Bug 1575212 - nnp_transition and execute_no_trans denials for geoclue2 2.4.10 prevent it working (F27)
Summary: nnp_transition and execute_no_trans denials for geoclue2 2.4.10 prevent it wo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-05 06:21 UTC by Adam Williamson
Modified: 2018-08-08 15:34 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-08 15:34:13 UTC
Type: Bug


Attachments (Terms of Use)

Description Adam Williamson 2018-05-05 06:21:08 UTC
An update for geoclue2 from 2.4.7 to 2.4.10 landed in F27 updates-testing recently:

https://bodhi.fedoraproject.org/updates/FEDORA-2018-68f9572fe5

however, the service fails to start with this version of the package, apparently due to a couple of SELinux denials:

May 03 11:43:31 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1048]: AVC avc:  denied  { nnp_transition } for  pid=1048 comm="(geoclue)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process2 permissive=0
May 03 11:43:31 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1048]: AVC avc:  denied  { execute_no_trans } for  pid=1048 comm="(geoclue)" path="/usr/libexec/geoclue" dev="dm-0" ino=151254 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:geoclue_exec_t:s0 tclass=file permissive=0

with the previous version of the package, the service started fine.

Comment 1 Bastien Nocera 2018-05-07 13:36:14 UTC
Are we going to have to modify the policy for every daemon we lockdown using systemd? We've already had to do this for fprintd, and the process is seriously tedious.

Comment 2 Daniel Walsh 2018-05-07 14:19:30 UTC
We should probably add this for a init daemons.

Comment 3 Bastien Nocera 2018-05-07 15:16:44 UTC
Please add the fixed packages to the FEDORA-2018-68f9572fe5 update once it's fixed, so that the geoclue update can be pushed.

Comment 4 Adam Williamson 2018-05-07 23:46:54 UTC
This is also affecting Rawhide, so it'd be good to have it fixed in Rawhide selinux-policy ASAP.

Comment 5 Lukas Vrabec 2018-05-16 00:20:56 UTC
Hi, 

I'm traveling, I have all fixes on github repo, I'll try to do builds ASAP.

Comment 6 Bastien Nocera 2018-05-22 09:44:27 UTC
The bug has been filed 2 weeks ago. Can we please get some movement on this?

Comment 7 Lukas Vrabec 2018-05-22 09:55:55 UTC
Hi, 

Could you please try the latest build of selinux-policy? 

Thanks,
Lukas.

Comment 8 Bastien Nocera 2018-05-29 17:34:35 UTC
Are we not going to fix this probably instead of having to add a patch for each one of the daemons we end up sandboxing?

https://github.com/fedora-selinux/selinux-policy-contrib/commit/d4eec964a759758e6de017b3dd4eaf16a38f6e70

Why aren't daemons already allowed to use NoNewPrivs when the point of it is to disallow requesting more privs?

Comment 9 Bastien Nocera 2018-05-29 17:41:09 UTC
(In reply to Bastien Nocera from comment #3)
> Please add the fixed packages to the FEDORA-2018-68f9572fe5 update once it's
> fixed, so that the geoclue update can be pushed.

And this wasn't done either, and instead released as separate updates. At least a heads-up would have been nice.

Comment 10 Fedora Update System 2018-07-27 09:23:11 UTC
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 11 Fedora Update System 2018-07-27 15:39:19 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 12 Fedora Update System 2018-08-08 15:34:13 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.