Résumé: SELinux empêche l'accès en « unix_read unix_write » à /usr/sbin/gpsd Description détaillée: SELinux a refusé l'accès demandé par gpsd. Il n'est pas prévu que cet accès soit requis par gpsd et cet accès peut signaler une tentative d'intrusion. Il est également possible que cette version ou cette configuration spécifique de l'application provoque cette demande d'accès supplémenta Autoriser l'accès: Vous pouvez créer un module de stratégie locale pour autoriser cet accès - lisez la FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Merci de remplir un rapport de bogue. Informations complémentaires: Contexte source unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 Contexte cible system_u:system_r:udev_t:s0-s0:c0.c1023 Objets du contexte None [ shm ] source gpsd Chemin de la source /usr/sbin/gpsd Port <Inconnu> Hôte (supprimé) Paquetages RPM source gpsd-2.95-2.fc14 Paquetages RPM cible Politique RPM selinux-policy-3.9.7-3.fc14 Selinux activé True Type de politique targeted Mode strict Enforcing Nom du plugin catchall Nom de l'hôte (supprimé) Plateforme Linux (supprimé) 2.6.35.6-43.fc14.i686.PAE #1 SMP Wed Oct 13 21:29:27 UTC 2010 i686 i686 Compteur d'alertes 16 Première alerte jeu. 28 oct. 2010 21:20:55 CEST Dernière alerte jeu. 28 oct. 2010 21:23:55 CEST ID local 310bcbaa-4db2-4aa9-8eb9-7ea2b7316659 Numéros des lignes Messages d'audit bruts node=(supprimé) type=AVC msg=audit(1288293835.454:1692): avc: denied { unix_read unix_write } for pid=4121 comm="gpsd" key=1314148403 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=shm node=(supprimé) type=SYSCALL msg=audit(1288293835.454:1692): arch=40000003 syscall=117 success=no exit=-13 a0=17 a1=4e545033 a2=50 a3=3b6 items=0 ppid=1 pid=4121 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=171 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null) Hash String generated from catchall,gpsd,gpsd_t,udev_t,shm,unix_read,unix_write audit2allow suggests: #============= gpsd_t ============== allow gpsd_t udev_t:shm { unix_read unix_write };
This happen just by running gpsd as root. The unix_read and write is needed as gpsd can be controled by a socket in /var/
This show gpsd trying to communicate with an application running as udev_t? ps -eZ | grep udev_t
~ $ ps -eZ | grep udev_t system_u:system_r:udev_t:s0-s0:c0.c1023 516 ? 00:00:04 udevd system_u:system_r:udev_t:s0-s0:c0.c1023 823 ? 00:00:00 udevd system_u:system_r:udev_t:s0-s0:c0.c1023 824 ? 00:00:00 udevd ~ $ ps -eZ | grep gps unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 4121 ? 00:00:02 gpsd It may communicate with udevd, since it will read the gps device in /dev/, but I am not sure about the exact interaction. The bug likely requires a real GPS to be plugged, unfortunatly, and I do not have it now, but if you give me some test to do, I will give any needed information.
Harald, do you have any ideas? I guess we can allow this.
(In reply to comment #4) > Harald, do you have any ideas? I guess we can allow this. No, I have no ideas. What is the problem? Is it denied to use /dev/shm?
No it looks like gpsd is trying to communicate though shared memory owned by udev. gpsd communicates with GPS devices using shared memory, ordinarily.
sesearch -A -s gpsd_t -c shm Found 3 semantic av rules: allow gpsd_t gpsd_t : shm { create destroy getattr setattr read write associate unix_read unix_write lock } ; allow gpsd_t ntpd_t : shm { getattr read write associate unix_read unix_write lock } ; allow gpsd_t chronyd_t : shm { getattr read write associate unix_read unix_write lock } ;
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping