Description of problem:
With the latest gpsd in rawhide I'm getting new selinux errors. It can now work with PPS devices (/dev/pps*) and it can communicate with chrony over socket /var/run/chrony*sock. The socket probably should be labelled as chronyd_var_run_t.

#============= chronyd_t ==============
allow chronyd_t var_run_t:sock_file { create unlink };

#============= gpsd_t ==============
allow gpsd_t clock_device_t:chr_file ioctl;
#!!!! The source type 'gpsd_t' can write to a 'chr_file' of the following types:
# devtty_t, initrc_devpts_t, null_device_t, tty_device_t, zero_device_t
allow gpsd_t device_t:chr_file { read write ioctl open };
allow gpsd_t self:capability sys_time;
allow gpsd_t self:process signal;
allow gpsd_t var_run_t:sock_file write;

Then I get a ton of errors like this when gpsd lists /proc to avoid opening a device which is already opened by another process. Is it possible to cover this behavior in selinux or do we need to disable it in gpsd?

allow gpsd_t dhcpc_t:dir { read search open };
allow gpsd_t dhcpc_t:file read;
allow gpsd_t dhcpc_t:lnk_file read;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.16-35.fc15.noarch
Can we create a /var/run/chronyd/ and move stuff there? What device_t device was it trying to use? I just added policy to handle most of the AVC's you are showing.

domain_dontaudit_read_all_domains_state(gpsd_t)

Tells SELinux to ignore gpsd_t reading /proc.
Should show up in selinux-policy-3.10.0-21
The path to the chrony socket is hardcoded in gpsd. I can ask upstream to move it to /var/run/chrony if you think it's necessary. The device_t device is /dev/pps0, it's created by the gpsd process. At some point after the denied ioctl or sys_time the context changes to clock_device_t.

type=AVC msg=audit(1314176990.280:2215): avc: denied { ioctl } for pid=11819 comm="gpsd" path="/dev/pps0" dev=devtmpfs ino=28470009 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1314176990.280:2216): avc: denied { sys_time } for pid=11819 comm="gpsd" capability=25 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
type=AVC msg=audit(1314176991.001:2217): avc: denied { ioctl } for pid=11819 comm="gpsd" path="/dev/pps0" dev=devtmpfs ino=28470009 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
gpsd actually does a mknod? selinux-policy-3.10.0-21.fc16 just became available; could you try this version out?
I think udev creates the device, but gpsd calls the TIOCSETD ioctl to attach the line discipline. With selinux-policy-targeted-3.10.0-21.fc16.noarch now I get only these errors:

type=AVC msg=audit(1314208140.636:2705): avc: denied { sendto } for pid=17970 comm="gpsd" path="/var/run/chrony.ttyS0.sock" scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1314208140.636:2706): avc: denied { read } for pid=17969 comm="gpsd" name="/" dev=proc ino=1 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1314208140.637:2707): avc: denied { read write } for pid=17970 comm="gpsd" name="pps0" dev=devtmpfs ino=33274239 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC msg=audit(1314208140.637:2707): avc: denied { open } for pid=17970 comm="gpsd" name="pps0" dev=devtmpfs ino=33274239 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC msg=audit(1314208140.638:2708): avc: denied { sys_ptrace } for pid=17969 comm="gpsd" capability=19 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
type=AVC msg=audit(1314208140.641:2709): avc: denied { ioctl } for pid=17970 comm="gpsd" path="/dev/pps0" dev=devtmpfs ino=33274239 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
type=AVC msg=audit(1314208140.641:2710): avc: denied { dac_override } for pid=17969 comm="gpsd" capability=1 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
Ok, I have added fixes to selinux-policy-3.10.0-22.fc16 for everything except the dac_override and the sys_ptrace. I would like to know if they are really needed or not.

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

Then run your test. This should give us path information within the AVC that is complaining about dac_override and maybe sys_ptrace.

ausearch -m avc -ts recent

Should give you the full avc data.
The PID 809 is the system dbus-daemon and 1351 is user's xsession script. Thanks.

----
time->Mon Aug 29 18:12:03 2011
type=PATH msg=audit(1314634323.699:5040): item=0 name="/proc/809/fd/0" inode=106597294 dev=00:03 mode=0120500 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
type=CWD msg=audit(1314634323.699:5040): cwd="/"
type=SYSCALL msg=audit(1314634323.699:5040): arch=c000003e syscall=89 success=yes exit=9 a0=7fffd1f0ef30 a1=7fffd1f0ef70 a2=40 a3=200 items=1 ppid=1 pid=29123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpsd" exe="/usr/sbin/gpsd" subj=system_u:system_r:gpsd_t:s0 key=(null)
type=AVC msg=audit(1314634323.699:5040): avc: denied { sys_ptrace } for pid=29123 comm="gpsd" capability=19 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
----
time->Mon Aug 29 18:12:03 2011
type=PATH msg=audit(1314634323.701:5041): item=0 name="/proc/1351/fd/" inode=106142021 dev=00:03 mode=040500 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=CWD msg=audit(1314634323.701:5041): cwd="/"
type=SYSCALL msg=audit(1314634323.701:5041): arch=c000003e syscall=2 success=yes exit=9 a0=7fffd1f0efb0 a1=90800 a2=7fffd1f0efbe a3=200 items=1 ppid=1 pid=29123 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gpsd" exe="/usr/sbin/gpsd" subj=system_u:system_r:gpsd_t:s0 key=(null)
type=AVC msg=audit(1314634323.701:5041): avc: denied { dac_override } for pid=29123 comm="gpsd" capability=1 scontext=system_u:system_r:gpsd_t:s0 tcontext=system_u:system_r:gpsd_t:s0 tclass=capability
Why would gpsd be looking at these processes?
It looks for other processes which have opened the GPS device and abort if there are any to avoid stealing it.
So it is walking the entire process tree looking at open file descriptors seeing if anyone has an open file descriptor to it and then exiting?
Yes. I thought that's what you meant in the comment #1.
One would think there would be an easier way to check this. But I guess I need to add the access. This check would also be racy, in that while you are checking for others having an open fd another process could open it.
We can disable the code if you think it's that bad, I'm not sure how useful it actually is. Upstream commit message:

Under Linux, use /proc to avoid opening serial devices already open. This will help prevent gpsd from consuming data from devices such as USB modems that happen to look like GPSes because they use a USB-to-serial adapter that we have whitelisted. Relies on there being a /proc filesystem with Linux-like semantics.
Is there anything in the logs about failure to find devices? I can just dontaudit the access, and therefore run more secure with SELinux enabled. sys_ptrace and dac_override are very powerful access. sys_ptrace means gpsd can read any other processes' memory. dac_override means it can ignore OWNERSHIP/Permissions.
There are no errors reported in the scanning code. In enforcing mode I don't see any AVCs.
Added dontaudits in selinux-policy-3.10.0-24.fc16
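The /proc walk discussed above (a daemon listing every process's fd table to see whether the serial device is already held, and the consequence of dontaudit, which makes the denied directories silently unreadable rather than logged) can be written out as an added example. This is not gpsd's code, nor part of the bug report; the function names, the fake /proc layout and the PIDs used as labels in the demo are assumptions made for the illustration.

```python
"""Added example (not gpsd's own code): a best-effort /proc scan for processes
that hold a given device open, tolerating the denials SELinux produces.

Reading /proc/<pid>/fd of a process owned by another uid needs CAP_DAC_OVERRIDE
when running as root, and reading the fd links of another process needs
ptrace-style access; when either is denied (or dontaudit'ed) the listing fails
with EACCES/EPERM and that process simply cannot be inspected. The scan is
therefore both racy and best-effort, which is the point made in the thread.
"""
import os
import tempfile
from typing import List, Optional


def device_holders(device: str, proc_root: str = "/proc",
                   skip_pid: Optional[int] = None) -> List[int]:
    """Return sorted PIDs whose fd table contains a link to `device`.

    Processes whose fd directory cannot be read (permission denied) or that
    exit during the walk are skipped, so a denial can only hide a holder,
    never report a false one.  (Assumed helper, not from gpsd.)
    """
    want = os.path.realpath(device)
    holders: List[int] = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return holders          # no /proc at all: nothing we can say
    for name in entries:
        if not name.isdigit():
            continue            # /proc/self, /proc/sys, ... are not processes
        pid = int(name)
        if pid == skip_pid:
            continue            # the caller's own descriptors do not count
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:
            continue            # denied by DAC/SELinux: cannot tell, skip
        except FileNotFoundError:
            continue            # process went away mid-walk (the race)
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue        # fd closed meanwhile, or link unreadable
            if target == want or os.path.realpath(target) == want:
                holders.append(pid)
                break
    return sorted(holders)


def build_fake_proc(root: str, device: str, holder_pids: List[int],
                    other_pids: List[int]) -> None:
    """Construct a minimal /proc look-alike (test fixture, not real data)."""
    for pid in holder_pids + other_pids:
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        os.symlink("/dev/null", os.path.join(fd_dir, "0"))
        if pid in holder_pids:
            os.symlink(device, os.path.join(fd_dir, "3"))
    os.makedirs(os.path.join(root, "sys"))   # non-numeric entry to be ignored


def demo() -> List[int]:
    """Run the scan against a constructed tree: one holder, two bystanders,
    and the scanner's own PID excluded. PIDs are labels borrowed from the
    thread, not real processes."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "ttyS0")          # stand-in for /dev/ttyS0
        open(device, "w").close()
        proc = os.path.join(tmp, "proc")
        build_fake_proc(proc, device, holder_pids=[1351],
                        other_pids=[809, 17970])
        return device_holders(device, proc_root=proc, skip_pid=17970)


if __name__ == "__main__":
    print("holders in fake proc:", demo())
    # Against the real /proc, pass skip_pid=os.getpid(); denied fd tables are
    # skipped silently, exactly as they would be under a dontaudit rule.
    print("holders of /dev/null visible to me:",
          device_holders("/dev/null", skip_pid=os.getpid()))
```

Note what the second call shows when run unprivileged: only processes you are allowed to inspect appear, and nothing tells you how many were skipped. A daemon relying on this check therefore cannot distinguish "device is free" from "I was not allowed to look", which is why the dontaudit resolution is safe for SELinux but leaves the check itself weak.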
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.