Hide Forgot
An update for geoclue2 from 2.4.7 to 2.4.10 landed in F27 updates-testing recently: https://bodhi.fedoraproject.org/updates/FEDORA-2018-68f9572fe5 however, the service fails to start with this version of the package, apparently due to a couple of SELinux denials: May 03 11:43:31 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1048]: AVC avc: denied { nnp_transition } for pid=1048 comm="(geoclue)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=process2 permissive=0 May 03 11:43:31 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1048]: AVC avc: denied { execute_no_trans } for pid=1048 comm="(geoclue)" path="/usr/libexec/geoclue" dev="dm-0" ino=151254 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:geoclue_exec_t:s0 tclass=file permissive=0 with the previous version of the package, the service started fine.
Are we going to have to modify the policy for every daemon we lockdown using systemd? We've already had to do this for fprintd, and the process is seriously tedious.
We should probably add this for a init daemons.
Please add the fixed packages to the FEDORA-2018-68f9572fe5 update once it's fixed, so that the geoclue update can be pushed.
This is also affecting Rawhide, so it'd be good to have it fixed in Rawhide selinux-policy ASAP.
Hi, I'm traveling, I have all fixes on github repo, I'll try to do builds ASAP.
The bug has been filed 2 weeks ago. Can we please get some movement on this?
Hi, Could you please try the latest build of selinux-policy? Thanks, Lukas.
Are we not going to fix this probably instead of having to add a patch for each one of the daemons we end up sandboxing? https://github.com/fedora-selinux/selinux-policy-contrib/commit/d4eec964a759758e6de017b3dd4eaf16a38f6e70 Why aren't daemons already allowed to use NoNewPrivs when the point of it is to disallow requesting more privs?
(In reply to Bastien Nocera from comment #3) > Please add the fixed packages to the FEDORA-2018-68f9572fe5 update once it's > fixed, so that the geoclue update can be pushed. And this wasn't done either, and instead released as separate updates. At least a heads-up would have been nice.
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.