RHEL-16676

SELinux prevents the gpsd process from accessing /dev/gnss0

    • selinux-policy-38.1.29-1.el9
    • Normal
    • sst_security_selinux
    • ssg_security
    • 16
    • QE ack
    • False
    • No
    • The default label for /dev/gnss* devices is more specific than device_t.
    • Pass
    • Yes
    • Release Note Not Required

      What were you trying to do that didn't work?

      # rpm -qa selinux*
      selinux-policy-38.1.26-1.el9.noarch
      selinux-policy-targeted-38.1.26-1.el9.noarch

      # matchpathcon /dev/gnss0
      /dev/gnss0    system_u:object_r:gnss_device_t:s0
      # semanage fcontext -l | grep gnss_device_t
      /dev/gnss[0-9]+                                    character device   system_u:object_r:gnss_device_t:s0

      # gpsd -nNp /dev/gnss0 -D3
      gpsd:INFO: launching (Version 3.25, revision 3.25)
      gpsd:INFO: starting uid 0, gid 0
      gpsd:INFO: Command line: gpsd -nNp -D3 /dev/gnss0 
      gpsd:INFO: listening on port gpsd
      gpsd:INFO: stashing device /dev/gnss0 at slot 0
      gpsd:ERROR: SER: stat(/dev/gnss0) failed: Permission denied(13)
      gpsd:ERROR: initial GPS device /dev/gnss0 open failed
      gpsd:ERROR: can't run with neither control socket nor devices open

      # cat /var/log/audit/audit.log | grep gpsd
      type=SOFTWARE_UPDATE msg=audit(1700052600.159:110): pid=7070 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="gpsd-minimal-1:3.25-4.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="yum" exe="/usr/bin/python3.9" hostname=dell-per740-29.rhts.eng.pek2.redhat.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"
      type=SOFTWARE_UPDATE msg=audit(1700052630.015:116): pid=7310 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="gpsd-minimal-clients-1:3.25-4.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="yum" exe="/usr/bin/python3.9" hostname=dell-per740-29.rhts.eng.pek2.redhat.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"
      type=AVC msg=audit(1700052658.661:120): avc:  denied  { getattr } for  pid=7502 comm="gpsd" path="/dev/gnss0" dev="devtmpfs" ino=439 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnss_device_t:s0 tclass=chr_file permissive=0
      type=SYSCALL msg=audit(1700052658.661:120): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=4a4308 a2=7ffec68770e0 a3=0 items=0 ppid=1987 pid=7502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

      Please provide the package NVR for which bug is seen:

      # rpm -qa selinux*
      selinux-policy-38.1.26-1.el9.noarch
      selinux-policy-targeted-38.1.26-1.el9.noarch

      How reproducible:

      always

      Steps to reproduce

      1.  
      2.  
      3.  

      Expected results

      gpsd shouldn't be blocked by selinux

      Actual results

      gpsd is blocked by selinux
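
Added example (not part of the original report and not Red Hat's tooling): a small Python parser for audit records like those quoted above. It skips non-AVC noise, joins each AVC denial to its SYSCALL record by audit event ID, and names the allow rule the loaded policy lacks. The function names and the trimmed sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: the AVC record is copied from the report above; the
# SOFTWARE_UPDATE and SYSCALL records are trimmed copies (fields dropped).
SAMPLE = """\
type=SOFTWARE_UPDATE msg=audit(1700052600.159:110): pid=7070 uid=0 msg='op=install sw="gpsd-minimal-1:3.25-4.el9.x86_64"'
type=AVC msg=audit(1700052658.661:120): avc:  denied  { getattr } for  pid=7502 comm="gpsd" path="/dev/gnss0" dev="devtmpfs" ino=439 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnss_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1700052658.661:120): arch=c000003e syscall=262 success=no exit=-13 comm="gpsd" exe="/usr/sbin/gpsd" SYSCALL=newfstatat
"""

EVENT = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def selinux_type(context):
    # A context is user:role:type:level; only the level may contain more colons.
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    syscalls = {}   # event id -> syscall name taken from the SYSCALL record
    denials = []    # kept for a second pass: SYSCALL follows AVC in the log
    for line in log_text.splitlines():
        line = line.strip()
        ev = EVENT.match(line)
        if not ev:
            continue
        rtype, event_id = ev.groups()
        if rtype == "SYSCALL":
            m = re.search(r"\bSYSCALL=(\w+)", line)
            syscalls[event_id] = m.group(1) if m else "unknown"
        elif rtype == "AVC" and (m := AVC.search(line)):
            path = re.search(r'path="([^"]*)"', line)
            denials.append((event_id, m.group(1).split(), selinux_type(m.group(2)),
                            selinux_type(m.group(3)), m.group(4), path))
    out = defaultdict(lambda: {"perms": set(), "syscalls": set(), "paths": set()})
    for event_id, perms, stype, ttype, tclass, path in denials:
        entry = out[(stype, ttype, tclass)]
        entry["perms"].update(perms)
        entry["syscalls"].add(syscalls.get(event_id, "unknown"))
        if path:
            entry["paths"].add(path.group(1))
    return dict(out)

def missing_rules(log_text):
    # Render each group in policy "allow" syntax to name the absent rule.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
            for (s, t, c), e in sorted(summarize(log_text).items())]
```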

            rhn-support-zpytela Zdenek Pytela
            yalli 亚霖 李
            Nikola Kňažeková Nikola Kňažeková (Inactive)
            Milos Malik Milos Malik