Bug 1575212

Summary: nnp_transition and execute_no_trans denials for geoclue2 2.4.10 prevent it working (F27)
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: unspecified    
Version: 27CC: bnocera, dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-08 15:34:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Williamson 2018-05-05 06:21:08 UTC 
An update for geoclue2 from 2.4.7 to 2.4.10 landed in F27 updates-testing recently:

https://bodhi.fedoraproject.org/updates/FEDORA-2018-68f9572fe5

however, the service fails to start with this version of the package, apparently due to a couple of SELinux denials:

May 03 11:43:31 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1048]: AVC avc:  denied  { nnp_transition } for  pid=1048 comm="(geoclue)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process2 permissive=0
May 03 11:43:31 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1048]: AVC avc:  denied  { execute_no_trans } for  pid=1048 comm="(geoclue)" path="/usr/libexec/geoclue" dev="dm-0" ino=151254 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:geoclue_exec_t:s0 tclass=file permissive=0

with the previous version of the package, the service started fine.
Comment 1 Bastien Nocera 2018-05-07 13:36:14 UTC 
Are we going to have to modify the policy for every daemon we lockdown using systemd? We've already had to do this for fprintd, and the process is seriously tedious.
Comment 2 Daniel Walsh 2018-05-07 14:19:30 UTC 
We should probably add this for a init daemons.
Comment 3 Bastien Nocera 2018-05-07 15:16:44 UTC 
Please add the fixed packages to the FEDORA-2018-68f9572fe5 update once it's fixed, so that the geoclue update can be pushed.
Comment 4 Adam Williamson 2018-05-07 23:46:54 UTC 
This is also affecting Rawhide, so it'd be good to have it fixed in Rawhide selinux-policy ASAP.
Comment 5 Lukas Vrabec 2018-05-16 00:20:56 UTC 
Hi, 

I'm traveling, I have all fixes on github repo, I'll try to do builds ASAP.
Comment 6 Bastien Nocera 2018-05-22 09:44:27 UTC 
The bug has been filed 2 weeks ago. Can we please get some movement on this?
Comment 7 Lukas Vrabec 2018-05-22 09:55:55 UTC 
Hi, 

Could you please try the latest build of selinux-policy? 

Thanks,
Lukas.
Comment 8 Bastien Nocera 2018-05-29 17:34:35 UTC 
Are we not going to fix this probably instead of having to add a patch for each one of the daemons we end up sandboxing?

https://github.com/fedora-selinux/selinux-policy-contrib/commit/d4eec964a759758e6de017b3dd4eaf16a38f6e70

Why aren't daemons already allowed to use NoNewPrivs when the point of it is to disallow requesting more privs?
Comment 9 Bastien Nocera 2018-05-29 17:41:09 UTC 
(In reply to Bastien Nocera from comment #3)
> Please add the fixed packages to the FEDORA-2018-68f9572fe5 update once it's
> fixed, so that the geoclue update can be pushed.

And this wasn't done either, and instead released as separate updates. At least a heads-up would have been nice.
Comment 10 Fedora Update System 2018-07-27 09:23:11 UTC 
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
Comment 11 Fedora Update System 2018-07-27 15:39:19 UTC 
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
Comment 12 Fedora Update System 2018-08-08 15:34:13 UTC 
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.