Bug 1303070

| Field | Value |
|---|---|
| Summary | boinc-client runs unconfined |
| Product | Fedora |
| Component | boinc-client |
| Version | 23 |
| Hardware | Unspecified |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Reporter | DaveG <daveg> |
| Assignee | Laurence Field <Laurence.Field> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | cheekyboinc, daveg, dwalsh, germano.massullo, Laurence.Field, lvrabec, mattia.verga, mgrepl, mmahut, plautrba, xjakub |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | boinc-client-7.6.22-4.fc23 boinc-client-7.6.22-4.fc22 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2016-05-26 10:55:31 UTC |
Minor issue: the systemd unit file should not have execute permission.

```
install -p -m755 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service
```

should be

```
install -p -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service
```

Ref: http://pkgs.fedoraproject.org/cgit/rpms/boinc-client.git/tree/boinc-client.spec#n217

Thank you DaveG for your extensive explanation. Could the CC'ed SELinux developers please provide feedback about this problem? Thank you for your time.

boinc-client-7.6.22-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-268bdbd1df

boinc-client-7.6.22-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-89ece19b35

boinc-client-7.6.22-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e698a1a52

boinc-client-7.6.22-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e698a1a52

boinc-client-7.6.22-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-89ece19b35

boinc-client-7.6.22-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-268bdbd1df

boinc-client-7.6.22-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517

boinc-client-7.6.22-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517

boinc-client-7.6.22-4.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-06a48f3a5f

boinc-client-7.6.22-4.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-06a48f3a5f

boinc-client-7.6.22-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517

Hi Dave, on F24, using the following .service file, I still get problems with SELinux's BOINC confinement.

```
# ps -efZ | fgrep boinc_client
system_u:system_r:boinc_t:s0    boinc  9509     1  0 12:30 ?     00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client
```

```
[Unit]
Description=Berkeley Open Infrastructure Network Computing Client
Documentation=man:boinc(1)
After=network-online.target

[Service]
Type=forking
Nice=10
User=boinc
Group=boinc
PermissionsStartOnly=yes
WorkingDirectory=/var/lib/boinc
ExecStartPre=/usr/bin/touch /var/log/boinc.log /var/log/boinc_err.log
ExecStartPre=/bin/chown boinc:boinc /var/log/boinc.log /var/log/boinc_err.log
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config
ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile
IOSchedulingClass=idle
Environment=LOGFILE=/var/log/boinc.log
Environment=ERRORLOG=/var/log/boinc_err.log
Environment=SYSTEMD_LOG_LEVEL=debug

[Install]
WantedBy=multi-user.target
```

I inserted the [Environment] lines while (still unsuccessfully) trying to find out why BOINC does not fill the log files. [1][2] Do you have any idea? Have a nice day

[1]: https://boinc.berkeley.edu/dev/forum_thread.php?id=11011
[2]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/K3LSOGW2CL3UYFMALIWNMGEYOBP7C3V4/

Logging has stopped for me too. Last entry on 2016-05-16. Looks like it's the SELinux file context on the stderr log file triggering an AVC and boinc is giving up on all logging. Managed to fix it for me (F22) with:

```
semanage fcontext --add --type boinc_log_t --ftype f '/var/log/boincerr\.log.*'
restorecon -Fv /var/log/boinc*
systemctl restart boinc-client.service
```

Check your logs for AVCs on client start. Still need to check that logrotate still works...

Is boinc in flux? The man page has

```
--daemon    Run as daemon. Will redirect stderr and stdout to syslog.
```

and the code appears to use syslog.h, but my client still uses stderrdae.txt and stdoutdae.txt when run with --daemon. Still, no worries.

FYI, my (now working) config...

```
# cat /etc/systemd/system/boinc-client.service
[Unit]
Description=Berkeley Open Infrastructure Network Computing Client
Documentation=man:boinc(1)
After=network-online.target

[Service]
Type=forking
Nice=10
User=boinc
WorkingDirectory=/var/lib/boinc
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config

[Install]
WantedBy=multi-user.target

# cat /etc/logrotate.d/boinc-client
/var/log/boinc.log /var/log/boincerr.log {
    missingok
    notifempty
    copytruncate
    compress
    delaycompress
    nomail
}

# ls -lZ /var/log/boinc*
-rw-rw-r--. 1 boinc boinc system_u:object_r:boinc_log_t:s0    0 Jan 14 13:04 /var/log/boincerr.log
-rw-rw-r--. 1 boinc boinc system_u:object_r:boinc_log_t:s0 3465 May 22 22:37 /var/log/boinc.log

# ls -lZ /var/lib/boinc/std*
lrwxrwxrwx. 1 root  root  unconfined_u:object_r:boinc_var_lib_t:s0   21 May 22 22:29 /var/lib/boinc/stderrdae.txt -> /var/log/boincerr.log
-rw-r--r--. 1 boinc boinc system_u:object_r:boinc_var_lib_t:s0        0 Feb 25  2014 /var/lib/boinc/stderrgpudetect.txt
lrwxrwxrwx. 1 root  root  unconfined_u:object_r:boinc_var_lib_t:s0   18 May 22 22:29 /var/lib/boinc/stdoutdae.txt -> /var/log/boinc.log
-rw-r--r--. 1 boinc boinc system_u:object_r:boinc_var_lib_t:s0     8364 May 22 22:37 /var/lib/boinc/stdoutgpudetect.txt

# ls -lZ /usr/bin/boinc_client
-rwxr-xr-x. 1 root root system_u:object_r:boinc_exec_t:s0 929448 Jan 31 17:42 /usr/bin/boinc_client
```

My error: Lukas Vrabec told me that

```
# ps -efZ | fgrep boinc_client
system_u:system_r:boinc_t:s0    boinc  9509     1  0 12:30 ?     00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client
```

in Comment 14 is fine, since

```
system_u:system_r:boinc_t:s0    boinc  9509     1  0 12:30 ?     00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
```

is confined and

```
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client
```

is related to the grep command. So I can push the builds to stable. For the log bug I am going to open another bug report where we can co-operate, if you want (I would be glad!).

boinc-client-7.6.22-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

boinc-client-7.6.22-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1119423 [details] /etc/systemd/system/boinc-client.service

Description of problem:
The BOINC client service should be running in a confined context, but there appears to be a disconnect in the SELinux transition, probably due to the introduction of a "wrapper script". Rather than run the client service directly, the systemd unit file executes the wrapper, which then runs the service, redirecting stderr and stdout. The unit (boinc_unit_file_t) and binary (boinc_exec_t) files are both correctly tagged, but the bash wrapper has the default context (bin_t). The result is that the service process runs as unconfined_service_t rather than boinc_t, as intended.

Version-Release number of selected component (if applicable):
F22 through rawhide.

How reproducible:
Always.

Steps to Reproduce:
1. Install and start boinc-client.
2. ps -efZ | fgrep boinc_client

Actual results:

```
system_u:system_r:unconfined_service_t:s0 boinc 1259 1 0 Jan21 ? 00:10:28 /usr/bin/boinc_client ...
```

Expected results:

```
system_u:system_r:boinc_t:s0 boinc 1259 1 0 Jan21 ? 00:10:28 /usr/bin/boinc_client ...
```

Additional info:
The problem is the wrapper script, /usr/bin/boinc. Its function is to redirect detailed logging from BOINC to log files under /var/log. One alternative that I currently use is to run the BOINC client in daemon mode (forking) directly from the systemd unit file. In daemon mode stderr and stdout are written to files in the working directory, /var/lib/boinc/{stderrdae.txt,stdoutdae.txt}. These are symbolic links to files in /var/log. This changes the unit file service type from simple to forking. The BOINC client does not have a PID file option, but systemd guesses the PID accurately. My working systemd unit file is attached. Either the package or the unit file would need to set up the symbolic links. Without the wrapper script the SELinux transitions work as expected and the BOINC client runs confined.
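As an added verification script (not part of this bug report or of the boinc-client package): it parses `ps -efZ` output for the boinc_client process and reports whether it runs in boinc_t or fell through to another domain, skipping the grep process that also matches the pattern (the false positive discussed in the thread), and checks that the ExecStart target carries boinc_exec_t, since a wrapper labelled bin_t gets no domain transition. The sample ps and ls lines are constructed from the ones quoted in this bug; `--live` runs the same checks against the real host.

```shell
#!/bin/sh
# Added example, not code from the bug or the package.

# Constructed sample of `ps -efZ | grep boinc_client` output, modelled on the
# lines quoted in this bug; not captured from a live host.
SAMPLE_PS_UNCONFINED='system_u:system_r:unconfined_service_t:s0 boinc 1259 1 0 Jan21 ? 00:10:28 /usr/bin/boinc_client --daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655 0 22:34 pts/2 00:00:00 grep -F boinc_client'
SAMPLE_PS_CONFINED='system_u:system_r:boinc_t:s0 boinc 9509 1 0 12:30 ? 00:00:32 /usr/bin/boinc_client --daemon --start_delay 1'
# Constructed `ls -lZ` line for the ExecStart binary.
SAMPLE_LS='-rwxr-xr-x. 1 root root system_u:object_r:boinc_exec_t:s0 929448 Jan 31 17:42 /usr/bin/boinc_client'

# boinc_domain_of PS_OUTPUT: print the SELinux type of the boinc_client process.
# Only the line whose command (field 9 of `ps -efZ`) is the binary counts, so the
# grep process that also matches the pattern is ignored.
boinc_domain_of() {
    printf '%s\n' "$1" |
        awk '$9 == "/usr/bin/boinc_client" { split($1, ctx, ":"); print ctx[3]; exit }'
}

# exec_type_of LS_LINE: print the SELinux type from an `ls -lZ` line (field 5).
exec_type_of() {
    printf '%s\n' "$1" | awk '{ split($5, ctx, ":"); print ctx[3] }'
}

# check_confined PS_OUTPUT: 0 if boinc_client is in boinc_t, 1 if it runs in
# another domain, 2 if it is not running.
check_confined() {
    domain=$(boinc_domain_of "$1")
    case "$domain" in
        boinc_t) echo "ok: boinc_client runs confined in boinc_t"; return 0 ;;
        '')      echo "boinc_client is not running"; return 2 ;;
        *)       echo "WARNING: boinc_client runs in $domain, expected boinc_t"; return 1 ;;
    esac
}

# check_exec_label LS_LINE: 0 if the ExecStart target is labelled boinc_exec_t.
check_exec_label() {
    t=$(exec_type_of "$1")
    [ "$t" = boinc_exec_t ] && return 0
    echo "WARNING: ExecStart target is $t, no transition to boinc_t will occur"
    return 1
}

# Live check on a Fedora host; pass --live to run against the real system.
if [ "${1:-}" = --live ]; then
    check_confined "$(ps -efZ | grep boinc_client)"
    check_exec_label "$(ls -lZ /usr/bin/boinc_client)"
fi
```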