Bug 1808527

Summary: SELinux prevents usbguard from logging via Linux audit subsystem
Product: [Fedora] Fedora
Component: usbguard
Version: 32
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Milos Malik <mmalik>
Assignee: Daniel Kopeček <dkopecek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dkopecek, rsroka
Fixed In Version: usbguard-0.7.8-1.fc32 usbguard-0.7.8-1.fc31
Last Closed: 2020-07-03 01:18:25 UTC
Type: Bug

Description Milos Malik 2020-02-28 18:07:55 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-28.fc32.noarch
selinux-policy-targeted-3.14.5-28.fc32.noarch
usbguard-0.7.6-8.fc32.x86_64
usbguard-selinux-0.7.6-8.fc32.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 32 machine (targeted policy is active)
2. set 'AuditBackend=LinuxAudit' in /etc/usbguard/usbguard-daemon.conf
3. restart the usbguard service
4. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(02/28/2020 13:04:25.622:475) : proctitle=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf 
type=SYSCALL msg=audit(02/28/2020 13:04:25.622:475) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=igp a3=0x20 items=0 ppid=1 pid=2181 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbguard-daemon exe=/usr/sbin/usbguard-daemon subj=system_u:system_r:usbguard_t:s0 key=(null) 
type=AVC msg=audit(02/28/2020 13:04:25.622:475) : avc:  denied  { create } for  pid=2181 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2020-02-28 18:09:43 UTC
----
type=PROCTITLE msg=audit(02/28/2020 13:08:18.364:499) : proctitle=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf 
type=SYSCALL msg=audit(02/28/2020 13:08:18.364:499) : arch=x86_64 syscall=socket success=yes exit=9 a0=netlink a1=SOCK_RAW a2=igp a3=0x20 items=0 ppid=1 pid=2217 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbguard-daemon exe=/usr/sbin/usbguard-daemon subj=system_u:system_r:usbguard_t:s0 key=(null) 
type=AVC msg=audit(02/28/2020 13:08:18.364:499) : avc:  denied  { create } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1 
----
type=PROCTITLE msg=audit(02/28/2020 13:08:18.366:500) : proctitle=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf 
type=SOCKADDR msg=audit(02/28/2020 13:08:18.366:500) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(02/28/2020 13:08:18.366:500) : arch=x86_64 syscall=sendto success=yes exit=652 a0=0x9 a1=0x7fff6cca1a80 a2=0x28c a3=0x0 items=0 ppid=1 pid=2217 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=usbguard-daemon exe=/usr/sbin/usbguard-daemon subj=system_u:system_r:usbguard_t:s0 key=(null) 
type=AVC msg=audit(02/28/2020 13:08:18.366:500) : avc:  denied  { nlmsg_relay } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1 
----
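
The AVC records from the description and from comment 1, reduced to the type-enforcement rule they imply (the same grouping audit2allow performs). This is an added example, not part of the bug report or of the usbguard policy; the function names are illustrative, and the rule it prints is what the logs ask for, not necessarily the change shipped in usbguard-0.7.8.

```python
import re
from collections import defaultdict

# AVC records copied from the report (description: enforcing; comment 1: permissive).
AVC_LINES = [
    "type=AVC msg=audit(02/28/2020 13:04:25.622:475) : avc:  denied  { create } for  pid=2181 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=0",
    "type=AVC msg=audit(02/28/2020 13:08:18.364:499) : avc:  denied  { create } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1",
    "type=AVC msg=audit(02/28/2020 13:08:18.366:500) : avc:  denied  { nlmsg_relay } for  pid=2217 comm=usbguard-daemon scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:system_r:usbguard_t:s0 tclass=netlink_audit_socket permissive=1",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        # An SELinux context is user:role:type:level; the rule needs the type.
        "source": m.group("scon").split(":")[2],
        "target": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }

def missing_rules(lines):
    """Merge denied permissions per (source, target, class) into allow rules."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def only_seen_permissive(lines):
    """Permissions denied only in permissive runs: enforcing mode never reached them."""
    recs = [r for r in map(parse_avc, lines) if r]
    enforcing = {p for r in recs if not r["permissive"] for p in r["perms"]}
    return sorted({p for r in recs if r["permissive"] for p in r["perms"]} - enforcing)

if __name__ == "__main__":
    print("\n".join(missing_rules(AVC_LINES)))
    print("hidden by enforcing mode:", only_seen_permissive(AVC_LINES))
```

The second function shows why the permissive run in comment 1 matters: in enforcing mode the daemon fails at `socket()` and the `nlmsg_relay` denial on `sendto()` is never logged.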

Comment 2 Fedora Update System 2020-06-24 17:46:11 UTC
FEDORA-2020-f502be60a4 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-f502be60a4

Comment 3 Fedora Update System 2020-06-24 17:46:30 UTC
FEDORA-2020-c30d6afc1c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-c30d6afc1c

Comment 4 Fedora Update System 2020-06-25 00:58:35 UTC
FEDORA-2020-c30d6afc1c has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-c30d6afc1c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-c30d6afc1c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-06-25 01:04:02 UTC
FEDORA-2020-f502be60a4 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-f502be60a4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-f502be60a4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-07-03 01:18:25 UTC
FEDORA-2020-f502be60a4 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 7 Fedora Update System 2020-07-03 01:37:37 UTC
FEDORA-2020-c30d6afc1c has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.