Created attachment 594032: Selinux error msg

Description of problem:
Boinc has two log files in /var/log which are accessed via symbolic links in /var/lib/boinc. Selinux seems to be preventing the boinc client read access to those log files.

Version-Release number of selected component (if applicable):
boinc-client-6.12.43-2.r25218svn.fc17.x86_64
selinux-policy-3.10.0-132.fc17.noarch
selinux-policy-targeted-3.10.0-132.fc17.noarch

How reproducible:
Always

Steps to Reproduce:
1. start boinc using 'systemctl start boinc-client.service'
2. monitor /var/log/audit/audit.log file

Actual results:
Attachments have the selinux details

Expected results:
Boinc should start up with no selinux problems

Additional info:
There are two log files involved:
================================
cd /var/lib/boinc
ls -l std*
lrwxrwxrwx. 1 boinc boinc 21 Jun 23 13:50 stderrdae.txt -> /var/log/boincerr.log
lrwxrwxrwx. 1 boinc boinc 18 Jun 23 13:50 stdoutdae.txt -> /var/log/boinc.log
ls -lL std*
-rw-r--r--. 1 boinc boinc 0 Jun 23 14:05 stderrdae.txt
-rw-r--r--. 1 boinc boinc 50961 Jun 24 18:44 stdoutdae.txt
================================
Thanks for spotting that, I will fix that asap.
That's strange, I reverted that change and redirect the output of boinc from a wrapper script around, which is sort of what was the case with SysVInit, but I still get an AVC denied writing to file (not a symlink anymore!):

SELinux is preventing /usr/bin/bash from open access on the file /var/log/boinc.log.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed open access on the boinc.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep boinc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/boinc.log [ file ]
Source                        boinc
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          ioel
Source RPM Packages           bash-4.2.29-1.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ioel
Platform                      Linux ioel 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 26 June 2012, 15:14:28 CEST
Last Seen                     Tue 26 June 2012, 15:14:28 CEST
Local ID                      17a578f7-984e-44f7-b9af-18a0d864b0c5

Raw Audit Messages
type=AVC msg=audit(1340716468.5:755): avc: denied { open } for pid=5793 comm="boinc" name="boinc.log" dev="dm-1" ino=1311162 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1340716468.5:755): arch=x86_64 syscall=open success=no exit=EACCES a0=1f0e4a0 a1=401 a2=1b6 a3=13 items=0 ppid=5792 pid=5793 auid=4294967295 uid=104 gid=103 euid=104 suid=104 fsuid=104 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=boinc exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: boinc,boinc_t,var_log_t,file,open

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied

CC'ing SELinux maintainers, were there any changes in handling SELinux access to /var/log files between F16 and F17? Or is it because of the SysVInit->systemd transition?

You can have a look at a preliminary version here: http://koji.fedoraproject.org/koji/taskinfo?taskID=4196528
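The AVC records quoted above are what audit2allow turns into an allow rule. As an added example (not code from this report, from boinc, or from selinux-policy), here is a small parser that does the same aggregation over raw audit.log lines and, unlike a plain `audit2allow -M`, flags the result when the target is a generic type. The rule audit2allow would produce here, `allow boinc_t var_log_t:file open`, lets the boinc domain open every file labelled var_log_t, not just its own log; the narrower fix is a dedicated file context for the log so the domain only gets access to its own type. The first AVC line is the one from this comment; the second is a constructed record standing in for the symlink denial described in comment 0, and the type name boinc_log_t in the warning text is a hypothetical placeholder.

```python
import re
from collections import defaultdict

# Audit records in the format of /var/log/audit/audit.log. The first AVC and
# the SYSCALL record are copied from this bug report; the third line is a
# constructed example of the lnk_file denial from comment 0, not a real record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1340716468.5:755): avc:  denied  { open } for  pid=5793 comm="boinc" name="boinc.log" dev="dm-1" ino=1311162 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1340716468.5:755): arch=x86_64 syscall=open success=no exit=EACCES a0=1f0e4a0 a1=401 a2=1b6 a3=13 items=0 ppid=5792 pid=5793 auid=4294967295 uid=104 gid=103 euid=104 suid=104 fsuid=104 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm="boinc" exe="/usr/bin/bash" subj=system_u:system_r:boinc_t:s0 key=(null)
type=AVC msg=audit(1340716400.1:700): avc:  denied  { read } for  pid=5700 comm="boinc" name="stdoutdae.txt" dev="dm-1" ino=1311100 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_lib_t:s0 tclass=lnk_file
"""

# Matches only AVC records; SYSCALL, CWD and PATH records are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

# Generic labels that an allow rule should not target: granting access to
# var_log_t means access to every log in /var/log, not just the daemon's own.
GENERIC_TYPES = {'var_log_t', 'var_t', 'var_lib_t', 'tmp_t', 'etc_t', 'usr_t', 'bin_t'}


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]


def parse_avcs(text):
    """Extract every denied AVC as (perms, source type, target type, class)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('result') != 'denied':
            continue
        denials.append({
            'perms': frozenset(m.group('perms').split()),
            'source': type_of(m.group('scontext')),
            'target': type_of(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def review(denials):
    """Warn for each denial whose target is a generic type.

    boinc_log_t below is a hypothetical name for a dedicated file type; the
    point is that the file should be relabelled rather than var_log_t opened up.
    """
    warnings = []
    for d in denials:
        if d['target'] in GENERIC_TYPES:
            warnings.append(
                f"{d['source']} -> {d['target']}:{d['tclass']}: generic target type; "
                f"label the file with its own type (e.g. boinc_log_t via a file "
                f"context) instead of allowing access to all of {d['target']}"
            )
    return warnings


if __name__ == '__main__':
    found = parse_avcs(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for warning in review(found):
        print('WARNING:', warning)
```

Run against a real audit.log (`grep boinc /var/log/audit/audit.log`) the output of `allow_rules` matches what `audit2allow` prints for the same input; the warnings are the part a reviewer should act on before running `semodule -i` on a generated module.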
We don't have boinc log in the policy.
Fixed in selinux-policy-3.10.0-134.fc17.noarch
I also added support for systemd.
Miroslav, are you sure it is selinux-policy-3.10.0-134.fc17 and not selinux-policy-3.11.0-7.fc18?
# git log f17
commit 880755276bfbc0a0ff0cc33c5685e0a195cccb6c
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:50:56 2012 +0200

    Allow boinc domains to manage boinc_lib_t lnk_files

commit b1f69176de44a8ce2d7fb00ae5ff89aa9f63f525
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:41:46 2012 +0200

    Add support for boinc-client.service unit file

commit eca1500482e8f221304c9c424a275a658ba0f219
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 27 07:35:06 2012 +0200

    add support for boinc.log

So it has been added to F17 too.
Well, just checked out selinux-policy in git:

>git log f17 | grep "Allow boinc"
- Allow boinc to read passwd
- Allow boinc projects to gconf config files
- Allow boinc project to getattr on fs
- Allow boinc_project to use shm
Allow boinc_project to use shm
Allow boinc projects to execute java

So you did not push that and it is not part of selinux-policy-3.10.0-134.fc17 -- right?
Ah, I apologize .. I wanted to write Fixed in selinux-policy-3.10.0-135.fc17.noarch
Great, right -- thanks for a fast response!
boinc-client-7.0.29-1.r25790svn.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/FEDORA-2012-9859/boinc-client-7.0.29-1.r25790svn.fc17
boinc-client-7.0.29-1.r25790svn.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.