Bug 1711682 - Allow systemd unit file flag ReadWritePaths=/var/lib/boinc
Summary: Allow systemd unit file flag ReadWritePaths=/var/lib/boinc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-05-19 15:34 UTC by Germano Massullo
Modified: 2019-06-20 02:54 UTC (History)

Fixed In Version: selinux-policy-3.14.3-39.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1779070
Environment:
Last Closed: 2019-06-20 02:54:59 UTC
Type: Bug
Embargoed:



Description Germano Massullo 2019-05-19 15:34:50 UTC
Updating from Fedora 29 to 30 leads to SELinux being updated from 3.14.2-57.fc29 to 3.14.3-35.fc30. This new version prevents the BOINC client from starting as a client.


===============
# systemctl status boinc-client
● boinc-client.service - Berkeley Open Infrastructure Network Computing Client
   Loaded: loaded (/etc/systemd/system/boinc-client.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2019-05-19 17:14:28 CEST; 18min ago
     Docs: man:boinc(1)
  Process: 3459 ExecStart=/usr/bin/boinc (code=exited, status=226/NAMESPACE)
  Process: 3460 ExecStopPost=/bin/rm -f lockfile (code=exited, status=226/NAMESPACE)
 Main PID: 3459 (code=exited, status=226/NAMESPACE)

mag 19 17:14:28 office-machine systemd[1]: Started Berkeley Open Infrastructure Network Computing Client.
mag 19 17:14:28 office-machine systemd[3459]: boinc-client.service: Failed to set up mount namespacing: Permission denied
mag 19 17:14:28 office-machine systemd[3459]: boinc-client.service: Failed at step NAMESPACE spawning /usr/bin/boinc: Permission denied
mag 19 17:14:28 office-machine systemd[1]: boinc-client.service: Main process exited, code=exited, status=226/NAMESPACE
mag 19 17:14:28 office-machine systemd[3460]: boinc-client.service: Failed to set up mount namespacing: Permission denied
mag 19 17:14:28 office-machine systemd[3460]: boinc-client.service: Failed at step NAMESPACE spawning /bin/rm: Permission denied
mag 19 17:14:28 office-machine systemd[1]: boinc-client.service: Control process exited, code=exited, status=226/NAMESPACE
mag 19 17:14:28 office-machine systemd[1]: boinc-client.service: Failed with result 'exit-code'.
===============


and it causes SELinux to trigger the following alerts


===============
# ausearch -m avc -ts recent
----
time->Sun May 19 17:12:10 2019
type=AVC msg=audit(1558278730.833:253): avc:  denied  { mounton } for  pid=1992 comm="(boinc)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=0
----
time->Sun May 19 17:12:10 2019
type=AVC msg=audit(1558278730.845:254): avc:  denied  { mounton } for  pid=1993 comm="(rm)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=0
----
time->Sun May 19 17:13:38 2019
type=AVC msg=audit(1558278818.286:335): avc:  denied  { mounton } for  pid=3341 comm="(boinc)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=1
----
time->Sun May 19 17:13:38 2019
type=AVC msg=audit(1558278818.513:336): avc:  denied  { read } for  pid=3359 comm="lsmod" name="modules.softdep" dev="dm-2" ino=9307896 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
----
time->Sun May 19 17:13:38 2019
type=AVC msg=audit(1558278818.513:337): avc:  denied  { open } for  pid=3359 comm="lsmod" path="/usr/lib/modules/5.0.16-300.fc30.x86_64/modules.softdep" dev="dm-2" ino=9307896 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
----
time->Sun May 19 17:13:38 2019
type=AVC msg=audit(1558278818.584:338): avc:  denied  { unlink } for  pid=3341 comm="boinc" name="output.tgz" dev="dm-2" ino=5505836 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_project_var_lib_t:s0 tclass=lnk_file permissive=1
----
time->Sun May 19 17:13:38 2019
type=AVC msg=audit(1558278818.588:339): avc:  denied  { getattr } for  pid=3341 comm="boinc" path="/var/lib/boinc/slots/206/cernvm/shared/tmp/tmp.gb65xnkdnx/generator.hepmc" dev="dm-2" ino=5507008 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_project_var_lib_t:s0 tclass=fifo_file permissive=1
----
time->Sun May 19 17:13:38 2019
type=AVC msg=audit(1558278818.588:340): avc:  denied  { unlink } for  pid=3341 comm="boinc" name="generator.hepmc" dev="dm-2" ino=5507008 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:boinc_project_var_lib_t:s0 tclass=fifo_file permissive=1
----
time->Sun May 19 17:14:21 2019
type=AVC msg=audit(1558278861.954:341): avc:  denied  { mounton } for  pid=3452 comm="(boinccmd)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=1
----
time->Sun May 19 17:14:28 2019
type=AVC msg=audit(1558278868.565:347): avc:  denied  { mounton } for  pid=3459 comm="(boinc)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=0
----
time->Sun May 19 17:14:28 2019
type=AVC msg=audit(1558278868.574:348): avc:  denied  { mounton } for  pid=3460 comm="(rm)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=0
===============

Comment 1 Germano Massullo 2019-05-20 15:24:26 UTC
Thanks to grift of the #selinux Freenode IRC channel, we found out that the problem is caused by the
ReadWritePaths=/var/lib/boinc
flag in the boinc-client systemd unit file.
Can you please allow it in the next selinux-policy release?
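As an added example (not part of this bug report or of BOINC or selinux-policy), a small triage script that parses the `ausearch -m avc` records quoted in the description and separates the `mounton` denials hit by `init_t` while systemd builds the unit's mount namespace (the cause of `status=226/NAMESPACE`, traced above to `ReadWritePaths=`) from denials the running `boinc_t` domain hits. The regex field names and the `namespace-setup`/`service-runtime` labels are my own; the three sample records are copied from the report.

```python
import re
from collections import Counter

# Field pattern for one type=AVC record as printed by `ausearch -m avc`.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
UNIT_ROOT = "/run/systemd/unit-root/"  # where systemd stages a unit's private mount tree


def parse_avc(line):
    """Return the interesting fields of one AVC line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    path = re.search(r'\bpath="([^"]*)"', line)
    rec["path"] = path.group(1) if path else ""
    return rec


def domain(ctx):
    """system_u:system_r:init_t:s0 -> init_t (the type field of a context)."""
    return ctx.split(":")[2]


def classify(rec):
    """'namespace-setup': init_t (systemd itself, before exec) refused mounton on a dir
    under the unit root, i.e. ReadWritePaths=/ReadOnlyPaths= failing -> status=226/NAMESPACE."""
    if (domain(rec["scontext"]) == "init_t" and rec["tclass"] == "dir"
            and "mounton" in rec["perms"] and rec["path"].startswith(UNIT_ROOT)):
        return "namespace-setup"
    return "service-runtime"  # hit by the service's own domain once it is running


def triage(lines):
    """Count denials by (class, source domain, target type, tclass, perms)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(classify(rec), domain(rec["scontext"]), domain(rec["tcontext"]),
                rec["tclass"], rec["perms"])] += 1
    return counts


# Three records copied from the ausearch output in this report.
SAMPLE = [
    'type=AVC msg=audit(1558278730.833:253): avc:  denied  { mounton } for  pid=1992 comm="(boinc)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1558278818.513:336): avc:  denied  { read } for  pid=3359 comm="lsmod" name="modules.softdep" dev="dm-2" ino=9307896 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1558278868.574:348): avc:  denied  { mounton } for  pid=3460 comm="(rm)" path="/run/systemd/unit-root/var/lib/boinc" dev="dm-2" ino=5505250 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:boinc_var_lib_t:s0 tclass=dir permissive=0',
]
```

Feed it the `----`-separated output of `ausearch -m avc -ts recent`; a non-zero `namespace-setup` count points at the unit's sandboxing directives rather than at the service binary.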

Comment 2 Germano Massullo 2019-05-20 15:42:32 UTC
For completeness,
ReadWritePaths=/var/lib/boinc
is not yet in BOINC stable; I was testing it while testing the following pull request: https://github.com/BOINC/boinc/pull/2873/files
So it will arrive soon in a new BOINC version.

Comment 3 Lukas Vrabec 2019-05-20 16:22:15 UTC
commit e2b3b2f154fe28e051fcadec2ddec76f36b36a16 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon May 20 18:01:23 2019 +0200

    Make boinc_var_lib_t mountpoint BZ(1711682)


Will be part of next selinux-policy update.

Comment 4 Germano Massullo 2019-05-21 10:31:45 UTC
Thank you very much Lukas.
Have a nice day

Comment 5 Fedora Update System 2019-05-31 08:37:11 UTC
FEDORA-2019-3f20be4d52 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52

Comment 6 Fedora Update System 2019-06-01 01:35:07 UTC
selinux-policy-3.14.3-38.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52

Comment 7 Fedora Update System 2019-06-18 11:32:17 UTC
FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 8 Fedora Update System 2019-06-19 01:03:06 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 9 Fedora Update System 2019-06-20 02:54:59 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

