Bug 1303070 - boinc-client runs unconfined
Summary: boinc-client runs unconfined
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: boinc-client
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Laurence Field
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-01-29 13:02 UTC by DaveG
Modified: 2016-05-31 09:22 UTC (History)

Fixed In Version: boinc-client-7.6.22-4.fc23 boinc-client-7.6.22-4.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-26 10:55:31 UTC
Type: Bug
Embargoed:


Attachments:
/etc/systemd/system/boinc-client.service (392 bytes, text/plain)
2016-01-29 13:02 UTC, DaveG

Description DaveG 2016-01-29 13:02:49 UTC
Created attachment 1119423: /etc/systemd/system/boinc-client.service

Description of problem:

The BOINC client service should be running in a confined context but there appears to be a disconnect in the SELinux transition, probably due to the introduction of a “wrapper script”.

Rather than run the client service directly, the systemd unit file executes the wrapper that then runs the service, redirecting stderr and stdout. Unit (boinc_unit_file_t) and binary (boinc_exec_t) files are both correctly tagged but the bash wrapper has default context (bin_t).

The result is that the service process runs as unconfined_service_t rather than boinc_t, as intended.


Version-Release number of selected component (if applicable):

F22 through rawhide.


How reproducible:

Always.


Steps to Reproduce:
1. Install and start boinc-client.
2. ps -efZ | fgrep boinc_client


Actual results:

system_u:system_r:unconfined_service_t:s0    boinc     1259     1  0 Jan21 ?        00:10:28 /usr/bin/boinc_client ...



Expected results:

system_u:system_r:boinc_t:s0    boinc     1259     1  0 Jan21 ?        00:10:28 /usr/bin/boinc_client ...


Additional info:

The problem is the wrapper script, /usr/bin/boinc. Its function is to redirect detailed logging from BOINC to log files under /var/log.

One alternative that I currently use is to run the BOINC client in daemon mode (forking) directly from the systemd unit file. In daemon mode stderr and stdout are written to files in the working directory, /var/lib/boinc/{stderrdae.txt,stdoutdae.txt}. These are symbolic links to files in /var/log.

This changes the unit file service type from simple to forking. The BOINC client does not have a PID file option but systemd guesses the PID accurately.

My working systemd unit file is attached.

Either the package or the unit file would need to set up the symbolic links.

Without the wrapper script the SELinux transitions work as expected and the BOINC client runs confined.
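
The failure mode described in this report (an ExecStart target labelled bin_t, so the daemon never transitions into its own domain) can be checked mechanically. The helpers below are an added example, not part of boinc-client or Fedora; they parse a unit file, an SELinux file label and captured "ps -efZ" output, and the sample data is constructed to mirror the report.

```shell
#!/bin/sh
# Hypothetical audit helpers (added example; not from the boinc-client package).
# Each reads text on stdin so it works on captured output as well as live
# "ps -efZ" / "stat -c %C" output.

# 1. Executables a unit runs: first word of every Exec*= line, with systemd's
#    "-", "@", "+", "!" and "!!" prefixes stripped.
unit_exec_paths() {
    sed -n 's/^Exec[A-Za-z]*=//p' | sed 's/^[-@+!]*//' | awk '{ print $1 }'
}

# 2. SELinux type from a bare label such as "system_u:object_r:bin_t:s0"
#    (what "stat -c %C FILE" prints): user:role:type:level -> type.
label_type() {
    cut -d: -f3
}

# 3. Verdict for the ExecStart target's type: an entrypoint type (*_exec_t,
#    e.g. boinc_exec_t) is what a domain transition needs; the generic bin_t
#    of the wrapper script is the case reported above.
entry_verdict() {
    case "$1" in
        *_exec_t) echo ok ;;
        bin_t)    echo suspect ;;
        *)        echo unknown ;;
    esac
}

# 4. From "ps -efZ" output, print "<pid> <cmd>" of every system service left
#    in unconfined_service_t, i.e. a daemon whose transition did not happen.
#    Columns: LABEL UID PID PPID C STIME TTY TIME CMD.
unconfined_services() {
    awk '$1 ~ /^system_u:system_r:unconfined_service_t:/ { print $3, $9 }'
}

# Constructed sample data: a unit that starts the wrapper /usr/bin/boinc, and
# a process list with one unconfined and one confined boinc_client.
SAMPLE_UNIT='[Service]
Type=simple
ExecStartPre=-/usr/bin/touch /var/log/boinc.log
ExecStart=/usr/bin/boinc
ExecStop=/usr/bin/boinccmd --quit'
SAMPLE_PS='LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:unconfined_service_t:s0 boinc 1259 1 0 Jan21 ? 00:10:28 /usr/bin/boinc_client
system_u:system_r:boinc_t:s0 boinc 9509 1 0 12:30 ? 00:00:32 /usr/bin/boinc_client --daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655 0 22:34 pts/2 00:00:00 grep boinc_client'

printf '%s\n' "$SAMPLE_UNIT" | unit_exec_paths
printf '%s\n' "$SAMPLE_PS" | unconfined_services
```

On a live host, feed `unit_exec_paths` the unit file and run `stat -c %C` on each path it prints through `label_type` and `entry_verdict`; the `grep` line in the sample shows why only system_r entries are reported.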

Comment 1 DaveG 2016-01-29 13:23:50 UTC
Minor issue:

The systemd unit file should not have execute permission.

install -p -m755 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service
  should be
install -p -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/%{name}.service

Ref:
http://pkgs.fedoraproject.org/cgit/rpms/boinc-client.git/tree/boinc-client.spec#n217

Comment 2 Germano Massullo 2016-01-29 14:11:08 UTC
Thank you DaveG for your extensive explanation.
Could the CC'ed SELinux developers please provide feedback about this problem?
Thank you for your time.

Comment 3 Fedora Update System 2016-02-25 10:22:30 UTC
boinc-client-7.6.22-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-268bdbd1df

Comment 4 Fedora Update System 2016-02-25 10:22:30 UTC
boinc-client-7.6.22-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-89ece19b35

Comment 5 Fedora Update System 2016-02-25 10:23:10 UTC
boinc-client-7.6.22-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e698a1a52

Comment 6 Fedora Update System 2016-02-26 20:52:31 UTC
boinc-client-7.6.22-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e698a1a52

Comment 7 Fedora Update System 2016-02-26 20:53:39 UTC
boinc-client-7.6.22-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-89ece19b35

Comment 8 Fedora Update System 2016-02-27 02:20:34 UTC
boinc-client-7.6.22-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-268bdbd1df

Comment 9 Fedora Update System 2016-05-16 16:28:03 UTC
boinc-client-7.6.22-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517

Comment 10 Fedora Update System 2016-05-16 18:50:58 UTC
boinc-client-7.6.22-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517

Comment 11 Fedora Update System 2016-05-16 19:36:37 UTC
boinc-client-7.6.22-4.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-06a48f3a5f

Comment 12 Fedora Update System 2016-05-17 22:00:55 UTC
boinc-client-7.6.22-4.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-06a48f3a5f

Comment 13 Fedora Update System 2016-05-17 22:00:59 UTC
boinc-client-7.6.22-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2623b55517

Comment 14 Germano Massullo 2016-05-22 20:39:49 UTC
Hi Dave, on F24, using the following .service file, I still get problems with the SELinux's BOINC confinement.

======
# ps -efZ | fgrep boinc_client
system_u:system_r:boinc_t:s0    boinc     9509     1  0 12:30 ?        00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client
======

==========
[Unit]
Description=Berkeley Open Infrastructure Network Computing Client
Documentation=man:boinc(1)
After=network-online.target

[Service]
Type=forking
Nice=10
User=boinc
Group=boinc
PermissionsStartOnly=yes
WorkingDirectory=/var/lib/boinc
ExecStartPre=/usr/bin/touch /var/log/boinc.log /var/log/boinc_err.log
ExecStartPre=/bin/chown boinc:boinc /var/log/boinc.log /var/log/boinc_err.log
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config
ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile
IOSchedulingClass=idle
Environment=LOGFILE=/var/log/boinc.log
Environment=ERRORLOG=/var/log/boinc_err.log
Environment=SYSTEMD_LOG_LEVEL=debug

[Install]
WantedBy=multi-user.target
==========

I inserted [Environment] while (still unsuccessfully) trying to find out why BOINC does not fill the log files. [1][2]

Do you have any idea?
Have a nice day

[1]: https://boinc.berkeley.edu/dev/forum_thread.php?id=11011
[2]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/K3LSOGW2CL3UYFMALIWNMGEYOBP7C3V4/

Comment 15 DaveG 2016-05-22 21:58:35 UTC
Logging has stopped for me too. Last entry on 2016-05-16.

Looks like it's SELinux file context on the stderr log file triggering an AVC and boinc is giving up on all logging.

Managed to fix it for me (F22) with:

semanage fcontext --add --type boinc_log_t --ftype f '/var/log/boincerr\.log.*'
restorecon -Fv /var/log/boinc*
systemctl restart boinc-client.service

Check your logs for AVCs on client start.

Still need to check that logrotate still works...

Is boinc in flux? The man page has ...
       --daemon
              Run as daemon. Will redirect stderr and stdout to syslog.

... and the code appears to use syslog.h but my client still uses stderrdae.txt and stdoutdae.txt when run with --daemon. Still, no worries.

FYI, my (now working) config...
# cat /etc/systemd/system/boinc-client.service
[Unit]
Description=Berkeley Open Infrastructure Network Computing Client
Documentation=man:boinc(1)
After=network-online.target

[Service]
Type=forking
Nice=10
User=boinc
WorkingDirectory=/var/lib/boinc
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config

[Install]
WantedBy=multi-user.target

# cat /etc/logrotate.d/boinc-client
/var/log/boinc.log /var/log/boincerr.log {
	missingok
	notifempty
	copytruncate
	compress
	delaycompress
	nomail
}

# ls -lZ /var/log/boinc*
-rw-rw-r--. 1 boinc boinc system_u:object_r:boinc_log_t:s0     0 Jan 14 13:04 /var/log/boincerr.log
-rw-rw-r--. 1 boinc boinc system_u:object_r:boinc_log_t:s0  3465 May 22 22:37 /var/log/boinc.log

# ls -lZ /var/lib/boinc/std*
lrwxrwxrwx. 1 root  root  unconfined_u:object_r:boinc_var_lib_t:s0   21 May 22 22:29 /var/lib/boinc/stderrdae.txt -> /var/log/boincerr.log
-rw-r--r--. 1 boinc boinc system_u:object_r:boinc_var_lib_t:s0        0 Feb 25  2014 /var/lib/boinc/stderrgpudetect.txt
lrwxrwxrwx. 1 root  root  unconfined_u:object_r:boinc_var_lib_t:s0   18 May 22 22:29 /var/lib/boinc/stdoutdae.txt -> /var/log/boinc.log
-rw-r--r--. 1 boinc boinc system_u:object_r:boinc_var_lib_t:s0     8364 May 22 22:37 /var/lib/boinc/stdoutgpudetect.txt

# ls -lZ /usr/bin/boinc_client
-rwxr-xr-x. 1 root root system_u:object_r:boinc_exec_t:s0 929448 Jan 31 17:42 /usr/bin/boinc_client

Comment 16 Germano Massullo 2016-05-23 14:20:40 UTC
My error: Lukas Vrabec told me that
======
# ps -efZ | fgrep boinc_client
system_u:system_r:boinc_t:s0    boinc     9509     1  0 12:30 ?        00:00:32 /usr/bin/boinc_client --daemon --start_delay 1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client
======

in Comment 14 is fine since

system_u:system_r:boinc_t:s0    boinc     9509     1  0 12:30 ?        00:00:32 /usr/bin/boinc_client --daemon --start_delay 1

is confined and 

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21752 21655  0 22:34 pts/2 00:00:00 grep -F --color=auto boinc_client

is related to the grep command. So I can push the builds on stable.
For the log bug I am going to open another bug report where we can co-operate, if you want (I would be glad!).

Comment 17 Fedora Update System 2016-05-26 10:55:20 UTC
boinc-client-7.6.22-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-05-31 09:22:06 UTC
boinc-client-7.6.22-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

