Bug 1627880 - SELinux is preventing geoclue from 'getattr' accesses on the filesystem /.
Summary: SELinux is preventing geoclue from 'getattr' accesses on the filesystem /.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f90a7627294c565a5b35be33201...
Depends On:
Blocks:
Reported: 2018-09-11 18:44 UTC by Adam Williamson
Modified: 2018-10-05 16:01 UTC (History)

Fixed In Version: selinux-policy-3.14.2-35.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-05 16:01:25 UTC
Type: ---
Embargoed:



Description Adam Williamson 2018-09-11 18:44:58 UTC
Description of problem:
This just happens during regular use of my F29 system (which is enrolled as a FreeIPA client, in case it's relevant). There is actually a string of denials:

----
time->Mon Sep 10 15:07:43 2018
type=AVC msg=audit(1536617263.999:2534): avc:  denied  { getattr } for  pid=24141 comm="geoclue" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2535): avc:  denied  { map } for  pid=24141 comm="geoclue" path=2F746D702F666669724373663455202864656C6574656429 dev="tmpfs" ino=339358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2536): avc:  denied  { map } for  pid=24141 comm="geoclue" path=2F7661722F746D702F666669446561426C45202864656C6574656429 dev="dm-2" ino=12363 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2537): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2538): avc:  denied  { map } for  pid=24141 comm="geoclue" path=2F7661722F6C69622F67656F636C75652F666669344A486C5536202864656C6574656429 dev="dm-2" ino=12363 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2539): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2540): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2541): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2542): avc:  denied  { map } for  pid=24141 comm="geoclue" path=2F746D702F666669704E76506251202864656C6574656429 dev="tmpfs" ino=339359 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2543): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2544): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2545): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.000:2546): avc:  denied  { map } for  pid=24141 comm="geoclue" path=2F72756E2F73797374656D642F756E69742D726F6F742F746D702F6666696C4A756E747A202864656C6574656429 dev="tmpfs" ino=339360 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2547): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2548): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2549): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2550): avc:  denied  { map } for  pid=24141 comm="geoclue" path=2F746D702F666669584C6E5A4B69202864656C6574656429 dev="tmpfs" ino=339361 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2551): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="tmpfs" ino=18441 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2552): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="mqueue" ino=15358 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2553): avc:  denied  { write } for  pid=24141 comm="geoclue" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.001:2554): avc:  denied  { map } for  pid=24141 comm="geoclue" path=2F72756E2F73797374656D642F756E69742D726F6F742F746D702F666669693679453231202864656C6574656429 dev="tmpfs" ino=339362 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:geoclue_tmp_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2555): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/README" dev="dm-2" ino=793032 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2557): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/ipa-happyassassin.crt" dev="dm-2" ino=786635 scontext=system_u:system_r:geoclue_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2558): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem" dev="dm-2" ino=787655 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2559): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/newca.crt" dev="dm-2" ino=793277 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2560): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/oracle_ebs.crt" dev="dm-2" ino=794181 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2561): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/usr/share/pki/ca-trust-source/README" dev="dm-2" ino=789723 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.002:2562): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit" dev="dm-2" ino=786721 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2563): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/ipa-happyassassin.crt" dev="dm-2" ino=786635 scontext=system_u:system_r:geoclue_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2564): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem" dev="dm-2" ino=787655 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2565): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/newca.crt" dev="dm-2" ino=793277 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
----
time->Mon Sep 10 15:07:44 2018
type=AVC msg=audit(1536617264.003:2566): avc:  denied  { map } for  pid=24141 comm="geoclue" path="/etc/pki/ca-trust/source/anchors/oracle_ebs.crt" dev="dm-2" ino=794181 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

and a couple of geoclue errors logged in the journal:

Sep 10 15:07:44 adam.happyassassin.net geoclue[24141]: ffi_closure_alloc failed
Sep 10 15:07:44 adam.happyassassin.net geoclue[24141]: p11-kit: shouldn't be reached at init_wrapper_funcs
Sep 10 15:07:44 adam.happyassassin.net geoclue[24141]: Failed to query location: Unacceptable TLS certificate
SELinux is preventing geoclue from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that geoclue should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'geoclue' --raw | audit2allow -M my-geoclue
# semodule -X 300 -i my-geoclue.pp

Additional Information:
Source Context                system_u:system_r:geoclue_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        geoclue
Source Path                   geoclue
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.9-2.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-32.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.5-300.fc29.x86_64 #1 SMP Fri
                              Aug 24 17:16:35 UTC 2018 x86_64 x86_64
Alert Count                   7
First Seen                    2018-09-01 09:04:45 PDT
Last Seen                     2018-09-10 15:07:43 PDT
Local ID                      68c4adf0-165e-4bcb-bbfb-cecb2aaf20a0

Raw Audit Messages
type=AVC msg=audit(1536617263.999:2534): avc:  denied  { getattr } for  pid=24141 comm="geoclue" name="/" dev="dm-2" ino=2 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0


Hash: geoclue,geoclue_t,fs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-3.14.2-32.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.5-300.fc29.x86_64
type:           libreport

Comment 1 Fedora Update System 2018-09-20 10:39:35 UTC
selinux-policy-3.14.2-35.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543

Comment 2 Fedora Update System 2018-09-20 16:19:17 UTC
selinux-policy-3.14.2-35.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4ddac7543

Comment 3 Fedora Update System 2018-10-05 16:01:25 UTC
selinux-policy-3.14.2-35.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

