Bug 1959747 - the usbmuxd service triggers a couple of SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1964993
Depends On:
Blocks:
Reported: 2021-05-12 09:29 UTC by Milos Malik
Modified: 2021-06-11 01:15 UTC

Fixed In Version: selinux-policy-34.11-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-11 01:15:23 UTC
Type: Bug
Embargoed:


Description Milos Malik 2021-05-12 09:29:32 UTC
Description of problem:
 * the usbmuxd service seems to run successfully, but few SELinux denials appear

Version-Release number of selected component (if applicable):
selinux-policy-3.14.8-7.fc35.noarch
selinux-policy-targeted-3.14.8-7.fc35.noarch
usbmuxd-1.1.1-5.fc35.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. start the usbmuxd service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(05/12/2021 04:12:22.764:564) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=PATH msg=audit(05/12/2021 04:12:22.764:564) : item=0 name=/proc/1/environ nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 04:12:22.764:564) : cwd=/ 
type=SYSCALL msg=audit(05/12/2021 04:12:22.764:564) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffcb96400c0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2983 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2021 04:12:22.764:564) : avc:  denied  { search } for  pid=2983 comm=usbmuxd name=1 dev="proc" ino=13279 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(05/12/2021 04:12:22.766:565) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=PATH msg=audit(05/12/2021 04:12:22.766:565) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 04:12:22.766:565) : cwd=/ 
type=SYSCALL msg=audit(05/12/2021 04:12:22.766:565) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7f71491bf515 a1=0x7ffcb9640180 a2=0x7f714a5d4220 a3=0xffffffff items=1 ppid=1 pid=2983 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2021 04:12:22.766:565) : avc:  denied  { getattr } for  pid=2983 comm=usbmuxd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
----

Expected results:
 * no SELinux denials

Additional info:
 * the second SELinux denial is already mentioned in BZ#1936705 as fixed, but it still appears

Comment 1 Milos Malik 2021-05-12 09:31:50 UTC
SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(05/12/2021 05:30:08.988:573) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=PATH msg=audit(05/12/2021 05:30:08.988:573) : item=0 name=/proc/1/environ inode=13425 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 05:30:08.988:573) : cwd=/ 
type=SYSCALL msg=audit(05/12/2021 05:30:08.988:573) : arch=x86_64 syscall=openat success=yes exit=8 a0=0xffffff9c a1=0x7fff33daac20 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=3325 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2021 05:30:08.988:573) : avc:  denied  { open } for  pid=3325 comm=usbmuxd path=/proc/1/environ dev="proc" ino=13425 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/12/2021 05:30:08.988:573) : avc:  denied  { read } for  pid=3325 comm=usbmuxd name=environ dev="proc" ino=13425 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/12/2021 05:30:08.988:573) : avc:  denied  { search } for  pid=3325 comm=usbmuxd name=1 dev="proc" ino=13279 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(05/12/2021 05:30:08.990:574) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=PATH msg=audit(05/12/2021 05:30:08.990:574) : item=0 name= inode=13425 dev=00:16 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 05:30:08.990:574) : cwd=/ 
type=SYSCALL msg=audit(05/12/2021 05:30:08.990:574) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x8 a1=0x7f677b1bd95a a2=0x7fff33daaa20 a3=0x1000 items=1 ppid=1 pid=3325 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2021 05:30:08.990:574) : avc:  denied  { getattr } for  pid=3325 comm=usbmuxd path=/proc/1/environ dev="proc" ino=13425 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/12/2021 05:30:08.992:575) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=SYSCALL msg=audit(05/12/2021 05:30:08.992:575) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x8 a1=TCGETS a2=0x7fff33daaaf0 a3=0x1000 items=0 ppid=1 pid=3325 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2021 05:30:08.992:575) : avc:  denied  { ioctl } for  pid=3325 comm=usbmuxd path=/proc/1/environ dev="proc" ino=13425 ioctlcmd=TCGETS scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/12/2021 05:30:08.993:576) : proctitle=/usr/sbin/usbmuxd --user usbmuxd --systemd 
type=PATH msg=audit(05/12/2021 05:30:08.993:576) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 05:30:08.993:576) : cwd=/ 
type=SYSCALL msg=audit(05/12/2021 05:30:08.993:576) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f6779602515 a1=0x7fff33daace0 a2=0x7f677aa17220 a3=0xffffffff items=1 ppid=1 pid=3325 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbmuxd exe=/usr/sbin/usbmuxd subj=system_u:system_r:usbmuxd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2021 05:30:08.993:576) : avc:  denied  { getattr } for  pid=3325 comm=usbmuxd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
----
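
Added example (not part of the bug report or of the selinux-policy project): a small Python parser that reduces the AVC records above to unique access vectors and lists the permissions that only surface in permissive mode, since in enforcing mode the failed `search` on `/proc/1` ends the code path before the `environ` file is touched. The function names are assumptions of this example; the log lines are copied from the report with timestamps and pid/ino fields trimmed.

```python
import re
from collections import defaultdict

# AVC records copied from the report (timestamps and pid/ino fields trimmed).
ENFORCING = """\
avc:  denied  { search } for  comm=usbmuxd name=1 dev="proc" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
avc:  denied  { getattr } for  comm=usbmuxd name=/ dev="cgroup2" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
"""
PERMISSIVE = """\
avc:  denied  { open } for  comm=usbmuxd path=/proc/1/environ dev="proc" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
avc:  denied  { read } for  comm=usbmuxd name=environ dev="proc" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
avc:  denied  { search } for  comm=usbmuxd name=1 dev="proc" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
avc:  denied  { getattr } for  comm=usbmuxd path=/proc/1/environ dev="proc" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
avc:  denied  { ioctl } for  comm=usbmuxd path=/proc/1/environ dev="proc" ioctlcmd=TCGETS scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
avc:  denied  { getattr } for  comm=usbmuxd name=/ dev="cgroup2" scontext=system_u:system_r:usbmuxd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
"""

# "." does not match newlines, so each match stays within one audit record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\S+)"
)

def summarize(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    vectors = defaultdict(set)
    for m in AVC_RE.finditer(log):
        # A context is user:role:type:level; the type is the third field.
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        vectors[key].update(m["perms"].split())
    return dict(vectors)

def hidden_by_enforcing(enforcing, permissive):
    """Permissions logged only in permissive mode, per access vector."""
    seen = summarize(enforcing)
    extra = {k: p - seen.get(k, set()) for k, p in summarize(permissive).items()}
    return {k: sorted(p) for k, p in extra.items() if p}

def access_vectors(vectors):
    """Render vectors in policy notation for review; no rule keyword is implied."""
    return sorted(f"{s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in vectors.items())

if __name__ == "__main__":
    print("\n".join(access_vectors(summarize(PERMISSIVE))))
    print("only visible in permissive mode:", hidden_by_enforcing(ENFORCING, PERMISSIVE))
```
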

Comment 3 Zdenek Pytela 2021-05-12 09:57:44 UTC
(In reply to Milos Malik from comment #0)
> Description of problem:
>  * the usbmuxd service seems to run successfully, but few SELinux denials
> appear
> 
> Version-Release number of selected component (if applicable):
> selinux-policy-3.14.8-7.fc35.noarch
> selinux-policy-targeted-3.14.8-7.fc35.noarch
Please update to selinux-policy-34.3-1 or newer.

The other denials were dontaudited in bz#1932689, but for daemon only, which usbmuxd_t seems not to be.

Comment 4 Zdenek Pytela 2021-06-04 19:30:15 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/770

Comment 5 Zdenek Pytela 2021-06-04 19:31:20 UTC
*** Bug 1964993 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2021-06-09 16:19:03 UTC
FEDORA-2021-d8e34dbd6e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-d8e34dbd6e

Comment 7 Fedora Update System 2021-06-10 01:20:23 UTC
FEDORA-2021-d8e34dbd6e has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-d8e34dbd6e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-d8e34dbd6e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-06-11 01:15:23 UTC
FEDORA-2021-d8e34dbd6e has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

