SELinux is preventing /usr/libexec/geoclue from search access on the directory 3617: what to do?

Josh Guertler
Posts: 4
Joined: 2021/01/01 19:05:48

SELinux is preventing /usr/libexec/geoclue from search access on the directory 3617: what to do?

Post by Josh Guertler » 2022/03/13 18:00:05

I've seen a lot of people report this bug, but no one has announced a solution.

I'm using CentOS 7 (kernel 3.10.0-1160.59.1.el7.x86_64).

I'm very new to SELinux. Can anyone help me get around this error?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: SELinux is preventing /usr/libexec/geoclue from search access on the directory 3617: what to do?

Post by jlehtone » 2022/03/13 18:23:36

What do you get with sudo cat /var/log/audit/audit.log | audit2why ?

Josh Guertler
Posts: 4
Joined: 2021/01/01 19:05:48

Re: SELinux is preventing /usr/libexec/geoclue from search access on the directory 3617: what to do?

Post by Josh Guertler » 2022/03/13 18:52:21

Here's what I got when I ran the command you recommended:

type=USER_AVC msg=audit(1647101411.530:1318): pid=1486 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.52 spid=29197 tpid=3204 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1647101411.681:1319): avc: denied { search } for pid=29359 comm="geoclue" name="29197" dev="proc" ino=182623 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1647101431.030:1322): avc: denied { search } for pid=29845 comm="geoclue" name="29197" dev="proc" ino=182623 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=USER_AVC msg=audit(1647102384.415:1425): pid=1486 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.52 spid=31516 tpid=3204 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1647102384.551:1426): avc: denied { search } for pid=31675 comm="geoclue" name="31516" dev="proc" ino=197844 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1647102592.486:1443): avc: denied { search } for pid=32547 comm="geoclue" name="31516" dev="proc" ino=197844 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1647103442.322:1489): avc: denied { search } for pid=33401 comm="geoclue" name="31516" dev="proc" ino=197844 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=USER_AVC msg=audit(1647144675.488:192): pid=1477 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.41 spid=3617 tpid=3026 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1647144675.630:193): avc: denied { search } for pid=3763 comm="geoclue" name="3617" dev="proc" ino=87064 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1647145876.732:228): avc: denied { search } for pid=5084 comm="geoclue" name="3617" dev="proc" ino=87064 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1647196876.670:11): avc: denied { unlink } for pid=982 comm="systemd-readahe" name=".readahead" dev="dm-0" ino=433985 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1647197388.748:210): pid=1489 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.40 spid=4528 tpid=3020 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1647197388.889:211): avc: denied { read } for pid=4687 comm="geoclue" name="cgroup" dev="proc" ino=90473 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.
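A small triage script, added here as an example (it is not from either participant in this thread nor from the SELinux tooling), that does by hand what one would otherwise read off the audit2why output above: it parses AVC and USER_AVC records, groups denials by source type, target type and object class, renders them as audit2allow-style allow rules, and resolves the "directory 3617" in the thread title. That number is a directory under /proc, so it is the PID of a process; the USER_AVC record quoted above shows spid=3617 running in unconfined_service_t, the same domain as the tcontext of the geoclue denial. The sample log is constructed from the lines quoted in this thread; the regexes and function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: five records modelled on the audit.log lines quoted in this thread.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1647144675.488:192): pid=1477 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.41 spid=3617 tpid=3026 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1647144675.630:193): avc: denied { search } for pid=3763 comm="geoclue" name="3617" dev="proc" ino=87064 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647145876.732:228): avc: denied { search } for pid=5084 comm="geoclue" name="3617" dev="proc" ino=87064 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647196876.670:11): avc: denied { unlink } for pid=982 comm="systemd-readahe" name=".readahead" dev="dm-0" ino=433985 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1647197388.889:211): avc: denied { read } for pid=4687 comm="geoclue" name="cgroup" dev="proc" ino=90473 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=0
"""

_HEAD = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
# Real audit.log lines use two spaces ("avc:  denied  { search }"); \s+ accepts both forms.
_AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_avc(line):
    """Parse one AVC or USER_AVC record into a flat dict; return None for anything else."""
    head = _HEAD.match(line)
    avc = _AVC.search(line)
    if not head or not avc:
        return None
    rec = head.groupdict()
    rec["perms"] = avc.group("perms").split()
    for key, val in _KV.findall(avc.group("rest")):
        # comm="geoclue" -> geoclue; also drops the closing quote of the USER_AVC msg='...' field
        rec[key] = val.strip("\"'")
    return rec


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def domain(context):
    """Type field of a context: system_u:system_r:geoclue_t:s0 -> geoclue_t."""
    return context.split(":")[2]


def summarize(records):
    """Group denials by (source type, target type, class) with the distinct permissions seen,
    how often, and whether at least one instance was actually enforced (permissive=0)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "enforced": False})
    for r in records:
        g = groups[(domain(r["scontext"]), domain(r["tcontext"]), r["tclass"])]
        g["count"] += 1
        g["perms"].update(r["perms"])
        g["enforced"] = g["enforced"] or r.get("permissive") == "0"
    return dict(groups)


def te_rules(summary):
    """Render each group as an audit2allow-style TE rule. This only mirrors the shape of
    audit2allow's output; run the real tool before building a module."""
    rules = []
    for (src, tgt, cls), g in sorted(summary.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perms};")
    return rules


def explain_proc_dirs(records):
    """Resolve 'directory <number>' denials: a search denied on a dir with dev="proc" and a
    numeric name is an attempt to enter /proc/<pid>. The tcontext is that process's domain,
    and a USER_AVC from dbus-daemon with spid=<pid> identifies the same process as a bus client."""
    senders = {r["spid"]: domain(r["scontext"])
               for r in records if r["type"] == "USER_AVC" and "spid" in r}
    out = {}
    for r in records:
        if (r["type"] == "AVC" and r.get("dev") == "proc"
                and r.get("tclass") == "dir" and r.get("name", "").isdigit()):
            out[r["name"]] = {"subject": r.get("comm"),
                              "target_domain": domain(r["tcontext"]),
                              "seen_on_dbus_as": senders.get(r["name"])}
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    summary = summarize(recs)
    for key, g in sorted(summary.items()):
        state = "enforced" if g["enforced"] else "permissive or not a kernel AVC"
        print(key, g["count"], sorted(g["perms"]), state)
    print("\n".join(te_rules(summary)))
    for pid, info in explain_proc_dirs(recs).items():
        print(f"/proc/{pid} is a {info['target_domain']} process; "
              f"{info['subject']} tried to search it; on dbus it was {info['seen_on_dbus_as']}")
```

Run it against a real file with `sudo cat /var/log/audit/audit.log` piped into `parse_log`. The rule it renders for the geoclue case, `allow geoclue_t unconfined_service_t:dir search;`, is what a local audit2allow module would contain, but note what it grants: unconfined_service_t is the domain systemd gives a service that has no policy of its own, so such a rule lets geoclue look into the /proc entry of any such service, not just the one at PID 3617. Whether to load that rule, dontaudit it, or instead give the unconfined service a proper domain is the decision the denial is really asking for.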

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: SELinux is preventing /usr/libexec/geoclue from search access on the directory 3617: what to do?

Post by jlehtone » 2022/03/14 21:56:30

Searching the web for "geoclue selinux" gives multiple bugzilla.redhat.com (Fedora) entries (like https://bugzilla.redhat.com/show_bug.cgi?id=1358558 ) and even one in bugs.centos.org: https://bugs.centos.org/view.php?id=13878

The comment on some earlier entries:
"Possible mismatch between current in-memory boolean settings vs. permanent ones."
means that the SELinux config has been modified after those entries were generated.
