Bug 1804713
| Summary: | usbguard prevented from writing conf via dontaudit rule | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Dolezal <todoleza> |
| Component: | usbguard | Assignee: | Daniel Kopeček <dkopecek> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 31 | CC: | dkopecek, rsroka |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | usbguard-0.7.8-1.fc32 usbguard-0.7.8-1.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-07-03 01:18:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
FEDORA-2020-f502be60a4 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-f502be60a4 FEDORA-2020-c30d6afc1c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-c30d6afc1c FEDORA-2020-c30d6afc1c has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-c30d6afc1c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-c30d6afc1c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-f502be60a4 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-f502be60a4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-f502be60a4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-f502be60a4 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-c30d6afc1c has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: permission denied when issuing permanent allowance rules. selinux blocks access silently. Version-Release number of selected component (if applicable): usbguard-0.7.6-6.fc31.x86_64 usbguard-selinux-0.7.6-6.fc31.noarch selinux-policy-3.14.4-47.fc31.noarch How reproducible: always Steps to Reproduce: # usbguard allow-device -p 43 IPC ERROR: request id=1: FileRuleSet saving: /etc/usbguard/rules.conf: Permission denied # semodule -DB # usbguard allow-device -p 43 IPC ERROR: request id=1: FileRuleSet saving: /etc/usbguard/rules.conf: Permission denied # setenforce 0 # usbguard allow-device -p 43 # ausearch -m avc -ts recent ---- time->Wed Feb 19 14:46:56 2020 type=AVC msg=audit(1582120016.357:350): avc: denied { write } for pid=1255 comm="usbguard-daemon" name="rules.conf" dev="dm-1" ino=17282452 scontext=system_u:system_r:usbguard_t:s0 tcontext=unconfined_u:object_r:usbguard_conf_t:s0 tclass=file permissive=0 ---- time->Wed Feb 19 14:47:18 2020 type=AVC msg=audit(1582120038.061:355): avc: denied { write } for pid=1255 comm="usbguard-daemon" name="rules.conf" dev="dm-1" ino=17282452 scontext=system_u:system_r:usbguard_t:s0 tcontext=unconfined_u:object_r:usbguard_conf_t:s0 tclass=file permissive=1 # ausearch -m avc -ts recent -r | audit2allow -R require { type usbguard_conf_t; type usbguard_t; class file write; } #============= usbguard_t ============== #!!!! This avc can be allowed using the boolean 'usbguard_daemon_write_conf' allow usbguard_t usbguard_conf_t:file write; Actual results: present selinux boolean is hidden behind dontaudit rule, no usbguard_selinux page found. It is troublesome to debug unless (usually global) permissive mode is used. Expected results: forbidden access is audited and/or user properly informed from usbguard side that such tunable exists. Additional info: filed against usbguard as I suspect the fault is on it's own sepolicy package.