Description of problem:
gpsd can't access a remote gpsd via TCP.

SELinux is preventing gpsd from 'name_connect' accesses on the tcp_socket port 8000.

***** Plugin catchall (100. confidence) suggests **************************

If you think that gpsd should be allowed name_connect access on port 8000 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep gpsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gpsd_t:s0
Target Context                system_u:object_r:soundd_port_t:s0
Target Objects                port 8000 [ tcp_socket ]
Source                        gpsd
Source Path                   gpsd
Port                          8000
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-200.fc22.x86_64 #1 SMP Mon Sep 14 20:19:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-01 14:10:56 CEST
Last Seen                     2015-10-01 14:10:56 CEST
Local ID                      2de9dd85-ff4b-4134-9199-343dc23e4fa9

Raw Audit Messages
type=AVC msg=audit(1443701456.985:274): avc: denied { name_connect } for pid=4858 comm="gpsd" dest=8000 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket permissive=0

Hash: gpsd,gpsd_t,soundd_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport
did it happen by default or did you setup tcp/8000 port?
No, only when using the function by which gpsd receives the data remotely. See the man page:

TCP feed
A URI with the prefix "tcp://", followed by a hostname, a colon, and a port number. The daemon will open a socket to the indicated address and port and read data packets from it, which will be interpreted as though they had been issued by a serial device. Example: tcp://data.aishub.net:4006.

I think it will also happen with UDP and all other remote services.
Ok. You can allow it for now using:
# grep gpsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
This will result in an inflexible rule:

module testpol 1.0;

require {
        type soundd_port_t;
        type unreserved_port_t;
        type gpsd_t;
        class tcp_socket name_connect;
}

#============= gpsd_t ==============
allow gpsd_t soundd_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow gpsd_t unreserved_port_t:tcp_socket name_connect;

Because when the port is a different one, it will all happen again. I think we need something like for sshd:
semanage port -a -t ssh_port_t -p tcp XXX
where ports can be easily added.
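Added example (not part of this bug report or of the selinux-policy project): a small parser that reads raw AVC lines like the one above and shows, side by side, the blanket rule audit2allow would emit for each unique denial and the port-labelling command the comment above proposes as the flexible alternative. The sample audit lines are constructed here (the first one is the report's own denial, the second assumes a feed on port 4006 hitting unreserved_port_t), and `gpsd_feed_port_t` is a hypothetical port type: no shipped policy defines it, so the `semanage port` command only works once the policy both declares that type and grants gpsd_t name_connect on it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample audit lines. Line 0 is the denial from this report;
# line 1 assumes a TCP feed on port 4006 (an unreserved port); line 2 is a
# non-AVC record that must be ignored; line 3 repeats line 0 to show de-duplication.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1443701456.985:274): avc:  denied  { name_connect } for  pid=4858 comm="gpsd" dest=8000 '
    'scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1443701500.123:280): avc:  denied  { name_connect } for  pid=4858 comm="gpsd" dest=4006 '
    'scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1443701456.985:274): arch=c000003e syscall=42 success=no exit=-13 comm="gpsd"',
    'type=AVC msg=audit(1443701600.001:290): avc:  denied  { name_connect } for  pid=4858 comm="gpsd" dest=8000 '
    'scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket permissive=0',
]

# "avc: denied { perm1 perm2 } for key=value ..." ; the kernel pads with double spaces.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm="gpsd").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]
    comm: str
    dest: Optional[int]      # destination port, present for *_socket name_connect denials
    source_type: str         # type component of scontext, e.g. gpsd_t
    target_type: str         # type component of tcontext, e.g. soundd_port_t
    tclass: str
    permissive: bool


def _type_of(context: str) -> str:
    # user:role:type:level -> type
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the structured denial for an AVC line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcDenial(
        perms=perms,
        comm=fields.get('comm', ''),
        dest=int(fields['dest']) if 'dest' in fields else None,
        source_type=_type_of(fields['scontext']),
        target_type=_type_of(fields['tcontext']),
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
    )


def unique_denials(lines: List[str]) -> List[AvcDenial]:
    """Collapse repeated denials of the same (source, target, class, perms), keeping first-seen order."""
    seen = set()
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d.source_type, d.target_type, d.tclass, d.perms)
        if key not in seen:
            seen.add(key)
            out.append(d)
    return out


def audit2allow_rule(d: AvcDenial) -> str:
    """The blanket allow rule audit2allow would generate: it grants access to every port carrying target_type."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.source_type} {d.target_type}:{d.tclass} {perms};'


def port_relabel_command(d: AvcDenial, port_type: str) -> Optional[str]:
    """The flexible alternative: label just this port with a dedicated port type (hypothetical here).

    Only meaningful for a port-labelled socket denial with a known destination port; the policy must
    already define port_type and allow d.source_type name_connect on it, otherwise the label changes nothing.
    """
    if d.dest is None or not d.target_type.endswith('_port_t'):
        return None
    if d.tclass not in ('tcp_socket', 'udp_socket'):
        return None
    proto = 'tcp' if d.tclass == 'tcp_socket' else 'udp'
    return f'semanage port -a -t {port_type} -p {proto} {d.dest}'


if __name__ == '__main__':
    for d in unique_denials(SAMPLE_AUDIT_LINES):
        print(f'{d.comm} ({d.source_type}) -> port {d.dest} [{d.target_type}]')
        print('  audit2allow would emit: ', audit2allow_rule(d))
        print('  per-port alternative:   ', port_relabel_command(d, 'gpsd_feed_port_t'))
```

Running it on the constructed lines prints two unique denials (the repeat is collapsed and the SYSCALL record skipped); for each, the `allow ... soundd_port_t` line is what the attached `testpol` module contains, while the `semanage port` line is what the sshd-style approach would look like once a dedicated type exists.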
It looks like we will need to have a boolean for "TCP feed"?
Sounds reasonable to me.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.