Bug 647610

Summary: SELinux empêche l'accès en « unix_read unix_write » à /usr/sbin/gpsd
Product: [Fedora] Fedora Reporter: Michael Scherer <misc>
Component: udevAssignee: udev-maint
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 14CC: dwalsh, harald, jonathan, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:81d9d3e8a931cffc0d4e7fe63ddffb890ca3ac8a596a46f60085b8d050e832e9
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-16 12:53:37 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Michael Scherer 2010-10-28 17:55:00 EDT

SELinux empêche l'accès en « unix_read unix_write » à /usr/sbin/gpsd

Description détaillée:

SELinux a refusé l'accès demandé par gpsd. Il n'est pas prévu que cet accès soit
requis par gpsd et cet accès peut signaler une tentative d'intrusion. Il est
également possible que cette version ou cette configuration spécifique de
l'application provoque cette demande d'accès supplémenta

Autoriser l'accès:

Vous pouvez créer un module de stratégie locale pour autoriser cet accès - lisez
la FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Merci de
remplir un rapport de bogue.

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023
Contexte cible                system_u:system_r:udev_t:s0-s0:c0.c1023
Objets du contexte            None [ shm ]
source                        gpsd
Chemin de la source           /usr/sbin/gpsd
Port                          <Inconnu>
Hôte                          (supprimé)
Paquetages RPM source         gpsd-2.95-2.fc14
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.9.7-3.fc14
Selinux activé                True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                 (supprimé)
Plateforme                    Linux (supprimé)
                              #1 SMP Wed Oct 13 21:29:27 UTC 2010 i686 i686
Compteur d'alertes            16
Première alerte               jeu. 28 oct. 2010 21:20:55 CEST
Dernière alerte               jeu. 28 oct. 2010 21:23:55 CEST
ID local                      310bcbaa-4db2-4aa9-8eb9-7ea2b7316659
Numéros des lignes            

Messages d'audit bruts        

node=(supprimé) type=AVC msg=audit(1288293835.454:1692): avc:  denied  { unix_read unix_write } for  pid=4121 comm="gpsd" key=1314148403  scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=shm

node=(supprimé) type=SYSCALL msg=audit(1288293835.454:1692): arch=40000003 syscall=117 success=no exit=-13 a0=17 a1=4e545033 a2=50 a3=3b6 items=0 ppid=1 pid=4121 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=171 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,gpsd,gpsd_t,udev_t,shm,unix_read,unix_write
audit2allow suggests:

#============= gpsd_t ==============
allow gpsd_t udev_t:shm { unix_read unix_write };
Comment 1 Michael Scherer 2010-10-28 19:23:57 EDT
This happen just by running gpsd as root. The unix_read and write is needed as gpsd can be controled by a socket in /var/
Comment 2 Daniel Walsh 2010-10-29 08:26:06 EDT
This show gpsd trying to communicate with an application running as udev_t?

ps -eZ | grep udev_t
Comment 3 Michael Scherer 2010-10-29 09:44:16 EDT
~ $ ps -eZ | grep udev_t 
system_u:system_r:udev_t:s0-s0:c0.c1023 516 ?  00:00:04 udevd
system_u:system_r:udev_t:s0-s0:c0.c1023 823 ?  00:00:00 udevd
system_u:system_r:udev_t:s0-s0:c0.c1023 824 ?  00:00:00 udevd
~ $ ps -eZ | grep gps    
unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 4121 ? 00:00:02 gpsd

It may communicate with udevd, since it will read the gps device in /dev/, but I am not sure about the exact interaction. 

The bug likely requires a real GPS to be plugged, unfortunatly, and I do not have it now, but if you give me some test to do, I will give any needed information.
Comment 4 Daniel Walsh 2010-10-29 09:52:05 EDT
Harald, do you have any ideas?  I guess we can allow this.
Comment 5 Harald Hoyer 2010-10-29 10:02:43 EDT
(In reply to comment #4)
> Harald, do you have any ideas?  I guess we can allow this.

No, I have no ideas. What is the problem? Is it denied to use /dev/shm?
Comment 6 Daniel Walsh 2010-10-29 10:07:58 EDT
No it looks like gpsd is trying to communicate though shared memory owned by udev.   gpsd communicates with GPS devices using shared memory, ordinarily.
Comment 7 Daniel Walsh 2010-10-29 10:08:43 EDT
 sesearch -A -s gpsd_t -c shm
Found 3 semantic av rules:
   allow gpsd_t gpsd_t : shm { create destroy getattr setattr read write associate unix_read unix_write lock } ; 
   allow gpsd_t ntpd_t : shm { getattr read write associate unix_read unix_write lock } ; 
   allow gpsd_t chronyd_t : shm { getattr read write associate unix_read unix_write lock } ;
Comment 8 Fedora Admin XMLRPC Client 2011-10-20 12:09:59 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Fedora Admin XMLRPC Client 2011-10-20 12:11:53 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 10 Fedora Admin XMLRPC Client 2011-10-20 12:14:39 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 11 Fedora End Of Life 2012-08-16 12:53:40 EDT
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: