid=5792 pid=5793 auid=4294967295 uid=104 gid=103 euid=104 suid=104 fsuid=104 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=boinc exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc,boinc_t,var_log_t,file,open

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

CC'ing SELinux maintainers, were there any changes in handling SELinux access to  /var/log files between F16 and F17? Or is it because of the SysVInit->systemd transition? You can have a look at a preliminary version here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=4196528
Comment 3 Miroslav Grepl 2012-06-27 01:32:15 EDT
We don't have boinc log in the policy.
Comment 4 Miroslav Grepl 2012-06-27 01:35:58 EDT
Fixed in selinux-policy-3.10.0-134.fc17.noarch
Comment 5 Miroslav Grepl 2012-06-27 01:43:23 EDT
I also adde support for systemd.
Comment 6 Milos Jakubicek 2012-06-27 11:38:56 EDT
Miroslav, are you sure it is selinux-policy-3.10.0-134.fc17 and not selinux-policy-3.11.0-7.fc18?
Comment 7 Miroslav Grepl 2012-06-28 07:22:42 EDT
# git log f17

commit 880755276bfbc0a0ff0cc33c5685e0a195cccb6c
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jun 27 07:50:56 2012 +0200

    Allow boinc domains to manage boinc_lib_t lnk_files

commit b1f69176de44a8ce2d7fb00ae5ff89aa9f63f525
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jun 27 07:41:46 2012 +0200

    Add support for boinc-client.service unit file

commit eca1500482e8f221304c9c424a275a658ba0f219
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jun 27 07:35:06 2012 +0200

    add support for boinc.log


So it has been added to F17 too.
Comment 8 Milos Jakubicek 2012-06-28 09:24:09 EDT
Well, just checked out selinux-policy in git:

>git log f17 | grep "Allow boinc"
    - Allow boinc to read passwd
    - Allow boinc projects to gconf config files
    - Allow boinc project to getattr on fs
    - Allow boinc_project to use shm
    Allow boinc_project to use shm
    Allow boinc projects to execute java

So you did not push that and it is not part of selinux-policy-3.10.0-134.fc17 -- right?
Comment 9 Miroslav Grepl 2012-06-28 09:36:18 EDT
Ah, I apologize .. I wanted to wrote

Fixed in selinux-policy-3.10.0-135.fc17.noarch
Comment 10 Milos Jakubicek 2012-06-28 10:07:05 EDT
Great, right -- thanks for a fast response!
Comment 11 Fedora Update System 2012-07-10 03:28:51 EDT
boinc-client-7.0.29-1.r25790svn.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-9859/boinc-client-7.0.29-1.r25790svn.fc17
Comment 12 Fedora Update System 2012-07-11 19:56:15 EDT
boinc-client-7.0.29-1.r25790svn.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.