Bug 732770 - new gpsd functionality causes selinux errors
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2011-08-23 14:31 UTC by Miroslav Lichvar
Modified: 2012-04-25 04:58 UTC (History)

Fixed In Version: selinux-policy-3.10.0-118.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-25 04:58:31 UTC



Description Miroslav Lichvar 2011-08-23 14:31:10 UTC
Description of problem:
With the latest gpsd in rawhide I'm getting new selinux errors.

It can now work with PPS devices (/dev/pps*) and it can communicate with chrony over socket /var/run/chrony*sock. The socket probably should be labelled as chronyd_var_run_t.

#============= chronyd_t ==============
allow chronyd_t var_run_t:sock_file { create unlink };

#============= gpsd_t ==============
allow gpsd_t clock_device_t:chr_file ioctl;
#!!!! The source type 'gpsd_t' can write to a 'chr_file' of the following types:
# devtty_t, initrc_devpts_t, null_device_t, tty_device_t, zero_device_t

allow gpsd_t device_t:chr_file { read write ioctl open };
allow gpsd_t self:capability sys_time;
allow gpsd_t self:process signal;
allow gpsd_t var_run_t:sock_file write;


Then I get a ton of errors like this when gpsd lists /proc to avoid opening a device which is already opened by another process. Is it possible to cover this behavior in selinux or do we need to disable it in gpsd?

allow gpsd_t dhcpc_t:dir { read search open };
allow gpsd_t dhcpc_t:file read;
allow gpsd_t dhcpc_t:lnk_file read;


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.16-35.fc15.noarch

Comment 1 Daniel Walsh 2011-08-23 21:09:35 UTC
Can we create a /var/run/cronyd/ and move stuff there?

What device_t device is it trying to use?

I just added policy to handle most of the AVCs you are showing.

domain_dontaudit_read_all_domains_state(gpsd_t)


Tells SELinux to ignore gpsd_t reading /proc

Comment 2 Daniel Walsh 2011-08-23 21:10:20 UTC
Should show up in selinux-policy-3.10.0-21

Comment 3 Miroslav Lichvar 2011-08-24 09:23:49 UTC
The path to the chrony socket is hardcoded in gpsd. I can ask upstream to move it to /var/run/chrony if you think it's necessary.

The device_t device is /dev/pps0, it's created by the gpsd process. At some point after the denied ioctl or sys_time the context changes to clock_device_t.

type=AVC msg=audit(1314176990.280:2215): avc:  denied  { ioctl } for  pid=11819 comm="gpsd" path="/dev/pps0" dev=devtmpfs ino=28470009 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1314176990.280:2216): avc:  denied  { sys_time } for  pid=11819 comm="gpsd" capability=25  scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
type=AVC msg=audit(1314176991.001:2217): avc:  denied  { ioctl } for  pid=11819 comm="gpsd" path="/dev/pps0" dev=devtmpfs ino=28470009 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file

Comment 4 Daniel Walsh 2011-08-24 14:42:58 UTC
gpsd actually does a mknod?

selinux-policy-3.10.0-21.fc16

Just became available, could you try this version out?

Comment 5 Miroslav Lichvar 2011-08-24 17:55:16 UTC
I think udev creates the device, but gpsd calls the TIOCSETD ioctl to attach the line discipline.

With selinux-policy-targeted-3.10.0-21.fc16.noarch now I get only these errors:

type=AVC msg=audit(1314208140.636:2705): avc:  denied  { sendto } for  pid=17970 comm="gpsd" path="/var/run/chrony.ttyS0.sock" scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1314208140.636:2706): avc:  denied  { read } for  pid=17969 comm="gpsd" name="/" dev=proc ino=1 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1314208140.637:2707): avc:  denied  { read write } for  pid=17970 comm="gpsd" name="pps0" dev=devtmpfs ino=33274239 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC msg=audit(1314208140.637:2707): avc:  denied  { open } for  pid=17970 comm="gpsd" name="pps0" dev=devtmpfs ino=33274239 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC msg=audit(1314208140.638:2708): avc:  denied  { sys_ptrace } for  pid=17969 comm="gpsd" capability=19  scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
type=AVC msg=audit(1314208140.641:2709): avc:  denied  { ioctl } for  pid=17970 comm="gpsd" path="/dev/pps0" dev=devtmpfs ino=33274239 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC msg=audit(1314208140.641:2710): avc:  denied  { dac_override } for  pid=17969 comm="gpsd" capability=1  scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability

Comment 6 Daniel Walsh 2011-08-26 21:45:18 UTC
Ok I have added fixes to selinux-policy-3.10.0-22.fc16

For everything except the dac_override and the sys_ptrace. I would like to know if they are really needed or not.

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

Then run your test.

This should give us path information within the AVC that is complaining about dac_override and maybe sys_ptrace.


ausearch -m avc -ts recent 

Should give you the full avc data.

Comment 7 Miroslav Lichvar 2011-08-29 16:16:39 UTC
The PID 809 is the system dbus-daemon and 1351 is user's xsession script. Thanks.

----
time->Mon Aug 29 18:12:03 2011
type=PATH msg=audit(1314634323.699:5040): item=0 name="/proc/809/fd/0" inode=106597294 dev=00:03 mode=0120500 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
type=CWD msg=audit(1314634323.699:5040):  cwd="/"
type=SYSCALL msg=audit(1314634323.699:5040): arch=c000003e syscall=89 success=yes exit=9 a0=7fffd1f0ef30 a1=7fffd1f0ef70 a2=40 a3=200 items=1 ppid=1 pid=29123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpsd" exe="/usr/sbin/gpsd" subj=system_u:system_r:gpsd_t:s0 key=(null)
type=AVC msg=audit(1314634323.699:5040): avc:  denied  { sys_ptrace } for  pid=29123 comm="gpsd" capability=19  scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
----
time->Mon Aug 29 18:12:03 2011
type=PATH msg=audit(1314634323.701:5041): item=0 name="/proc/1351/fd/" inode=106142021 dev=00:03 mode=040500 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=CWD msg=audit(1314634323.701:5041):  cwd="/"
type=SYSCALL msg=audit(1314634323.701:5041): arch=c000003e syscall=2 success=yes exit=9 a0=7fffd1f0efb0 a1=90800 a2=7fffd1f0efbe a3=200 items=1 ppid=1 pid=29123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpsd" exe="/usr/sbin/gpsd" subj=system_u:system_r:gpsd_t:s0 key=(null)
type=AVC msg=audit(1314634323.701:5041): avc:  denied  { dac_override } for  pid=29123 comm="gpsd" capability=1  scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
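
What the audit watch from comment 6 provides, as an added example that is not part of the original thread: PATH and SYSCALL records share an event serial with the AVC record, so they can be joined to show which file access triggered each capability denial. The sample is abbreviated from the records in comment 7; `correlate` and the two-entry syscall table are assumptions of this example.

```python
import re
from collections import defaultdict

# Abbreviated from the ausearch output in comment 7 (unused fields trimmed).
SAMPLE = """\
----
time->Mon Aug 29 18:12:03 2011
type=PATH msg=audit(1314634323.699:5040): item=0 name="/proc/809/fd/0" mode=0120500 ouid=0 obj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
type=SYSCALL msg=audit(1314634323.699:5040): arch=c000003e syscall=89 success=yes comm="gpsd" subj=system_u:system_r:gpsd_t:s0
type=AVC msg=audit(1314634323.699:5040): avc:  denied  { sys_ptrace } for  pid=29123 comm="gpsd" capability=19  scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
type=PATH msg=audit(1314634323.701:5041): item=0 name="/proc/1351/fd/" mode=040500 ouid=500 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=SYSCALL msg=audit(1314634323.701:5041): arch=c000003e syscall=2 success=yes comm="gpsd" subj=system_u:system_r:gpsd_t:s0
type=AVC msg=audit(1314634323.701:5041): avc:  denied  { dac_override } for  pid=29123 comm="gpsd" capability=1  scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
"""

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
PERMS = re.compile(r'denied\s+\{ ([^}]*) \}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {2: "open", 89: "readlink"}  # only the numbers seen in the sample

def correlate(text):
    """Hypothetical helper: join AVC, PATH and SYSCALL records by audit event serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # "----" and "time->" separator lines
        rtype, serial = m.group(1), int(m.group(3))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            fields["perms"] = PERMS.search(line).group(1).split()
        events[serial][rtype] = fields  # keeps the last record of each type per event
    joined = []
    for serial, recs in sorted(events.items()):
        if "AVC" not in recs:
            continue
        avc, path, sc = recs["AVC"], recs.get("PATH"), recs.get("SYSCALL")
        number = int(sc["syscall"]) if sc else None
        joined.append({
            "serial": serial,
            "perms": avc["perms"],
            "source": avc["scontext"].split(":")[2],
            "syscall": X86_64_SYSCALLS.get(number, number),
            "path": path["name"] if path else None,
            "object_type": path["obj"].split(":")[2] if path else None,
        })
    return joined
```

On the sample this ties sys_ptrace to a readlink of dbus-daemon's fd 0 and dac_override to an open of a mode-0500 fd directory owned by uid 500.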

Comment 8 Daniel Walsh 2011-08-30 01:18:11 UTC
Why would gpsd be looking at these processes?

Comment 9 Miroslav Lichvar 2011-08-30 07:28:40 UTC
It looks for other processes which have opened the GPS device and aborts if there are any to avoid stealing it.

Comment 10 Daniel Walsh 2011-08-30 09:07:27 UTC
So it is walking the entire process tree looking at open file descriptors seeing if anyone has an open file descriptor to it and then exiting?

Comment 11 Miroslav Lichvar 2011-08-30 09:35:50 UTC
Yes. I thought that's what you meant in comment #1.

Comment 12 Daniel Walsh 2011-08-30 09:47:41 UTC
One would think there would be an easier way to check this. But I guess I need to add the access.

This check would also be racy, in that while you are checking for others having an open fd another process could open it.

Comment 13 Miroslav Lichvar 2011-08-30 10:00:56 UTC
We can disable the code if you think it's that bad, I'm not sure how useful it actually is.

Upstream commit message:

Under Linux, use /proc to avoid opening serial devices already open.
    
This will help prevent gpsd from consuming data from devices such as USB modems that happen to look like GPSes because they use a USB-to-serial adapter that we have whitelisted.  Relies on there being a /proc filesystem with Linux-like semantics.

Comment 14 Daniel Walsh 2011-08-30 10:49:10 UTC
Is there anything in the logs about failure to find devices?  I can just dontaudit the access, and therefore run more secure with SELinux enabled.

sys_ptrace and dac_override are very powerful accesses.

sys_ptrace means gpsd can read any other process's memory.  dac_override means it can ignore OWNERSHIP/Permissions.

Comment 15 Miroslav Lichvar 2011-08-30 11:59:06 UTC
There are no errors reported in the scanning code. In enforcing mode I don't see any AVCs.
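
An added illustration of the /proc walk discussed in comments 9 to 15 (not gpsd's code and not part of the original thread): it checks every process's fd table for a link to the device and records a denied lookup as "unknown" instead of failing, consistent with the scan continuing to work once the accesses are denied silently. `find_holders` and `proc_root` are hypothetical names.

```python
import os

def find_holders(device, proc_root="/proc"):
    """Return (holders, unreadable): PIDs with `device` open, PIDs we could not inspect."""
    target = os.path.realpath(device)
    holders, unreadable = set(), set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as /proc/self or /proc/sys
        pid = int(entry)
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)  # the open() of /proc/<pid>/fd/ seen in comment 7
        except PermissionError:
            unreadable.add(pid)  # denied by DAC or SELinux: keep scanning
            continue
        except FileNotFoundError:
            continue  # process exited during the scan
        for fd in fds:
            try:
                # the readlink() of /proc/<pid>/fd/<n> seen in comment 7
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    holders.add(pid)
            except PermissionError:
                unreadable.add(pid)
            except FileNotFoundError:
                pass  # descriptor closed during the scan
    return sorted(holders), sorted(unreadable)

if __name__ == "__main__":
    # /dev/ttyS0 is the serial port named in the chrony socket path in comment 5
    print(find_holders("/dev/ttyS0"))
```

The result is only a snapshot: as comment 12 points out, another process can open the device after the scan returns.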

Comment 16 Daniel Walsh 2011-08-30 15:47:11 UTC
Added dontaudits in selinux-policy-3.10.0-24.fc16

Comment 17 Fedora Update System 2012-04-24 01:02:56 UTC
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17

Comment 18 Fedora Update System 2012-04-24 03:14:32 UTC
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2012-04-25 04:58:31 UTC
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

