Bug 1930992 - SELinux is preventing usbmuxd from 'getattr' accesses on the filesystem /sys.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:ab0e8f9e63ea052c844c5df4221...
Reported: 2021-02-20 02:27 UTC by redhatbugzilla
Modified: 2021-05-12 09:54 UTC

Fixed In Version: selinux-policy-3.14.6-35.fc33
Last Closed: 2021-03-04 20:10:22 UTC

Description redhatbugzilla 2021-02-20 02:27:15 UTC
Description of problem:
SELinux is preventing usbmuxd from 'getattr' accesses on the filesystem /sys.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that usbmuxd should be allowed getattr access on the sys filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'usbmuxd' --raw | audit2allow -M my-usbmuxd
# semodule -X 300 -i my-usbmuxd.pp

Additional Information:
Source Context                system_u:system_r:usbmuxd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ filesystem ]
Source                        usbmuxd
Source Path                   usbmuxd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.14-3.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.10.15-200.fc33.x86_64 #1 SMP Wed
                              Feb 10 17:46:55 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-02-19 18:11:20 CST
Last Seen                     2021-02-19 18:11:20 CST
Local ID                      832eac22-c7fd-4255-967d-f762957aa46c

Raw Audit Messages
type=AVC msg=audit(1613779880.30:139): avc:  denied  { getattr } for  pid=940 comm="usbmuxd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0


Hash: usbmuxd,usbmuxd_t,sysfs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-34.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.15-200.fc33.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2021-02-20 18:33:15 UTC
It is currently being worked on:
https://github.com/fedora-selinux/selinux-policy/pull/605

Comment 2 Milos Malik 2021-02-24 20:33:20 UTC
Found on my Fedora 33 machine:
----
type=PROCTITLE msg=audit(02/24/2021 21:31:31.624:1621) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=PATH msg=audit(02/24/2021 21:31:31.624:1621) : item=0 name=/sys inode=1 dev=00:16 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/24/2021 21:31:31.624:1621) : cwd=/ 
type=SYSCALL msg=audit(02/24/2021 21:31:31.624:1621) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7f072e113777 a1=0x7ffe6d38eaf0 a2=0x7f072e116fa8 a3=0x1000 items=1 ppid=1 pid=56563 auid=unset uid=usbmuxd gid=usbmuxd euid=usbmuxd suid=usbmuxd fsuid=usbmuxd egid=usbmuxd sgid=usbmuxd fsgid=usbmuxd tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(02/24/2021 21:31:31.624:1621) : avc:  denied  { getattr } for  pid=56563 comm=usbmuxd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0 
----

Comment 3 Milos Malik 2021-02-24 20:34:44 UTC
The only SELinux denial that appeared in permissive mode:
----
type=PROCTITLE msg=audit(02/24/2021 21:33:40.667:1647) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=PATH msg=audit(02/24/2021 21:33:40.667:1647) : item=0 name=/sys inode=1 dev=00:16 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/24/2021 21:33:40.667:1647) : cwd=/ 
type=SYSCALL msg=audit(02/24/2021 21:33:40.667:1647) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f3e48821777 a1=0x7ffe01bb87f0 a2=0x7f3e48824fa8 a3=0x1000 items=1 ppid=1 pid=56645 auid=unset uid=usbmuxd gid=usbmuxd euid=usbmuxd suid=usbmuxd fsuid=usbmuxd egid=usbmuxd sgid=usbmuxd fsgid=usbmuxd tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(02/24/2021 21:33:40.667:1647) : avc:  denied  { getattr } for  pid=56645 comm=usbmuxd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1 
----

Comment 4 Fedora Update System 2021-03-03 16:56:06 UTC
FEDORA-2021-e9050fdd5c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c

Comment 5 Fedora Update System 2021-03-03 23:53:08 UTC
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e9050fdd5c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-03-04 20:10:22 UTC
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make a note of it in this bug report.
