Bug 493506 - SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t
SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-01 21:22 EDT by collura
Modified: 2009-11-18 20:33 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 08:00:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
gpsd audit log (829 bytes, text/plain)
2009-08-17 21:39 EDT, joeTSUNAMI
no flags Details

  None (edit)
Description collura 2009-04-01 21:22:04 EDT
Description of problem:

When using GpsDrive program v2.09 in fedora core 10, the selinux seems to block the interaction of gpsd when it attempts to connect to the gps by usb.  

The gps shows up in the filesystem but the gpsdrive program doesnt seem to be able to talk to it because of the selinux blockage.

This selinux blockage bug seems to be noted as a part of an existing bug (bug#491018) however that previously filed bug seems mostly concerned with the release of an updated version of gpsd more than of the selinux interaction shown in the alert report far below.  



I opened this new bug (for the selinux issue) since that previous bug#491018 seems to be suspended until fc11 as i read the most recent excerpt from bug#491018:

>Comment #14 From  Rex Dieter  2009-03-30 15:54:13 EDT  -------
>
>OK, too much pain, I'd recommend sticking with rawhide only here for now... and
>once everything builds and sufficiently tested in rawhide/f11, a re-evaluation
>can be made.  
>



The actual alert i receive from selinux is as follows:

>Summary:
>
>SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t.
>
>Detailed Description:
>
>SELinux denied access requested by gpsd. It is not expected that this access is
>required by gpsd and this access may signal an intrusion attempt. It is also
>possible that the specific version or configuration of the application is
>causing it to require additional access.
>
>Allowing Access:
>
>You can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                unconfined_u:unconfined_r:gpsd_t:s0
>Target Context                unconfined_u:unconfined_r:unconfined_t:s0
>Target Objects                socket [ tcp_socket ]
>Source                        gpsd
>Source Path                   /usr/sbin/gpsd
>Port                          <Unknown>
>Host                          localhost.localdomain
>Source RPM Packages           gpsd-2.37-2.fc9
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.5.13-53.fc10
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall
>Host Name                     localhost.localdomain
>Platform                      Linux localhost.localdomain >2.6.27.19-170.2.35.fc10.x86_64
>                              #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
>Alert Count                   2
>First Seen                    Wed 01 Apr 2009 07:22:23 PM EDT
>Last Seen                     Wed 01 Apr 2009 07:34:32 PM EDT
>Local ID                      cc534812-e532-4c05-b0fb-590607ec4f65
>Line Numbers                  
>
>Raw Audit Messages            
>
>node=localhost.localdomain type=AVC msg=audit(1238628872.609:671): avc:  denied  { >read write } for  pid=13950 comm="gpsd" path="socket:[291951]" dev=sockfs >ino=291951 scontext=unconfined_u:unconfined_r:gpsd_t:s0 >tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
>
>node=localhost.localdomain type=AVC msg=audit(1238628872.609:671): avc:  >denied  { read write } for  pid=13950 comm="gpsd" path="socket:[293269]" >dev=sockfs ino=293269 scontext=unconfined_u:unconfined_r:gpsd_t:s0 >tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
>
>node=localhost.localdomain type=SYSCALL msg=audit(1238628872.609:671): >arch=c000003e syscall=59 success=yes exit=0 a0=20b2430 a1=20b2390 a2=20b0f60 >a3=32e536da70 items=0 ppid=13804 pid=13950 auid=500 uid=500 gid=500 euid=500 >suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gpsd" >exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0 key=(null)
>
>

  
Actual results:

gpsdrive program doenst seem to communicate with the gps 
(even though the gps seems to mount to the filesystem ok)

when start the gpsd in garmin mode from inside gpsdrive program get the selinux alert and get message in gpsdrive saying 'Timeout getting data from GPS-Receiver!' 

Expected results:

_assuming_ that i was set up correctly to talk to the usb gps, i expected gpsdrive would communicate with the gps and display things in the program accordingly.  never used the program before so maybe i am setup wrong but the selinux alert makes me think its just getting blocked.



Additional info:
Comment 1 disposable567 2009-04-10 08:53:28 EDT
my selinux report:

Source Context:  unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023Target Context:  system_u:object_r:gpmctl_t:s0Target Objects:  /dev/gpmctl [ sock_file ]Source:  gpsdSource Path:  /usr/sbin/gpsdPort:  <Unknown>Host:  hp4Source RPM Packages:  gpsd-2.37-2.fc9Target RPM Packages:  Policy RPM:  selinux-policy-3.5.13-54.fc10Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  catchall_fileHost Name:  hp4Platform:  Linux hp4 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64Alert Count:  9First Seen:  Thu 09 Apr 2009 09:40:59 PM PDTLast Seen:  Fri 10 Apr 2009 05:45:41 AM PDTLocal ID:  37f40af4-ae7b-4cab-a8ed-23daec4c9c3fLine Numbers:  Raw Audit Messages :node=hp4 type=AVC msg=audit(1239367541.409:21): avc: denied { getattr } for pid=3226 comm="gpsd" path="/dev/gpmctl" dev=tmpfs ino=8737 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file node=hp4 type=SYSCALL msg=audit(1239367541.409:21): arch=c000003e syscall=4 success=no exit=-13 a0=610ba0 a1=7fff0bb15240 a2=7fff0bb15240 a3=4000 items=0 ppid=1 pid=3226 auid=500 uid=0 gid=14 euid=99 suid=0 fsuid=99 egid=14 sgid=14 fsgid=14 tty=(none) ses=1 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
Comment 2 Yul Rottmann 2009-06-25 09:56:50 EDT
I confirm this bug, exactly the same problem.
Comment 3 Yul Rottmann 2009-06-25 09:58:18 EDT
I am on Fedora 11 by the way, sorry for forgetting to mention it in the last comment.
Comment 4 James Derrick 2009-07-02 14:31:23 EDT
Same issue found on F11 whilst following instructions fron the Fedora Wiki:
http://fedoraproject.org/wiki/How_to_configure_and_use_GPS_over_bluetooth

Steps to reproduce:
1. Connect an USB Bluetooth dongle to a F11 machine.
2. Follow Fedora Wiki steps to map /dev/rfcomm0 to a Bluetooth GPS
3. Start gpds connecting to the port: "$ sudo gpsd /dev/rfcomm0"
4. First SELinux log: "SElinux prevented gpsd from using the terminal 0"
5. Run SELinux browser "Allowing Access" command of "$ sudo setsebool -P allow_daemons_use_tty=1"
6. Start gpsd connecting to the port: "$ sudo gpsd /dev/rfcomm0"
7. Second SELinux denial "SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t"

As GPSd is a basically a hardware driver, it a key feature for it to connect to a device in /dev so it makes sense (to me at least) to alter the default policy.

A post to a forum suggested that even with SELinux disabled, GPSd may not work on Fedora:
http://www.engardelinux.org/modules/index/list_archives.cgi?list=fedora-selinux&page=0094.html&month=2009-06
Comment 5 Chris Partezana 2009-07-02 18:24:43 EDT
I am having the same problem when using a Sprint PCMCIA Broadband air card (Novatel Wireless Merlin S720) that includes a GPS module in a Dell Latitude D620 laptop.

SELinux is preventing gpsd (gpsd_t) "read write" unconfined_t. Detailed DescriptionSELinux denied access requested by gpsd. It is not expected that this access is required by gpsd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessYou can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional InformationSource Context:  unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023Target Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023Target Objects:  socket [ tcp_socket ]Source:  gpsdSource Path:  /usr/sbin/gpsdPort:  <Unknown>Host:  localhost.localdomainSource RPM Packages:  gpsd-2.39-3.fc11Target RPM Packages:  Policy RPM:  selinux-policy-3.6.12-53.fc11
Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  catchallHost Name:  localhost.localdomainPlatform:  Linux localhost.localdomain 2.6.29.4-167.fc11.i586 #1 SMP Wed May 27 17:14:37 EDT 2009 i686 i686Alert Count:  4First Seen:  Thu 02 Jul 2009 05:09:18 PM EDTLast Seen:  Thu 02 Jul 2009 05:13:38 PM EDTLocal ID:  46d8b7b0-911b-41c6-8758-6867a0add4c7Line Numbers:  Raw Audit Messages :node=localhost.localdomain type=AVC msg=audit(1246569218.702:23): avc: denied { read write } for pid=3612 comm="gpsd" path="socket:[18873]" dev=sockfs ino=18873 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=localhost.localdomain type=AVC msg=audit(1246569218.702:23): avc: denied { read write } for pid=3612 comm="gpsd" path="socket:[18926]" dev=sockfs ino=18926 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=localhost.localdomain type=SYSCALL msg=audit(1246569218.702:23): arch=40000003 syscall=11 success=yes exit=0 a0=98fba60 a1=98fbae8 a2=98faaf0 a3=98fbae8 items=0 ppid=3508 pid=3612 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid
Comment 6 Marek Mahut 2009-08-12 10:34:16 EDT
Can you please attach your /var/log/audit/audit.log after a denial?
Comment 7 joeTSUNAMI 2009-08-17 21:33:33 EDT
(In reply to comment #6)
> Can you please attach your /var/log/audit/audit.log after a denial?  

type=AVC msg=audit(1250558957.503:128): avc:  denied  { fsetid } for  pid=7994 comm="gpsd" capability=4 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1250558957.503:128): avc:  denied  { fsetid } for  pid=7994 comm="gpsd" capability=4 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1250558957.503:128): arch=c000003e syscall=90 success=no exit=-1219805224 a0=7fff6fa05f7e a1=21b0 a2=7fff6fa02ce0 a3=7fff6fa02a30 items=0 ppid=1 pid=7994 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
Comment 8 joeTSUNAMI 2009-08-17 21:39:26 EDT
Created attachment 357727 [details]
gpsd audit log
Comment 9 James Derrick 2009-08-18 08:12:08 EDT
Hi,

Tried the test again, and was able to connect gpsd to a BT GPS and run tangoGPS, GPSdrive, etc.

N.B. This is the same machine as my previous post (Comment #4) which has had a little SELinux config away from the stock as-shipped state.

The current versions are:
$ rpm -qa|grep selinux
selinux-policy-targeted-3.6.12-72.fc11.noarch
libselinux-2.0.80-1.fc11.i586
libselinux-utils-2.0.80-1.fc11.i586
selinux-policy-3.6.12-72.fc11.noarch
libselinux-python-2.0.80-1.fc11.i586
$ rpm -q gpsd
gpsd-2.39-3.fc11.i586
$ uname -a
Linux netbook 2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14 20:52:46 EDT 2009 i686 i686 i386 GNU/Linux

Best regards,

James
Comment 10 Marek Mahut 2009-08-19 04:38:53 EDT
audit2allow suggest:

#============= gpsd_t ==============
allow gpsd_t self:capability fsetid;

Moving to selinux-policy, so Dan can take a look and decide what's best in this case.
Comment 11 Daniel Walsh 2009-08-20 08:30:55 EDT
Miroslav add this to F10 and F11 policy.

The unconfined_t tcp_socket read write avc is fixed by an update to nss_ldap
Comment 12 Miroslav Grepl 2009-08-21 06:19:53 EDT
Fixed in 

selinux-policy-3.5.13-70.fc10
selinux-policy-3.6.12-79.fc11
Comment 13 Bug Zapper 2009-11-18 06:39:42 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Daniel Walsh 2009-11-18 08:00:45 EST
Closing as current release
Comment 15 collura 2009-11-18 20:33:23 EST
Well the selinux issue gpsd_t "read write" looks like it cleared.

Thank you.

Ironically, I swear it worked at least once but now i dont really see an error but it wont read from gps again, lol.  I must have changed something or there is another bug, but thats another report.

Thanks for the policy update.

Note You need to log in before you can comment on or make changes to this bug.