Bug 1510249
| Summary: | SELinux is preventing tlp from 'write' accesses on the file lock_tlp. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ed Marshall <esm> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | alex.go4more, arcblatt, arsalanrezazadeh4, boolacesandy, bugzilla.redhat.com, bugzilla, davidprush, dwalsh, evfirerob, fis4u96, ivan.kupalov, jonha87, jturner, luca.botti, lvrabec, mgrepl, michael.scheiffler, mikesh07mail, patlei99, pbravo, plautrba, pmoore, redhat, sebix+fedoraproject.org, speedoctor, stephenfin, tgvita, zach.jorgey7, zethan191, zhopkins0 |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:0fe6c4e97436995837796a159e94e5bf41eeff550034b3d27b5762ed6d084fbd;VARIANT_ID=workstation; | | |
| Fixed In Version: | selinux-policy-3.13.1-283.16.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-10 20:57:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description of problem:
Unlocked my screen.
Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.13.12-300.fc27.x86_64
type: libreport

selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
1. Install run `dnf install tlp`
2. Edit `/etc/defaults/tlp`
3. Change `WIFI_PWD_ON_BAT` to `WIFI_PWD_ON_BAT=off`
4. Run `systemctl restart tlp`
Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.13.16-300.fc27.x86_64
type: libreport

Description of problem:
Installed TLP (dnf install tlp), started it (sudo tlp start) to have enhanced battery saving on my laptop. Then I received this SELinux alert if I want to trust TLP. I think TLP can be allowed to have write access, right?
Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.14.14-300.fc27.x86_64
type: libreport

Description of problem:
I was doing nothing specifically related to TLP. Perhaps it was triggered by unlocking the screen?
Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.14.14-300.fc27.x86_64
type: libreport

Description of problem:
When I go to AC adapter mode from battery mode or go to battery mode to AC mode then this error shows up in tlp. When I run tlp stat in terminal then this following is shown:
```
+++ Warnings
* Kernel log shows ata errors (1) possibly caused by the configuration
  SATA_LINKPWR_ON_AC/BAT=min_power or medium_power.
  Consider using medium_power or max_performance instead.
  See the FAQ: http://linrunner.de/en/tlp/docs/tlp-faq.html#warnings
  Details:
  [ 56.375217] ata2: SError: { PHYRdyChg CommWake }
  [ 56.375221] ata2.00: failed command: READ FPDMA QUEUED
  [ 56.375229] ata2.00: cmd 60/20:68:28:14:8e/00:00:0e:00:00/40 tag 13 ncq dma 16384 in
           res 50/00:03:00:00:00/00:00:00:00:00/a0 Emask 0x10 (ATA bus error)
  [ 56.375232] ata2.00: status: { DRDY }
  [ 56.375237] ata2: hard resetting link
```
Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.14.16-300.fc27.x86_64
type: libreport

Description of problem:
after resuming from standby
Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.14.16-300.fc27.x86_64
type: libreport

Description of problem:
The error occurred after setting laptop to sleep mode.
Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.14.16-300.fc27.x86_64
type: libreport

Description of problem:
I did two things today:
1) I updated my system to the latest updates from the official repositories
2) I installed smartmontools because tlp-stat suggested me to do so
Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.3-300.fc27.x86_64
type: libreport

To fix (temporarily at least):
sudo restorecon -R -v /run/tlp
I don't know why the labels get lost on these files.

Description of problem:
Suspended laptop and then woke it up.
Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.6-300.fc27.x86_64
type: libreport

Description of problem:
Fedora 27 (SELinux installed by default)
Installed TLP using dnf.
> dnf install tlp
Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.6-300.fc27.x86_64
type: libreport

Description of problem:
Popping up on first-boot.
Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.9-300.fc27.x86_64
type: libreport

Description of problem:
Steps:
- Install Fedora
- Install TLP
- Put laptop to sleep
- Wake laptop up
- SELinux notification with alert appears
Laptop: HP Probook G4
Version-Release number of selected component:
selinux-policy-3.13.1-283.28.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.10-300.fc27.x86_64
type: libreport

*** Bug 1564660 has been marked as a duplicate of this bug. ***

*** Bug 1564722 has been marked as a duplicate of this bug. ***

Description of problem:
I installed tlp, then started getting selinux alerts. I did not change any configurations after install. I am using a thinkpad t450s.
Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.12-301.fc27.x86_64
type: libreport

(In reply to zach.jorgey7 from comment #19)
> Description of problem:
> I installed tlp, then started getting selinux alerts. I did not change any
> configurations after install. I am using a thinkpad t450s.
>
> Version-Release number of selected component:
> selinux-policy-3.13.1-283.30.fc27.noarch
>
> Additional info:
> reporter: libreport-2.9.3
> hashmarkername: setroubleshoot
> kernel: 4.15.12-301.fc27.x86_64
> type: libreport

problem still persists, same symptom and environment (selinux-policy-3.13.1-283.30.fc27)

Description of problem:
After booting I got the denial shown. When applying the proposed solution, I get another denial for the process flock which also tries to lock this file
Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.17-300.fc27.x86_64
type: libreport

Description of problem:
I installed TLP and got this warning from SETroubleshoot.
Version-Release number of selected component:
selinux-policy-3.13.1-283.34.fc27.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.17-300.fc27.x86_64
type: libreport

Description of problem:
On wake-up error message came up.
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.16.5-200.fc27.x86_64
type: libreport

With selinux-policy-3.13.1-283.34.fc27.noarch the problem still exists. So I reopen the bug.

*** This bug has been marked as a duplicate of bug 1586329 ***

this bug already state on F28 and always tlp service failed in bootup.

Description of problem:
```
SELinux is preventing tlp from 'write' accesses on the file lock_tlp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tlp should be allowed write access on the lock_tlp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                lock_tlp [ file ]
Source                        tlp
Source Path                   tlp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.14.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.11-300.fc27.x86_64 #1 SMP Thu Nov 2 18:20:29 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-11-06 17:50:00 PST
Last Seen                     2017-11-06 17:50:00 PST
Local ID                      fe05ff08-cf0e-4309-abf8-f17f69e55bf4

Raw Audit Messages
type=AVC msg=audit(1510019400.859:252): avc: denied { write } for pid=2663 comm="tlp" name="lock_tlp" dev="tmpfs" ino=31656 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Hash: tlp,tlp_t,var_run_t,file,write
```
Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch
Additional info:
component: selinux-policy
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.13.11-300.fc27.x86_64
type: libreport

Potential duplicate: bug 1474389
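
A triage check for the denial above, as an added example that is not part of the bug report or of selinux-policy: it parses raw AVC records and flags denials whose target carries a generic label, where checking the file's labelling comes before generating a local module with `audit2allow`. The `GENERIC_TYPES` set, the function names and the advice strings are assumptions made for this example; the first sample record is the one quoted in this report, the second is constructed.

```python
import re

# Generic file types: a target labelled with one of these usually never got a
# specific label. The set is an assumption of this example, not policy data.
GENERIC_TYPES = {"var_run_t", "tmp_t", "default_t", "unlabeled_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Raw audit record quoted in this report.
REPORT_AVC = ('type=AVC msg=audit(1510019400.859:252): avc: denied { write } '
              'for pid=2663 comm="tlp" name="lock_tlp" dev="tmpfs" ino=31656 '
              'scontext=system_u:system_r:tlp_t:s0 '
              'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0')
# Constructed record with hypothetical types, for contrast.
CONSTRUCTED_AVC = ('type=AVC msg=audit(1510019401.000:253): avc:  denied  { read } '
                   'for  pid=2700 comm="exampled" name="example.conf" dev="dm-0" '
                   'ino=1234 scontext=system_u:system_r:example_t:s0 '
                   'tcontext=system_u:object_r:example_conf_t:s0 tclass=file '
                   'permissive=0')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    for side in ("scontext", "tcontext"):
        # A context is user:role:type:level; the type is always the third field.
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def triage(line):
    """Return (key, advice); key uses the field order of the report's Hash line."""
    rec = parse_avc(line)
    if rec is None:
        return None
    key = ",".join([rec.get("comm", "?"), str(rec["scontext_type"]),
                    str(rec["tcontext_type"]), rec.get("tclass", "?"), *rec["perms"]])
    if rec["tcontext_type"] in GENERIC_TYPES:
        return key, "check-labels"   # compare with `restorecon -n -v <path>` first
    return key, "review-policy"      # label is specific; the rule itself is in question

if __name__ == "__main__":
    for sample in (REPORT_AVC, CONSTRUCTED_AVC):
        print(triage(sample))
```

The `check-labels` result for the reported record is consistent with the thread: the target is `var_run_t` on tmpfs, and one commenter found that `restorecon -R -v /run/tlp` cleared the alert temporarily.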