Looks like selinux-policy needs updating for geoclue2-2.7.0-1.fc38:

SELinux is preventing geoclue from watch access on the directory /etc.
SELinux is preventing pool-geoclue from search access on the directory net.

(These are from https://bodhi.fedoraproject.org/updates/FEDORA-2023-8fdae6bd57)

Watch access on /etc is probably due to a newly added glib file monitor on /etc/geolocation, https://gitlab.freedesktop.org/geoclue/geoclue/-/commit/cb66669cff959046c8ef02abe13fc4f1a68660c5
SELinux is preventing geoclue from watch access on the directory /etc.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow geoclue to have watch access on the etc directory
Then you need to change the label on /etc
Do
# semanage fcontext -a -t FILE_TYPE '/etc'
where FILE_TYPE is one of the following: geoclue_tmp_t, geoclue_var_lib_t.
Then execute:
restorecon -v '/etc'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that geoclue should be allowed watch access on the etc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'geoclue' --raw | audit2allow -M my-geoclue
# semodule -X 300 -i my-geoclue.pp

Additional Information:
Source Context                system_u:system_r:geoclue_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc [ dir ]
Source                        geoclue
Source Path                   geoclue
Port                          <Unknown>
Host                          xxxxxxxx
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.9-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.9-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxxxxxx
Platform                      Linux xxxxxxxx 6.2.8-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:29:30 UTC 2023 x86_64
Alert Count                   15
First Seen                    2023-03-30 13:35:25 CEST
Last Seen                     2023-03-30 13:36:21 CEST
Local ID                      c6a3fdfe-eeb0-4862-be36-9d0335bf115c

Raw Audit Messages
type=AVC msg=audit(1680176181.677:232): avc: denied { watch } for pid=1532 comm="gmain" path="/etc" dev="dm-0" ino=134295681 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

Hash: geoclue,geoclue_t,etc_t,dir,watch


SELinux is preventing pool-geoclue from search access on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pool-geoclue should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pool-geoclue' --raw | audit2allow -M my-poolgeoclue
# semodule -X 300 -i my-poolgeoclue.pp

Additional Information:
Source Context                system_u:system_r:geoclue_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        pool-geoclue
Source Path                   pool-geoclue
Port                          <Unknown>
Host                          xxxxxxxx
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.9-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.9-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxxxxxx
Platform                      Linux xxxxxxxx 6.2.8-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:29:30 UTC 2023 x86_64
Alert Count                   28
First Seen                    2023-03-30 13:35:27 CEST
Last Seen                     2023-03-30 13:35:42 CEST
Local ID                      d604119d-8266-4b9f-8894-347c25cdaaa8

Raw Audit Messages
type=AVC msg=audit(1680176142.674:209): avc: denied { search } for pid=1532 comm="pool-geoclue" name="net" dev="proc" ino=25312 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Hash: pool-geoclue,geoclue_t,sysctl_net_t,dir,search
*** Bug 2183028 has been marked as a duplicate of this bug. ***
*** Bug 2183208 has been marked as a duplicate of this bug. ***
Please try the PR's scratchbuild if you can: https://github.com/fedora-selinux/selinux-policy/pull/1632 Checks -> Artifacts -> rpms.zip
Upstream PR 1632 fixes this behavior on my system.
Caught in enforcing mode:

----
type=PROCTITLE msg=audit(03/30/2023 14:28:23.473:571) : proctitle=/usr/libexec/geoclue
type=PATH msg=audit(03/30/2023 14:28:23.473:571) : item=0 name=/etc inode=131078 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2023 14:28:23.473:571) : cwd=/
type=SYSCALL msg=audit(03/30/2023 14:28:23.473:571) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x9 a1=0x562ed261dfa0 a2=0x1002fce a3=0x4 items=1 ppid=1 pid=1876 auid=unset uid=geoclue gid=geoclue euid=geoclue suid=geoclue fsuid=geoclue egid=geoclue sgid=geoclue fsgid=geoclue tty=(none) ses=unset comm=geoclue exe=/usr/libexec/geoclue subj=system_u:system_r:geoclue_t:s0 key=(null)
type=AVC msg=audit(03/30/2023 14:28:23.473:571) : avc: denied { watch } for pid=1876 comm=geoclue path=/etc dev="vda2" ino=131078 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(03/30/2023 14:28:23.478:573) : proctitle=/usr/libexec/geoclue
type=PATH msg=audit(03/30/2023 14:28:23.478:573) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2023 14:28:23.478:573) : cwd=/
type=SYSCALL msg=audit(03/30/2023 14:28:23.478:573) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fd5913fbfb0 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1876 auid=unset uid=geoclue gid=geoclue euid=geoclue suid=geoclue fsuid=geoclue egid=geoclue sgid=geoclue fsgid=geoclue tty=(none) ses=unset comm=pool-geoclue exe=/usr/libexec/geoclue subj=system_u:system_r:geoclue_t:s0 key=(null)
type=AVC msg=audit(03/30/2023 14:28:23.478:573) : avc: denied { search } for pid=1876 comm=pool-geoclue name=net dev="proc" ino=25184 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
----

# rpm -qa selinux\* geoclue\* | sort
geoclue2-2.7.0-1.fc39.x86_64
selinux-policy-38.9-1.fc39.noarch
selinux-policy-targeted-38.9-1.fc39.noarch
#
Caught in permissive mode:

----
type=PROCTITLE msg=audit(03/30/2023 14:30:55.141:593) : proctitle=/usr/libexec/geoclue
type=PATH msg=audit(03/30/2023 14:30:55.141:593) : item=0 name=/etc inode=131078 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2023 14:30:55.141:593) : cwd=/
type=SYSCALL msg=audit(03/30/2023 14:30:55.141:593) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x9 a1=0x5585a6485380 a2=0x1002fce a3=0x4 items=1 ppid=1 pid=1903 auid=unset uid=geoclue gid=geoclue euid=geoclue suid=geoclue fsuid=geoclue egid=geoclue sgid=geoclue fsgid=geoclue tty=(none) ses=unset comm=geoclue exe=/usr/libexec/geoclue subj=system_u:system_r:geoclue_t:s0 key=(null)
type=AVC msg=audit(03/30/2023 14:30:55.141:593) : avc: denied { watch } for pid=1903 comm=geoclue path=/etc dev="vda2" ino=131078 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/30/2023 14:30:55.145:595) : proctitle=/usr/libexec/geoclue
type=PATH msg=audit(03/30/2023 14:30:55.145:595) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=25298 dev=00:32 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2023 14:30:55.145:595) : cwd=/
type=SYSCALL msg=audit(03/30/2023 14:30:55.145:595) : arch=x86_64 syscall=openat success=yes exit=10 a0=AT_FDCWD a1=0x7fcc41ffbfb0 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1903 auid=unset uid=geoclue gid=geoclue euid=geoclue suid=geoclue fsuid=geoclue egid=geoclue sgid=geoclue fsgid=geoclue tty=(none) ses=unset comm=pool-geoclue exe=/usr/libexec/geoclue subj=system_u:system_r:geoclue_t:s0 key=(null)
type=AVC msg=audit(03/30/2023 14:30:55.145:595) : avc: denied { open } for pid=1903 comm=pool-geoclue path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=25298 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/30/2023 14:30:55.145:595) : avc: denied { read } for pid=1903 comm=pool-geoclue name=disable_ipv6 dev="proc" ino=25298 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/30/2023 14:30:55.145:595) : avc: denied { search } for pid=1903 comm=pool-geoclue name=net dev="proc" ino=25294 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/30/2023 14:30:55.145:596) : proctitle=/usr/libexec/geoclue
type=PATH msg=audit(03/30/2023 14:30:55.145:596) : item=0 name= inode=25298 dev=00:32 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/30/2023 14:30:55.145:596) : cwd=/
type=SYSCALL msg=audit(03/30/2023 14:30:55.145:596) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0xa a1=0x7fcc4435cb8e a2=0x7fcc41ffc010 a3=0x1000 items=1 ppid=1 pid=1903 auid=unset uid=geoclue gid=geoclue euid=geoclue suid=geoclue fsuid=geoclue egid=geoclue sgid=geoclue fsgid=geoclue tty=(none) ses=unset comm=pool-geoclue exe=/usr/libexec/geoclue subj=system_u:system_r:geoclue_t:s0 key=(null)
type=AVC msg=audit(03/30/2023 14:30:55.145:596) : avc: denied { getattr } for pid=1903 comm=pool-geoclue path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=25298 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
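The setroubleshoot output earlier in this bug recommends `ausearch ... --raw | audit2allow -M my-geoclue` as the interim workaround, and the enforcing/permissive captures above show why both captures matter: in enforcing mode the first denied `search` on `net` aborts the openat(), so the `open`, `read` and `getattr` denials on `disable_ipv6` only surface in permissive mode, and a module built from the enforcing-mode records alone would still leave geoclue broken. The script below is an added example, not part of geoclue, selinux-policy or the audit2allow tool: a small POSIX sh/awk converter that does the same per-rule permission merging audit2allow does, so you can see exactly what `-M` would put in the `.te` file before loading anything. The six AVC records it feeds itself are copied from the comments in this bug; the module name `local_geoclue` is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from geoclue or selinux-policy): turn AVC denial records
# into a type-enforcement (.te) module the way "audit2allow -M" does, merging
# permissions per (source type, target type, class). Needs only sh, awk, sort.
export LC_ALL=C

# AVC records copied from the comments in this bug. Both the raw form shown by
# setroubleshoot and the "ausearch -i" interpreted form are accepted.
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(1680176181.677:232): avc: denied { watch } for pid=1532 comm="gmain" path="/etc" dev="dm-0" ino=134295681 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1680176142.674:209): avc: denied { search } for pid=1532 comm="pool-geoclue" name="net" dev="proc" ino=25312 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(03/30/2023 14:30:55.145:595) : avc:  denied  { open } for  pid=1903 comm=pool-geoclue path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=25298 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/30/2023 14:30:55.145:595) : avc:  denied  { read } for  pid=1903 comm=pool-geoclue name=disable_ipv6 dev="proc" ino=25298 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/30/2023 14:30:55.145:595) : avc:  denied  { search } for  pid=1903 comm=pool-geoclue name=net dev="proc" ino=25294 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(03/30/2023 14:30:55.145:596) : avc:  denied  { getattr } for  pid=1903 comm=pool-geoclue path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=25298 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
EOF
}

# avc_to_te [module-name] : read audit records on stdin, print a .te module.
avc_to_te() {
    modname=${1:-local_avc}
    # First pass: one "T"/"C"/"A" record per required type, class and allow rule.
    raw=$(awk '
        function app(s, x) { return (s == "" ? x : s " " x) }
        function fmt(p)    { return (index(p, " ") ? "{ " p " }" : p) }
        /avc: *denied/ {
            perms = $0
            sub(/.*denied[ \t]*[{][ \t]*/, "", perms)   # keep text after "{"
            sub(/[ \t]*[}].*/, "", perms)               # drop text from "}" on
            st = tt = tc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); st = a[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
                else if ($i ~ /^tclass=/)   tc = substr($i, 8)
            }
            if (st == "" || tt == "" || tc == "") next   # not a complete AVC record
            key = st " " tt ":" tc
            n = split(perms, p, /[ \t]+/)
            for (j = 1; j <= n; j++) {
                if (p[j] == "") continue
                # merge permissions per rule and per class, dropping repeats
                if (!((key, p[j]) in seen))  { seen[key, p[j]] = 1;  rperm[key] = app(rperm[key], p[j]) }
                if (!((tc, p[j]) in cseen))  { cseen[tc, p[j]] = 1;  cperm[tc]  = app(cperm[tc], p[j]) }
            }
            types[st] = 1; types[tt] = 1
        }
        END {
            for (t in types) print "T\ttype " t ";"
            for (c in cperm) print "C\tclass " c " " fmt(cperm[c]) ";"
            for (k in rperm) print "A\tallow " k " " fmt(rperm[k]) ";"
        }')
    # Second pass: assemble the module in the layout audit2allow uses.
    printf 'module %s 1.0;\n\nrequire {\n' "$modname"
    printf '%s\n' "$raw" | awk -F'\t' '$1 == "T" { print "\t" $2 }' | sort -u
    printf '%s\n' "$raw" | awk -F'\t' '$1 == "C" { print "\t" $2 }' | sort
    printf '}\n\n'
    printf '%s\n' "$raw" | awk -F'\t' '$1 == "A" { print $2 }' | sort
}

# On a real host: ausearch -m AVC -c geoclue --raw | avc_to_te local_geoclue
sample_avcs | avc_to_te local_geoclue
```

Run against the six records it prints three allow rules: `watch` on `etc_t:dir`, `search` on `sysctl_net_t:dir`, and `{ open read getattr }` on `sysctl_net_t:file`. Compile and load the result the same way `audit2allow -M` does (`checkmodule -M -m -o local_geoclue.mod local_geoclue.te`, `semodule_package -o local_geoclue.pp -m local_geoclue.mod`, `semodule -X 300 -i local_geoclue.pp`), confirm it with `sesearch --allow -s geoclue_t -t sysctl_net_t -c file`, and treat it as a stopgap: remove it with `semodule -r local_geoclue` once the fixed selinux-policy from PR 1632 is installed, since a local allow rule written from a denial log grants exactly what the daemon asked for with no review of whether it should.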
*** Bug 2183296 has been marked as a duplicate of this bug. ***
*** Bug 2183298 has been marked as a duplicate of this bug. ***
Thanks for the quick fix, Zdenek!
I am glad we can proactively address a bz reported like this. Policy will probably be updated after GA.
*** Bug 2183315 has been marked as a duplicate of this bug. ***
(In reply to Zdenek Pytela from comment #11)
> I am glad we can proactively address a bz reported like this. Policy will
> probably be updated after GA.

Works for me. I'll submit the geoclue2 update again once we have the updated policy in the repos.
Thank you very much @Kalev and @Zdenek for having addressed the issue so quick - that's collaboration at its best ... awesome !
*** Bug 2183310 has been marked as a duplicate of this bug. ***
*** Bug 2183551 has been marked as a duplicate of this bug. ***
*** Bug 2183553 has been marked as a duplicate of this bug. ***
*** Bug 2183709 has been marked as a duplicate of this bug. ***
*** Bug 2184515 has been marked as a duplicate of this bug. ***
*** Bug 2184532 has been marked as a duplicate of this bug. ***
*** Bug 2184528 has been marked as a duplicate of this bug. ***
FEDORA-2023-9e48ecef73 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-9e48ecef73
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9e48ecef73 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
*** Bug 2184732 has been marked as a duplicate of this bug. ***
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
*** Bug 2186963 has been marked as a duplicate of this bug. ***
*** Bug 2186964 has been marked as a duplicate of this bug. ***
*** Bug 2186966 has been marked as a duplicate of this bug. ***
*** Bug 2187432 has been marked as a duplicate of this bug. ***
*** Bug 2187657 has been marked as a duplicate of this bug. ***