Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1574985 - SELinux is preventing (geoclue) from using the 'nnp_transition' accesses on a process.
Summary: SELinux is preventing (geoclue) from using the 'nnp_transition' accesses on a...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:3708be733a626350ddc1ad54197...
Depends On:
TreeView+ depends on / blocked
Reported: 2018-05-04 13:05 UTC by Nicolas Mailhot
Modified: 2018-06-02 22:21 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-02 22:21:26 UTC
Type: ---

Attachments (Terms of Use)

Description Nicolas Mailhot 2018-05-04 13:05:42 UTC
Description of problem:
On clean boot
SELinux is preventing (geoclue) from using the 'nnp_transition' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

Si vous pensez que (geoclue) devrait être autorisé à accéder nnp_transition sur les processus étiquetés geoclue_t par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
autoriser cet accès pour le moment en exécutant :
# ausearch -c "(geoclue)" --raw | audit2allow -M my-geoclue
# semodule -X 300 -i my-geoclue.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:geoclue_t:s0
Target Objects                Unknown [ process2 ]
Source                        (geoclue)
Source Path                   (geoclue)
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-16.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.17.0-0.rc3.git3.1.fc29.x86_64 #1
                              SMP Thu May 3 20:42:06 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-05-04 15:04:31 CEST
Last Seen                     2018-05-04 15:04:44 CEST
Local ID                      7a686673-4beb-4022-8227-49ece9834e5a

Raw Audit Messages
type=AVC msg=audit(1525439084.98:245): avc:  denied  { nnp_transition } for  pid=1979 comm="(geoclue)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process2 permissive=1

Hash: (geoclue),init_t,geoclue_t,process2,nnp_transition

Version-Release number of selected component:

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.0-0.rc3.git3.1.fc29.x86_64
type:           libreport

Comment 1 Lukas Slebodnik 2018-05-17 07:07:27 UTC
Description of problem:
It happened after reboot

Version-Release number of selected component:

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.8-300.fc28.x86_64
type:           libreport

Comment 2 Lukas Slebodnik 2018-05-17 07:12:12 UTC
[root@host ~]# ausearch -m avc -ts today -i
type=PROCTITLE msg=audit(05/17/2018 08:16:21.165:259) : proctitle=(geoclue) 
type=PATH msg=audit(05/17/2018 08:16:21.165:259) : item=0 name=/usr/libexec/geoclue inode=11932919 dev=00:29 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:geoclue_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/17/2018 08:16:21.165:259) : cwd=/ 
type=SYSCALL msg=audit(05/17/2018 08:16:21.165:259) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x56001c4ae8c0 a1=0x56001c4928e0 a2=0x56001c352e30 a3=0x56001c47eb00 items=1 ppid=1 pid=2928 auid=unset uid=geoclue gid=geoclue euid=geoclue suid=geoclue fsuid=geoclue egid=geoclue sgid=geoclue fsgid=geoclue tty=(none) ses=unset comm=(geoclue) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/17/2018 08:16:21.165:259) : avc:  denied  { execute_no_trans } for  pid=2928 comm=(geoclue) path=/usr/libexec/geoclue dev="dm-2" ino=11932919 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:geoclue_exec_t:s0 tclass=file permissive=0 
type=SELINUX_ERR msg=audit(05/17/2018 08:16:21.165:259) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:geoclue_t:s0 
type=AVC msg=audit(05/17/2018 08:16:21.165:259) : avc:  denied  { nnp_transition } for  pid=2928 comm=(geoclue) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process2 permissive=0

Comment 3 Lukas Slebodnik 2018-05-17 07:25:07 UTC
I would say it is caused by following change in systemd servide file

[alcik@graviton][/tmp/data]$ diff -u ./usr/lib/systemd/system/geoclue.service /usr/lib/systemd/system/geoclue.service
--- ./usr/lib/systemd/system/geoclue.service    2018-05-17 09:19:59.150076832 +0200
+++ /usr/lib/systemd/system/geoclue.service     2018-05-03 16:55:06.000000000 +0200
@@ -6,3 +6,25 @@
+# Filesystem lockdown
+# Network
+# Execute Mappings
+# Modules
+# Real-time
+# Privilege escalation


It was introduced in geoclue2-2.4.10-1.fc29
Is it bug in selinux-policy or in kernel? SELINUX_ERR is quite unusual

Note You need to log in before you can comment on or make changes to this bug.