Description of problem:
SELinux is preventing gpsd from 'sys_ptrace' accesses on the cap_userns labeled gpsd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gpsd should be allowed sys_ptrace access on cap_userns labeled gpsd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpsd' --raw | audit2allow -M my-gpsd
# semodule -X 300 -i my-gpsd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        gpsd
Source Path                   gpsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.0.12-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 8 16:58:47 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-12-16 00:19:25 CST
Last Seen                     2022-12-16 00:19:25 CST
Local ID                      93ac6375-0c6f-419e-8d62-d51b5ab0cacc

Raw Audit Messages
type=AVC msg=audit(1671121165.313:830): avc:  denied  { sys_ptrace } for  pid=15428 comm="gpsd" capability=19  scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1

Hash: gpsd,gpsd_t,gpsd_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-targeted-37.15-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.0.12-300.fc37.x86_64
type:           libreport

Potential duplicate: bug 1541958
Hi,

Do you know how to reproduce the problem or what is the triggering condition?

If possible, please upload avc denials with full auditing enabled:
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
(In reply to Zdenek Pytela from comment #1)
> Hi,
>
> Do you know how to reproduce problem or what is the triggering condition?
>
> If possible, please upload avc denials with full auditing enabled:
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
> # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

setenforce is set to 0. If 1, gpsd will simply exit without any output and will not display any SELinux alerts.

When I run "gpsmon localhost:4400", that alert shows up.

I got that from ausearch:
----
type=PROCTITLE msg=audit(12/17/2022 01:47:25.547:577) : proctitle=gpsd -N -S 4400 -D3 /dev/ttyUSB0
type=PATH msg=audit(12/17/2022 01:47:25.547:577) : item=0 name=/proc/2996/fd/0 inode=39277 dev=00:15 mode=link,500 ouid=ml ogid=ml rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/17/2022 01:47:25.547:577) : cwd=/home/ml
type=SYSCALL msg=audit(12/17/2022 01:47:25.547:577) : arch=x86_64 syscall=readlink success=yes exit=9 a0=0x7ffe775bf240 a1=0x7ffe775bf2c0 a2=0x7f a3=0x1000 items=1 ppid=9813 pid=18353 auid=ml uid=ml gid=ml euid=ml suid=ml fsuid=ml egid=ml sgid=ml fsgid=ml tty=pts3 ses=3 comm=gpsd exe=/usr/sbin/gpsd subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/17/2022 01:47:25.547:577) : avc:  denied  { sys_ptrace } for  pid=18353 comm=gpsd capability=sys_ptrace scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
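An added example (not from this bug report or the selinux-policy project) that parses the AVC records quoted in comment 0 and in the ausearch output above, extracts the source and target types, object class and permission, reconstructs the allow rule the audit2allow step from comment 0 would emit, and notes whether the access was only logged (permissive=1) rather than blocked. The parse_avc, allow_rule and triage names are mine; the two sample records are copied from this bug.

```python
import re

# AVC record copied from comment 0 (raw form, as setroubleshoot prints it).
RAW_AVC = ('type=AVC msg=audit(1671121165.313:830): avc:  denied  { sys_ptrace } for  '
           'pid=15428 comm="gpsd" capability=19  '
           'scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 '
           'tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 '
           'tclass=cap_userns permissive=1')

# Same denial in the interpreted form produced by "ausearch -i" (comment 2).
INTERPRETED_AVC = ('type=AVC msg=audit(12/17/2022 01:47:25.547:577) : avc:  denied  '
                   '{ sys_ptrace } for  pid=18353 comm=gpsd capability=sys_ptrace '
                   'scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 '
                   'tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 '
                   'tclass=cap_userns permissive=1')

# Fields common to both forms: verdict, permission set, contexts, class, permissive flag.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')


def parse_avc(record):
    """Return the policy-relevant parts of one AVC record as a dict."""
    m = AVC_RE.search(record)
    if not m:
        raise ValueError("not an AVC record: %r" % record)
    d = m.groupdict()
    # A context is user:role:type:range; the TE rule only needs the type (index 2).
    return {
        "verdict": d["verdict"],
        "perms": d["perms"].split(),
        "stype": d["scontext"].split(":")[2],
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        "permissive": d["permissive"] == "1",
    }


def allow_rule(avc):
    """The TE allow rule audit2allow would generate for this single denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], perm_str)


def triage(avc):
    """What a policy maintainer wants to know before adding the rule."""
    notes = ["only logged, not blocked (permissive=1)" if avc["permissive"]
             else "access was actually blocked (permissive=0)"]
    if avc["tclass"] in ("cap_userns", "cap2_userns"):
        notes.append("capability checked inside a non-initial user namespace")
    if avc["stype"] == avc["ttype"]:
        notes.append("self-check: capability requested on the process's own domain")
    return "; ".join(notes)
```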
Thank you for your cooperation.

Could you try the policy with fixes for both the bzs?
https://github.com/fedora-selinux/selinux-policy/pull/1525
Checks -> Artifacts -> rpms.zip

Note the policy version will contain f38 so it will not be a subject of regular updates.
FEDORA-2022-fc84e3e4d5 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fc84e3e4d5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.