Bug 1357877 - boinc-manager started from confined SELinux (can't add boinc stats)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: boinc-client
Version: 24
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Laurence Field
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-07-19 12:56 UTC by Kees de Jong
Modified: 2016-07-19 15:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 15:09:34 UTC



Description Kees de Jong 2016-07-19 12:56:38 UTC
Description of problem: On IRC I read that Fedora 24 now has systemd in SELinux confined mode. This has some consequences for boinc-manager: it can't add projects or account managers when SELinux is set to enforced.


Version-Release number of selected component (if applicable):
boinc-manager-7.6.22-6.fc24.x86_64

[root@defiant ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30


How reproducible: Open the boinc-manager from the command line in its home directory (/var/lib/boinc); this is due to another bug: https://bugzilla.redhat.com/show_bug.cgi?id=1344729

Then click on Tools --> Add Project/Account Manager
This will not succeed and you'll get the error that the project/account manager is 'temporally' unavailable. When SELinux is disabled (`setenforce 0`) it works as expected.


Actual results: SELinux stops this with e.g. this AVC:
type=AVC msg=audit(1468930917.992:276): avc:  denied  { name_connect } for  pid=1179 comm="boinc_client" dest=443 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1

Please note that I have configured my ssh port to also accept port 443; this may be the cause that ssh_port_t is mentioned in this AVC.
[root@defiant ~]# semanage port -l | grep ssh_port_t
ssh_port_t                     tcp      443, 22

Comment 1 Germano Massullo 2016-07-19 15:09:34 UTC
Change SSH port or make a custom SELinux rule that allows you to make such changes.
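
Added example, not part of the bug report or of either participant's text: a small Python parser that correlates the AVC record above with `semanage port -l` output to show which port types list the denied destination port. The `http_port_t` row is a constructed sample and the function names are illustrative.

```python
import re

# AVC and the ssh_port_t row are copied from the report; the http_port_t row is constructed.
AVC = ('type=AVC msg=audit(1468930917.992:276): avc:  denied  { name_connect } for  '
       'pid=1179 comm="boinc_client" dest=443 scontext=system_u:system_r:boinc_t:s0 '
       'tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1')
PORTS = """\
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      443, 22
"""

def parse_avc(line):
    """Extract permissions and key=value fields from one AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError("not an AVC record")
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)))
    fields = {k: v.strip('"') for k, v in fields.items()}
    fields.update(result=m.group(1), perms=m.group(2).split())
    # SELinux contexts are user:role:type:level; the type is the third field.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def parse_ports(text):
    """Map (proto, port) -> list of types from `semanage port -l` output."""
    table = {}
    for row in text.splitlines():
        parts = row.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue  # skip the header and blank lines
        setype, proto, ports = parts
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                table.setdefault((proto, port), []).append(setype)
    return table

def explain(avc_line, ports_text):
    """Report which port types claim the denied destination port."""
    avc = parse_avc(avc_line)
    proto = avc["tclass"].split("_")[0]  # tcp_socket -> tcp
    owners = parse_ports(ports_text).get((proto, int(avc["dest"])), [])
    others = [t for t in owners if t != avc["ttype"]]
    return {"source": avc["stype"], "perm": avc["perms"], "port": int(avc["dest"]),
            "labelled_as": avc["ttype"], "also_listed_under": others,
            "permissive": avc.get("permissive") == "1"}

if __name__ == "__main__":
    print(explain(AVC, PORTS))
```

A non-empty `also_listed_under` flags a port whose effective label differs from another type that lists it, which is the situation the reporter describes for port 443. `permissive=1` in the record means the access was logged but not blocked when that record was written.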

