Description of problem:

When using GpsDrive program v2.09 in Fedora Core 10, SELinux seems to block the interaction of gpsd when it attempts to connect to the GPS by USB. The GPS shows up in the filesystem but the gpsdrive program doesn't seem to be able to talk to it because of the SELinux blockage.

This SELinux blockage bug seems to be noted as a part of an existing bug (bug#491018); however, that previously filed bug seems mostly concerned with the release of an updated version of gpsd more than with the SELinux interaction shown in the alert report far below. I opened this new bug (for the SELinux issue) since that previous bug#491018 seems to be suspended until fc11, as I read the most recent excerpt from bug#491018:

>Comment #14 From Rex Dieter 2009-03-30 15:54:13 EDT -------
>
>OK, too much pain, I'd recommend sticking with rawhide only here for now... and
>once everything builds and sufficiently tested in rawhide/f11, a re-evaluation
>can be made.
>

The actual alert I receive from SELinux is as follows:

>Summary:
>
>SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t.
>
>Detailed Description:
>
>SELinux denied access requested by gpsd. It is not expected that this access is
>required by gpsd and this access may signal an intrusion attempt. It is also
>possible that the specific version or configuration of the application is
>causing it to require additional access.
>
>Allowing Access:
>
>You can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context       unconfined_u:unconfined_r:gpsd_t:s0
>Target Context       unconfined_u:unconfined_r:unconfined_t:s0
>Target Objects       socket [ tcp_socket ]
>Source               gpsd
>Source Path          /usr/sbin/gpsd
>Port                 <Unknown>
>Host                 localhost.localdomain
>Source RPM Packages  gpsd-2.37-2.fc9
>Target RPM Packages
>Policy RPM           selinux-policy-3.5.13-53.fc10
>Selinux Enabled      True
>Policy Type          targeted
>MLS Enabled          True
>Enforcing Mode       Enforcing
>Plugin Name          catchall
>Host Name            localhost.localdomain
>Platform             Linux localhost.localdomain
>                     2.6.27.19-170.2.35.fc10.x86_64
>                     #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
>Alert Count          2
>First Seen           Wed 01 Apr 2009 07:22:23 PM EDT
>Last Seen            Wed 01 Apr 2009 07:34:32 PM EDT
>Local ID             cc534812-e532-4c05-b0fb-590607ec4f65
>Line Numbers
>
>Raw Audit Messages
>
>node=localhost.localdomain type=AVC msg=audit(1238628872.609:671): avc: denied {
>read write } for pid=13950 comm="gpsd" path="socket:[291951]" dev=sockfs
>ino=291951 scontext=unconfined_u:unconfined_r:gpsd_t:s0
>tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
>
>node=localhost.localdomain type=AVC msg=audit(1238628872.609:671): avc:
>denied { read write } for pid=13950 comm="gpsd" path="socket:[293269]"
>dev=sockfs ino=293269 scontext=unconfined_u:unconfined_r:gpsd_t:s0
>tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
>
>node=localhost.localdomain type=SYSCALL msg=audit(1238628872.609:671):
>arch=c000003e syscall=59 success=yes exit=0 a0=20b2430 a1=20b2390 a2=20b0f60
>a3=32e536da70 items=0 ppid=13804 pid=13950 auid=500 uid=500 gid=500 euid=500
>suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gpsd"
>exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0 key=(null)
>
>

Actual results:

The gpsdrive program doesn't seem to communicate with the GPS (even though the GPS seems to mount to the filesystem OK). When I start gpsd in Garmin mode from inside the gpsdrive program, I get the SELinux alert and get a message in gpsdrive saying 'Timeout getting data from GPS-Receiver!'

Expected results:

_Assuming_ that I was set up correctly to talk to the USB GPS, I expected gpsdrive would communicate with the GPS and display things in the program accordingly. I have never used the program before, so maybe I am set up wrong, but the SELinux alert makes me think it's just getting blocked.

Additional info:
My SELinux report:

Source Context: unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023
Target Context: system_u:object_r:gpmctl_t:s0
Target Objects: /dev/gpmctl [ sock_file ]
Source: gpsd
Source Path: /usr/sbin/gpsd
Port: <Unknown>
Host: hp4
Source RPM Packages: gpsd-2.37-2.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-54.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: hp4
Platform: Linux hp4 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64
Alert Count: 9
First Seen: Thu 09 Apr 2009 09:40:59 PM PDT
Last Seen: Fri 10 Apr 2009 05:45:41 AM PDT
Local ID: 37f40af4-ae7b-4cab-a8ed-23daec4c9c3f
Line Numbers:

Raw Audit Messages:

node=hp4 type=AVC msg=audit(1239367541.409:21): avc: denied { getattr } for pid=3226 comm="gpsd" path="/dev/gpmctl" dev=tmpfs ino=8737 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file

node=hp4 type=SYSCALL msg=audit(1239367541.409:21): arch=c000003e syscall=4 success=no exit=-13 a0=610ba0 a1=7fff0bb15240 a2=7fff0bb15240 a3=4000 items=0 ppid=1 pid=3226 auid=500 uid=0 gid=14 euid=99 suid=0 fsuid=99 egid=14 sgid=14 fsgid=14 tty=(none) ses=1 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
I confirm this bug, exactly the same problem.
I am on Fedora 11 by the way, sorry for forgetting to mention it in the last comment.
Same issue found on F11 whilst following instructions from the Fedora Wiki: http://fedoraproject.org/wiki/How_to_configure_and_use_GPS_over_bluetooth

Steps to reproduce:
1. Connect a USB Bluetooth dongle to an F11 machine.
2. Follow the Fedora Wiki steps to map /dev/rfcomm0 to a Bluetooth GPS.
3. Start gpsd connecting to the port: "$ sudo gpsd /dev/rfcomm0"
4. First SELinux log: "SElinux prevented gpsd from using the terminal 0"
5. Run the SELinux browser "Allowing Access" command of "$ sudo setsebool -P allow_daemons_use_tty=1"
6. Start gpsd connecting to the port: "$ sudo gpsd /dev/rfcomm0"
7. Second SELinux denial: "SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t"

As GPSd is basically a hardware driver, it is a key feature for it to connect to a device in /dev, so it makes sense (to me at least) to alter the default policy.

A post to a forum suggested that even with SELinux disabled, GPSd may not work on Fedora: http://www.engardelinux.org/modules/index/list_archives.cgi?list=fedora-selinux&page=0094.html&month=2009-06
I am having the same problem when using a Sprint PCMCIA Broadband air card (Novatel Wireless Merlin S720) that includes a GPS module in a Dell Latitude D620 laptop.

SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t.

Detailed Description
SELinux denied access requested by gpsd. It is not expected that this access is required by gpsd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023
Target Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects: socket [ tcp_socket ]
Source: gpsd
Source Path: /usr/sbin/gpsd
Port: <Unknown>
Host: localhost.localdomain
Source RPM Packages: gpsd-2.39-3.fc11
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-53.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.29.4-167.fc11.i586 #1 SMP Wed May 27 17:14:37 EDT 2009 i686 i686
Alert Count: 4
First Seen: Thu 02 Jul 2009 05:09:18 PM EDT
Last Seen: Thu 02 Jul 2009 05:13:38 PM EDT
Local ID: 46d8b7b0-911b-41c6-8758-6867a0add4c7
Line Numbers:

Raw Audit Messages:

node=localhost.localdomain type=AVC msg=audit(1246569218.702:23): avc: denied { read write } for pid=3612 comm="gpsd" path="socket:[18873]" dev=sockfs ino=18873 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket

node=localhost.localdomain type=AVC msg=audit(1246569218.702:23): avc: denied { read write } for pid=3612 comm="gpsd" path="socket:[18926]" dev=sockfs ino=18926 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket

node=localhost.localdomain type=SYSCALL msg=audit(1246569218.702:23): arch=40000003 syscall=11 success=yes exit=0 a0=98fba60 a1=98fbae8 a2=98faaf0 a3=98fbae8 items=0 ppid=3508 pid=3612 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid
Can you please attach your /var/log/audit/audit.log after a denial?
(In reply to comment #6)
> Can you please attach your /var/log/audit/audit.log after a denial?

type=AVC msg=audit(1250558957.503:128): avc: denied { fsetid } for pid=7994 comm="gpsd" capability=4 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(1250558957.503:128): avc: denied { fsetid } for pid=7994 comm="gpsd" capability=4 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1250558957.503:128): arch=c000003e syscall=90 success=no exit=-1219805224 a0=7fff6fa05f7e a1=21b0 a2=7fff6fa02ce0 a3=7fff6fa02a30 items=0 ppid=1 pid=7994 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
Created attachment 357727 [details] gpsd audit log
Hi,

Tried the test again, and was able to connect gpsd to a BT GPS and run tangoGPS, GPSdrive, etc.

N.B. This is the same machine as my previous post (Comment #4) which has had a little SELinux config away from the stock as-shipped state.

The current versions are:

$ rpm -qa|grep selinux
selinux-policy-targeted-3.6.12-72.fc11.noarch
libselinux-2.0.80-1.fc11.i586
libselinux-utils-2.0.80-1.fc11.i586
selinux-policy-3.6.12-72.fc11.noarch
libselinux-python-2.0.80-1.fc11.i586

$ rpm -q gpsd
gpsd-2.39-3.fc11.i586

$ uname -a
Linux netbook 2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14 20:52:46 EDT 2009 i686 i686 i386 GNU/Linux

Best regards,
James
audit2allow suggests:

#============= gpsd_t ==============
allow gpsd_t self:capability fsetid;

Moving to selinux-policy, so Dan can take a look and decide what's best in this case.
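How the rule suggested above follows from the AVC records posted in this thread, as an added example (not audit2allow's own code and not part of the original report). The function names and the regular expression are assumptions made for illustration; the sample records are taken from the comments above, with the SYSCALL record shortened.

```python
import re
from collections import defaultdict

# Records taken from comments in this thread (SYSCALL record shortened).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1250558957.503:128): avc: denied { fsetid } for pid=7994 comm="gpsd" capability=4 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tclass=capability
node=localhost.localdomain type=AVC msg=audit(1246569218.702:23): avc: denied { read write } for pid=3612 comm="gpsd" path="socket:[18873]" dev=sockfs ino=18873 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket
node=hp4 type=AVC msg=audit(1239367541.409:21): avc: denied { getattr } for pid=3226 comm="gpsd" path="/dev/gpmctl" dev=tmpfs ino=8737 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1250558957.503:128): arch=c000003e syscall=90 success=no comm="gpsd" exe="/usr/sbin/gpsd"
"""

# Hypothetical pattern: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:mls-range] context."""
    return context.split(":")[2]

def candidate_rules(audit_text):
    """Group AVC denials and return sorted candidate 'allow' rules."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        src = selinux_type(m["scon"])
        tgt = selinux_type(m["tcon"])
        if tgt == src:
            tgt = "self"  # policy language spells a same-type target as 'self'
        perms_by_key[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(perms_by_key.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_AUDIT)))
```

The rules are candidates for review, not a policy to load as-is: later in this thread the tcp_socket denial is reported as fixed by an update to nss_ldap rather than by a policy rule.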
Miroslav, add this to F10 and F11 policy.

The unconfined_t tcp_socket read write AVC is fixed by an update to nss_ldap.
Fixed in:
selinux-policy-3.5.13-70.fc10
selinux-policy-3.6.12-79.fc11
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Closing as current release
Well, the SELinux issue gpsd_t "read write" looks like it cleared. Thank you. Ironically, I swear it worked at least once, but now I don't really see an error but it won't read from the GPS again, lol. I must have changed something or there is another bug, but that's another report. Thanks for the policy update.