Bug 1460481
| Summary: | SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | cww, dapospis, lvrabec, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, seb, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 10:00:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1477664 | ||
We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. (In reply to Lukas Vrabec from comment #4) > We're going to close this bug as WONTFIX because > > * of limited capacity of selinux-policy developers > * the bug is related to EPEL component or 3rd party SW only > * the bug appears in unsupported configuration > > We believe this bug can be fixed via a local policy module. > For more information please see: > > * > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ > html/selinux_users_and_administrators_guide/sect-security-enhanced_linux- > troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems- > Allowing_Access_audit2allow > > If you disagree, please re-open the bug. I am sorry, but this is not acceptable at all! RHEL ships the SELinux policy and covers with it 3rd party software. This is the old discussion, I already had with Dan Walsh years ago. From my point of view, Red Hat either needs to fix the SELinux policy when shipping policy modules affecting any 3rd party software, or ship a reduced set of the SELinux policy to only cover exactly the software shipped in RHEL. But as of writing, RHEL ships a SELinux policy covering both, but with the point that you, Red Hat, are now obviously even reluctant to fix issues in packages that are shipped with your product, RHEL. Cross-filed ticket 01951073 on the Red Hat customer portal. Robert, let's discuss how we can help you with this bugzilla. The point is that we are not able to support all 3rd party SW or EPEL pkgs from SELinux point of view even if there is a connection to the RHEL distribution policy. If we ship a policy for a service we are not able to predict that it affects or will affect 3rd party SW or EPEL in all cases. What can we do? We can help you with writing a local policy using our documentation, tools or discussions. Or we can cooperate on writing a new policy for tlp (if it makes sense) via pull requests on https://github.com/fedora-selinux. Often the point is the transition between confined and unconfined, right? I would like to see a better more general approach in such cases, rather writing yet another SELinux module/policy for yet another third party software. A confined domain leads to negative impact to an unconfined domain in this case. I personally even do not care that tlp is running unconfined, but SELinux does once it uses ethtool etc. And this is what I treat as issue. Not solved as per selinux-policy-3.13.1-192.el7_5.3 :-( Not solved in selinux-policy-3.14.1-32.fc28.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |
Description of problem: type=AVC msg=audit(1495147151.891:174): avc: denied { write } for pid=2741 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1495147151.891:174): arch=c000003e syscall=59 success=yes exit=0 a0=1f1d5a0 a1=1e541f0 a2=1e58720 a3=7fffd80779e0 items=0 ppid=2687 pid=2741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/sbin/iw" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1495147151.902:175): avc: denied { write } for pid=2744 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1495147151.902:175): arch=c000003e syscall=59 success=yes exit=0 a0=1f153f0 a1=1e541f0 a2=1e58720 a3=7fffd8077f70 items=0 ppid=2687 pid=2744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null) type=USER_START msg=audit(1495147152.470:176): pid=2776 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success' type=AVC msg=audit(1495147181.027:177): avc: denied { write } for pid=2924 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1495147181.027:177): arch=c000003e syscall=59 success=yes exit=0 a0=17b3650 a1=16ee200 a2=16f2740 a3=7ffd66bf8680 items=0 ppid=2888 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/sbin/iw" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1495147181.034:178): avc: denied { write } for pid=2927 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1495147181.034:178): arch=c000003e syscall=59 success=yes exit=0 a0=17b55c0 a1=16ee200 a2=16f2740 a3=7ffd66bf8c10 items=0 ppid=2888 pid=2927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null) Version-Release number of selected component (if applicable): selinux-policy-targeted-3.13.1-102.el7_3.16.noarch How reproducible: Everytime, see above and below. Basically a system with GUI and tlp. Actual results: SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw). Expected results: No AVC denied.