Bug 1808527 - SELinux prevents usbguard from logging via Linux audit subsystem
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: usbguard
Version: 32
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-02-28 18:07 UTC by Milos Malik
Modified: 2020-07-03 01:37 UTC (History)

Fixed In Version: usbguard-0.7.8-1.fc32 usbguard-0.7.8-1.fc31
Last Closed: 2020-07-03 01:18:25 UTC
Type: Bug

Description Milos Malik 2020-02-28 18:07:55 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-28.fc32.noarch
selinux-policy-targeted-3.14.5-28.fc32.noarch
usbguard-0.7.6-8.fc32.x86_64
usbguard-selinux-0.7.6-8.fc32.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 32 machine (targeted policy is active)
2. set 'AuditBackend=LinuxAudit' in /etc/usbguard/usbguard-daemon.conf
3. restart the usbguard service
4. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(02/28/2020 13:04:25.622:475) : proctitle=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf 
type=SYSCALL msg=audit(02/28/2020 13:04:25.622:475) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x20 items=0 ppid=1 pid=2181 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbguard-daemon exe=/usr/sbin/usbguard-daemon subj=system_u:system_r:usbguard_t:s0 key=(null) 
type=AVC msg=audit(02/28/2020 13:04:25.622:475) : avc:  denied  { create } for  pid=2181 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2020-02-28 18:09:43 UTC
----
type=PROCTITLE msg=audit(02/28/2020 13:08:18.364:499) : proctitle=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf 
type=SYSCALL msg=audit(02/28/2020 13:08:18.364:499) : arch=x86_64 syscall=socket success=yes exit=9 a0=netlink a1=SOCK_RAW a2=igp a3=0x20 items=0 ppid=1 pid=2217 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbguard-daemon exe=/usr/sbin/usbguard-daemon subj=system_u:system_r:usbguard_t:s0 key=(null) 
type=AVC msg=audit(02/28/2020 13:08:18.364:499) : avc:  denied  { create } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1 
----
type=PROCTITLE msg=audit(02/28/2020 13:08:18.366:500) : proctitle=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf 
type=SOCKADDR msg=audit(02/28/2020 13:08:18.366:500) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(02/28/2020 13:08:18.366:500) : arch=x86_64 syscall=sendto success=yes exit=652 a0=0x9 a1=0x7fff6cca1a80 a2=0x28c a3=0x0 items=0 ppid=1 pid=2217 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbguard-daemon exe=/usr/sbin/usbguard-daemon subj=system_u:system_r:usbguard_t:s0 key=(null) 
type=AVC msg=audit(02/28/2020 13:08:18.366:500) : avc:  denied  { nlmsg_relay } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1 
----
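
Comment 1 repeats the reproducer in permissive mode, which exposes a second denial (nlmsg_relay) that enforcing mode never reaches because socket() already fails with EACCES. The following added example (not part of the bug report or of the usbguard project) parses the AVC records quoted above and renders an audit2allow-style candidate rule; the function names are hypothetical, and the rendered rule is a review aid, not the change that shipped in usbguard-0.7.8.

```python
import re
from collections import defaultdict

# AVC lines copied from the report above (ausearch -i output); the
# PROCTITLE/SYSCALL/SOCKADDR records are left out for brevity.
SAMPLE = """\
type=AVC msg=audit(02/28/2020 13:04:25.622:475) : avc:  denied  { create } for  pid=2181 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=0
type=AVC msg=audit(02/28/2020 13:08:18.364:499) : avc:  denied  { create } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(02/28/2020 13:08:18.366:500) : avc:  denied  { nlmsg_relay } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+"
    r"tclass=(?P<cls>\S+)(?:\s+permissive=(?P<mode>[01]))?"
)

def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Return {(source_type, target_type, class): {perm: {modes seen}}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        mode = "permissive" if m["mode"] == "1" else "enforcing"
        for perm in m["perms"].split():
            denials[key][perm].add(mode)
    return denials

def candidate_rules(denials):
    """Render audit2allow-style allow rules for human review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def hidden_in_enforcing(denials):
    """Permissions seen only in permissive mode, masked by an earlier failure."""
    return sorted(p for perms in denials.values()
                  for p, modes in perms.items() if modes == {"permissive"})

if __name__ == "__main__":
    found = parse_denials(SAMPLE)
    print("\n".join(candidate_rules(found)))
    print("only visible in permissive mode:", hidden_in_enforcing(found))
```

A rule built from the enforcing-mode denial alone would cover only `create`; the permissive run is what shows the complete permission set the daemon needs on this socket class.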

Comment 2 Fedora Update System 2020-06-24 17:46:11 UTC
FEDORA-2020-f502be60a4 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-f502be60a4

Comment 3 Fedora Update System 2020-06-24 17:46:30 UTC
FEDORA-2020-c30d6afc1c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-c30d6afc1c

Comment 4 Fedora Update System 2020-06-25 00:58:35 UTC
FEDORA-2020-c30d6afc1c has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-c30d6afc1c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-c30d6afc1c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-06-25 01:04:02 UTC
FEDORA-2020-f502be60a4 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-f502be60a4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-f502be60a4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-07-03 01:18:25 UTC
FEDORA-2020-f502be60a4 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 7 Fedora Update System 2020-07-03 01:37:37 UTC
FEDORA-2020-c30d6afc1c has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

