Bug 1705246

Summary: SELinux is preventing cat from 'read' accesses on the file last_pwr.
Product: [Fedora] Fedora
Reporter: Michael <michael.scheiffler>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 30
CC: antoniopassarelli, artur.tanistra, blackdout, Claude.Frantz, dwalsh, goodmirek, jonha87, luca.botti, lvrabec, marinodiego.96+redhat, me, mgrepl, mmalik, plautrba, zpytela
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:8a36d62055c24f0cfe80ca2d71e0484d0b5d861d81b1b30eed10f36df8fcf448;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.3-37.fc30
Last Closed: 2019-05-21 01:09:37 UTC

Description Michael 2019-05-01 19:44:14 UTC
Description of problem:
Happened after reboot
SELinux is preventing cat from 'read' accesses on the file last_pwr.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cat should be allowed read access on the last_pwr file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cat' --raw | audit2allow -M my-cat
# semodule -X 300 -i my-cat.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                last_pwr [ file ]
Source                        cat
Source Path                   cat
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.0.9-301.fc30.x86_64 #1 SMP Tue
                              Apr 23 23:57:35 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-05-01 17:49:43 CEST
Last Seen                     2019-05-01 21:39:40 CEST
Local ID                      d5fef40c-b905-430c-8b82-b1f8935a5a80

Raw Audit Messages
type=AVC msg=audit(1556739580.95:304): avc:  denied  { read } for  pid=2336 comm="cat" name="last_pwr" dev="tmpfs" ino=20309 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: cat,tlp_t,var_run_t,file,read


Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.9-301.fc30.x86_64
type:           libreport

Potential duplicate: bug 1614546

Comment 3 Zdenek Pytela 2019-05-02 08:31:20 UTC
Hi,

The context for the file can be restored to the default one with

restorecon -Rv /run

However, the last_pwr file is expected to be created with correct context without any user interaction. Do you know what happened on your system? Is it reproducible?

Comment 4 Michael 2019-05-02 08:41:57 UTC
This happens (almost?) all the time after a boot of the system and after a wake up from sleep.
Restoring the context is only a temporary fix. It's getting bad again.

Actually, there are multiple problems in conjunction with TLP and SELinux:
https://bugzilla.redhat.com/show_bug.cgi?id=1645313
https://bugzilla.redhat.com/show_bug.cgi?id=1705246
https://bugzilla.redhat.com/show_bug.cgi?id=1705247

Usually 3 SELinux notifications are shown after boot.

Comment 5 Michael 2019-05-02 08:54:59 UTC
This one seems to be directly related as well:
https://bugzilla.redhat.com/show_bug.cgi?id=1689186

Comment 6 Milos Malik 2019-05-02 11:59:12 UTC
I'm not sure how systemd-udev works exactly, but here is an idea:

# rpm -qf /usr/lib/udev/rules.d/85-tlp.rules
tlp-1.2.1-1.fc29.noarch
# grep RUN /usr/lib/udev/rules.d/85-tlp.rules
ACTION=="change", SUBSYSTEM=="power_supply", RUN+="/usr/sbin/tlp auto"
ACTION=="add", SUBSYSTEM=="usb", DRIVER=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/lib/udev/tlp-usb-udev %p"
#

If power_supply change event happens then the systemd-udevd process executes /usr/sbin/tlp:

# matchpathcon /usr/sbin/tlp
/usr/sbin/tlp	system_u:object_r:tlp_exec_t:s0
# sesearch -s udev_t -t tlp_exec_t -T
#

but there is no transition from udev_t to tlp_t. Therefore the tlp process runs as udev_t and the newly created /var/run/tlp is created with a wrong label:

# sesearch -s udev_t -t var_run_t -c dir -T

Found 1 named file transition filename_trans:
type_transition udev_t var_run_t : dir udev_var_run_t "udev"; 

#

That would explain why the /var/run/tlp directory is labeled incorrectly and why all files inside are also labeled incorrectly, because they inherit the label from the directory.

Comment 7 Zdenek Pytela 2019-05-07 13:20:20 UTC
Created a PR to address the issue:

https://github.com/fedora-selinux/selinux-policy/pull/263

Comment 8 Zdenek Pytela 2019-05-07 13:20:35 UTC
*** Bug 1689186 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2019-05-07 13:21:15 UTC
*** Bug 1705247 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2019-05-07 13:22:43 UTC
*** Bug 1645313 has been marked as a duplicate of this bug. ***

Comment 11 Michael 2019-05-09 16:49:05 UTC
How can I test that submitted patch locally?

Comment 12 Zdenek Pytela 2019-05-13 12:29:21 UTC
Hi,

You need to build the selinux-policy package with a patch made off the PR. I will attach the build once I have it ready if you are interested. However, a local policy module should add almost the same set of rules:

echo '(allow udev_t tlp_exec_t (file ( getattr open map read execute ioctl execute_no_trans )))
(allow udev_t tlp_t (process (transition )))' > tlp_domtrans.cil
semodule -i tlp_domtrans.cil

Comment 13 Mirek Svoboda 2019-05-14 06:29:52 UTC
Description of problem:
TLP and kernel 5.1.1-300 present. Performed dnf update and issue happened after reboot.

Version-Release number of selected component:
selinux-policy-3.14.3-35.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.1-300.fc30.x86_64
type:           libreport

Comment 14 Milos Malik 2019-05-14 06:39:34 UTC
# cat tlp_domtrans.cil
( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
( allow udev_t tlp_t (process (transition )))
( typetransition udev_t tlp_exec_t process tlp_t )
# semodule -i tlp_domtrans.cil
#

Comment 15 Michael 2019-05-14 17:24:23 UTC
So what's the (more) correct one of the two suggested solutions?

a:
(allow udev_t tlp_exec_t (file ( getattr open map read execute ioctl execute_no_trans )))
(allow udev_t tlp_t (process (transition )))

b:
( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
( allow udev_t tlp_t (process (transition )))
( typetransition udev_t tlp_exec_t process tlp_t )

Or are those equivalent?

Comment 16 Michael 2019-05-14 17:48:12 UTC
I tested both proposed solutions. Here are my results...


a)
(allow udev_t tlp_exec_t (file ( getattr open map read execute ioctl execute_no_trans )))
(allow udev_t tlp_t (process (transition )))

I rebooted the machine two times, plugged AC in/out two times, and for me it seems to fix the problem(s).
However I cannot give it any kind of rating from a security point of view.


b)
( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
( allow udev_t tlp_t (process (transition )))
( typetransition udev_t tlp_exec_t process tlp_t )

After plugging out AC, the SELinux Troubleshooter goes wild and reports this multiple times:
================================================================================================

SELinux is preventing tlp from 'write' accesses on the fifo_file fifo_file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tlp should be allowed write access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0-s0:c0.c1023
Target Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Objects                fifo_file [ fifo_file ]
Source                        tlp
Source Path                   tlp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-35.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.0.14-300.fc30.x86_64 #1 SMP Thu
                              May 9 10:43:38 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-05-14 19:37:57 CEST
Last Seen                     2019-05-14 19:38:05 CEST
Local ID                      74862ee9-b494-47e1-bde9-3d21070768fc

Raw Audit Messages
type=AVC msg=audit(1557855485.502:350): avc:  denied  { write } for  pid=4105 comm="tlp" path="pipe:[69148]" dev="pipefs" ino=69148 scontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0


Hash: tlp,tlp_t,udev_t,fifo_file,write
================================================================================================


In between testing, I disabled and removed the other tlp_domtrans module.

Comment 17 Youssef 2019-05-14 19:50:50 UTC
Description of problem:
I installed TLP from the repos. I get these SELinux denials when I switch from AC to battery.

Version-Release number of selected component:
selinux-policy-3.14.3-35.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.13-300.fc30.x86_64
type:           libreport

Comment 18 Lukas Vrabec 2019-05-15 06:31:39 UTC
commit e1f5a83aba2f96b2cd2bc583ebc093d74d3e1067 (HEAD -> rawhide, origin/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Tue May 7 15:16:24 2019 +0200

    Allow transition from udev_t to tlp_t BZ(1705246)

Comment 19 Zdenek Pytela 2019-05-15 06:58:09 UTC
Youssef,

Thank you for testing, actually this permission is also missing in the proposed cil module which rather should read:

( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
( allow udev_t tlp_t ( process (transition )))
( typetransition udev_t tlp_exec_t process tlp_t )
( allow tlp_t udev_t ( fifo_file ( append getattr ioctl lock read write )))

but is present in the new policy build so it should be fixed with the very next selinux-policy package update.
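
The two raw AVC records quoted in this report, parsed and triaged, as an added example that is not part of the original thread or of setroubleshoot. The names parse_avc, troubleshoot_hash, triage and GENERIC_TYPES are hypothetical, the hash layout is inferred from the "Hash:" lines in the report, and the triage rules are an illustrative heuristic.

```python
import re

# The two raw AVC records quoted in this report (description and comment 16).
AVC_LAST_PWR = (
    'type=AVC msg=audit(1556739580.95:304): avc:  denied  { read } for  pid=2336 '
    'comm="cat" name="last_pwr" dev="tmpfs" ino=20309 '
    'scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=file permissive=0')
AVC_FIFO = (
    'type=AVC msg=audit(1557855485.502:350): avc:  denied  { write } for  pid=4105 '
    'comm="tlp" path="pipe:[69148]" dev="pipefs" ino=69148 '
    'scontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0')

# Assumption: illustrative subset of generic base types; extend for your policy.
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_lib_t", "var_log_t", "etc_t", "usr_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')

def parse_avc(line):
    """Split one AVC denial into its key=value fields, permissions and context parts."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    for side in ("scontext", "tcontext"):
        # user:role:type:level; the level may contain further colons, so slice.
        rec[side + "_role"], rec[side + "_type"] = rec[side].split(":")[1:3]
    return rec

def troubleshoot_hash(rec):
    """comm,source type,target type,class,perms: the shape of the report's 'Hash:' lines."""
    return ",".join([rec["comm"], rec["scontext_type"], rec["tcontext_type"],
                     rec["tclass"], *rec["perms"]])

def triage(rec):
    """Hypothetical heuristic: say what to investigate before writing an allow rule."""
    if rec["tcontext_role"] == "object_r" and rec["tcontext_type"] in GENERIC_TYPES:
        return "mislabeled-object"      # find the creating domain / missing transition
    if rec["tcontext_role"] != "object_r" and rec["tclass"] == "fifo_file":
        return "inherited-pipe"         # pipe owned by another process domain
    return "review-manually"

if __name__ == "__main__":
    for line in (AVC_LAST_PWR, AVC_FIFO):
        rec = parse_avc(line)
        print(troubleshoot_hash(rec), "->", triage(rec))
```

A mislabeled-object result points at the domain that created the file, which comment 6 traced to the missing udev_t to tlp_t transition; an inherited-pipe result corresponds to the fifo_file rule added in comment 19.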

Comment 20 Artur T. 2019-05-17 05:04:43 UTC
Description of problem:
Thinkpad t480.
When TLP starting.

Version-Release number of selected component:
selinux-policy-3.14.3-35.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.x86_64
type:           libreport

Comment 21 Zdenek Pytela 2019-05-17 07:26:36 UTC
Artur,

the updated selinux-policy package with the fix has not been released yet, but should be available soon.

Comment 22 Lukas Vrabec 2019-05-17 08:29:28 UTC
We have Fedora selinux-policy nightly builds where this issue is fixed:

https://copr-be.cloud.fedoraproject.org/results/lvrabec/selinux-policy-nightly/fedora-30-x86_64/00910085-selinux-policy/

You can use this build before the new release of selinux-policy in Fedora.

Comment 23 Fedora Update System 2019-05-18 11:03:33 UTC
selinux-policy-3.14.3-37.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-40c077f70d

Comment 24 Fedora Update System 2019-05-19 00:51:05 UTC
selinux-policy-3.14.3-37.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-40c077f70d

Comment 25 Fedora Update System 2019-05-21 01:09:37 UTC
selinux-policy-3.14.3-37.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Claude Frantz 2019-05-22 04:56:00 UTC
Description of problem:
While booting

Version-Release number of selected component:
selinux-policy-3.14.1-54.fc28.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.i686
type:           libreport

Comment 27 Diego Marino 2019-07-13 10:10:22 UTC
Description of problem:
Installed tlp;
Connected the laptop to power;

Version-Release number of selected component:
selinux-policy-3.14.3-40.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Comment 28 antoniopassarelli 2020-02-22 07:18:19 UTC
Similar problem has been detected:

warning appears after installation of tlp

hashmarkername: setroubleshoot
kernel:         5.4.17-100.fc30.x86_64
package:        selinux-policy-3.14.3-55.fc30.noarch
reason:         SELinux is preventing tlp from 'write' accesses on the file last_pwr.
type:           libreport