Description of problem:
It happened after "gpsdctl add" run.
SELinux is preventing gpsd from 'create' accesses on the sock_file gpsd.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gpsd should be allowed create access on the gpsd.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'gpsd' --raw | audit2allow -M my-gpsd
# semodule -X 300 -i my-gpsd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                gpsd.sock [ sock_file ]
Source                        gpsd
Source Path                   gpsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.0.12-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 8 16:58:47 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-12-15 22:18:31 CST
Last Seen                     2022-12-15 22:18:31 CST
Local ID                      a9450e8e-666c-4284-826b-0ddebb0796af

Raw Audit Messages
type=AVC msg=audit(1671113911.989:582): avc: denied { create } for pid=8305 comm="gpsd" name="gpsd.sock" scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file permissive=1

Hash: gpsd,gpsd_t,tmp_t,sock_file,create

Version-Release number of selected component:
selinux-policy-targeted-37.15-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.0.12-300.fc37.x86_64
type:           libreport

Hi,

Do you know when this issue started to appear?
There are currently no rules for private tmp files for gpsd, so maybe some new feature.
Will you be able to upload avc denials with full auditing enabled?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

(In reply to Zdenek Pytela from comment #1)
> Hi,
>
> Do you know when this issue started to appear?
> There are currently no rules for private tmp files for gpsd, so maybe some
> new feature.
> Will you be able to upload avc denials with full auditing enabled?
>
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
> # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

I got that from ausearch:
----
type=AVC msg=audit(12/17/2022 01:25:56.902:512) : avc: denied { create } for pid=16694 comm=gpsd name=gpsd.sock scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=AVC msg=audit(12/17/2022 01:27:14.935:516) : avc: denied { create } for pid=16757 comm=gpsd name=gpsd.sock scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(12/17/2022 01:28:26.437:539) : proctitle=gpsd -F /tmp/gpsd.sock
type=PATH msg=audit(12/17/2022 01:28:26.437:539) : item=1 name=/tmp/gpsd.sock nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/17/2022 01:28:26.437:539) : item=0 name=/tmp/ inode=1 dev=00:22 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/17/2022 01:28:26.437:539) : cwd=/home/ml
type=SOCKADDR msg=audit(12/17/2022 01:28:26.437:539) : saddr={ saddr_fam=local path=/tmp/gpsd.sock }
type=SYSCALL msg=audit(12/17/2022 01:28:26.437:539) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7fff78cd8e90 a2=0x6e a3=0x2c100800 items=2 ppid=16938 pid=16939 auid=ml uid=ml gid=ml euid=ml suid=ml fsuid=ml egid=ml sgid=ml fsgid=ml tty=(none) ses=3 comm=gpsd exe=/usr/sbin/gpsd subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/17/2022 01:28:26.437:539) : avc: denied { create } for pid=16939 comm=gpsd name=gpsd.sock scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

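An added example, not part of the original report and not code from setroubleshoot or the audit tools: a Python triage helper that reduces AVC denials, in both the raw and the `ausearch -i` forms seen above, to the same tuple as the report's "Hash:" line and counts how many were enforced versus only logged in permissive mode. The function names are this example's own; the sample records are copied from this report.

```python
import re
from collections import defaultdict

# Sample records copied from this report (one raw, the rest in `ausearch -i` form).
SAMPLE = """\
type=AVC msg=audit(1671113911.989:582): avc: denied { create } for pid=8305 comm="gpsd" name="gpsd.sock" scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(12/17/2022 01:25:56.902:512) : avc: denied { create } for pid=16694 comm=gpsd name=gpsd.sock scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=PROCTITLE msg=audit(12/17/2022 01:28:26.437:539) : proctitle=gpsd -F /tmp/gpsd.sock
type=AVC msg=audit(12/17/2022 01:28:26.437:539) : avc: denied { create } for pid=16939 comm=gpsd name=gpsd.sock scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "comm": fields["comm"],
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": m.group(1).split(),
        # Assumption: a record without permissive= is counted as enforced.
        "enforced": fields.get("permissive") != "1",
    }

def summarize(text):
    """Count denials per (comm, source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"enforced": 0, "permissive": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"], perm)
            groups[key]["enforced" if rec["enforced"] else "permissive"] += 1
    return dict(groups)

if __name__ == "__main__":
    for key, counts in summarize(SAMPLE).items():
        print(",".join(key), counts)
```

The enforced count separates denials that actually blocked the `bind` call (`permissive=0`) from the one recorded while the host was in permissive mode.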
FEDORA-2022-fc84e3e4d5 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fc84e3e4d5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.