Bug 1705246
| Summary: | SELinux is preventing cat from 'read' accesses on the file last_pwr. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michael <michael.scheiffler> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 30 | CC: | antoniopassarelli, artur.tanistra, blackdout, Claude.Frantz, dwalsh, goodmirek, jonha87, luca.botti, lvrabec, marinodiego.96+redhat, me, mgrepl, mmalik, plautrba, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:8a36d62055c24f0cfe80ca2d71e0484d0b5d861d81b1b30eed10f36df8fcf448;VARIANT_ID=workstation; | | |
| Fixed In Version: | selinux-policy-3.14.3-37.fc30 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-05-21 01:09:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Michael
2019-05-01 19:44:14 UTC
Hi,

The context for the file can be restored to the default one with

    restorecon -Rv /run

However, the last_pwr file is expected to be created with the correct context without any user interaction. Do you know what happened on your system? Is it reproducible?

This happens (almost?) all the time after a boot of the system and after a wake up from sleep. Restoring the context is only a temporary fix. It's getting bad again.

Actually, there are multiple problems in conjunction with TLP and SELinux:

https://bugzilla.redhat.com/show_bug.cgi?id=1645313
https://bugzilla.redhat.com/show_bug.cgi?id=1705246
https://bugzilla.redhat.com/show_bug.cgi?id=1705247

Usually 3 SELinux notifications are shown after boot. This one seems to be directly related as well: https://bugzilla.redhat.com/show_bug.cgi?id=1689186

I'm not sure how systemd-udev works exactly, but here is an idea:

    # rpm -qf /usr/lib/udev/rules.d/85-tlp.rules
    tlp-1.2.1-1.fc29.noarch
    # grep RUN /usr/lib/udev/rules.d/85-tlp.rules
    ACTION=="change", SUBSYSTEM=="power_supply", RUN+="/usr/sbin/tlp auto"
    ACTION=="add", SUBSYSTEM=="usb", DRIVER=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/lib/udev/tlp-usb-udev %p"
    # If power_supply change event happens then the systemd-udevd process executes /usr/sbin/tlp:
    # matchpathcon /usr/sbin/tlp
    /usr/sbin/tlp   system_u:object_r:tlp_exec_t:s0
    # sesearch -s udev_t -t tlp_exec_t -T
    # but there is no transition from udev_t to tlp_t. Therefore the tlp process runs as udev_t and the newly created /var/run/tlp is created with a wrong label:
    # sesearch -s udev_t -t var_run_t -c dir -T
    Found 1 named file transition
    filename_trans: type_transition udev_t var_run_t : dir udev_var_run_t "udev";
    # That would explain why the /var/run/tlp directory is labeled incorrectly and why all files inside are also labeled incorrectly, because they inherit the label from the directory.

Created a PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/263

*** Bug 1689186 has been marked as a duplicate of this bug. ***

*** Bug 1705247 has been marked as a duplicate of this bug. ***

*** Bug 1645313 has been marked as a duplicate of this bug. ***

How can I test that submitted patch locally?

Hi,

You need to build the selinux-policy package with a patch made off the PR. I will attach the build once I have it ready if you are interested. However, a local policy module should add almost the same set of rules:

    echo '(allow udev_t tlp_exec_t (file ( getattr open map read execute ioctl execute_no_trans )))
    (allow udev_t tlp_t (process (transition )))' > tlp_domtrans.cil
    semodule -i tlp_domtrans.cil

Description of problem:
TLP and kernel 5.1.1-300 present. Performed dnf update and issue happened after reboot.

Version-Release number of selected component:
selinux-policy-3.14.3-35.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.1.1-300.fc30.x86_64
type:           libreport

    # cat tlp_domtrans.cil
    ( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
    ( allow udev_t tlp_t (process (transition )))
    ( typetransition udev_t tlp_exec_t process tlp_t )
    # semodule -i tlp_domtrans.cil
    #

So what's the (more) correct one of the two suggested solutions?

a:

    (allow udev_t tlp_exec_t (file ( getattr open map read execute ioctl execute_no_trans )))
    (allow udev_t tlp_t (process (transition )))

b:

    ( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
    ( allow udev_t tlp_t (process (transition )))
    ( typetransition udev_t tlp_exec_t process tlp_t )

Or are those equivalent?

I tested both proposed solutions. Here are my results...

a)

    (allow udev_t tlp_exec_t (file ( getattr open map read execute ioctl execute_no_trans )))
    (allow udev_t tlp_t (process (transition )))

I rebooted the machine two times, plugged AC in/out two times, and for me it seems to fix the problem(s). However, I cannot give it any kind of rating from a security point of view.

b)

    ( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
    ( allow udev_t tlp_t (process (transition )))
    ( typetransition udev_t tlp_exec_t process tlp_t )

After plugging out AC, the SELinux Troubleshooter goes wild and reports this multiple times:

    ================================================================================================
    SELinux is preventing tlp from 'write' accesses on the fifo_file fifo_file.

    *****  Plugin catchall (100. confidence) suggests  **************************

    If you believe that tlp should be allowed write access on the fifo_file fifo_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'tlp' --raw | audit2allow -M my-tlp
    # semodule -X 300 -i my-tlp.pp

    Additional Information:
    Source Context                system_u:system_r:tlp_t:s0-s0:c0.c1023
    Target Context                system_u:system_r:udev_t:s0-s0:c0.c1023
    Target Objects                fifo_file [ fifo_file ]
    Source                        tlp
    Source Path                   tlp
    Port                          <Unknown>
    Host                          (removed)
    Source RPM Packages
    Target RPM Packages
    Policy RPM                    selinux-policy-3.14.3-35.fc30.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     (removed)
    Platform                      Linux (removed) 5.0.14-300.fc30.x86_64 #1 SMP Thu May 9 10:43:38 UTC 2019 x86_64 x86_64
    Alert Count                   18
    First Seen                    2019-05-14 19:37:57 CEST
    Last Seen                     2019-05-14 19:38:05 CEST
    Local ID                      74862ee9-b494-47e1-bde9-3d21070768fc

    Raw Audit Messages
    type=AVC msg=audit(1557855485.502:350): avc:  denied  { write } for  pid=4105 comm="tlp" path="pipe:[69148]" dev="pipefs" ino=69148 scontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

    Hash: tlp,tlp_t,udev_t,fifo_file,write
    ================================================================================================

In between testing, I disabled and removed the other tlp_domtrans module.

Description of problem:
I installed TLP from the repos. I get these SELinux denials when I switch from AC to battery.

Version-Release number of selected component:
selinux-policy-3.14.3-35.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.13-300.fc30.x86_64
type:           libreport

    commit e1f5a83aba2f96b2cd2bc583ebc093d74d3e1067 (HEAD -> rawhide, origin/rawhide)
    Author: Zdenek Pytela <zpytela>
    Date:   Tue May 7 15:16:24 2019 +0200

        Allow transition from udev_t to tlp_t

        BZ(1705246)

Youssef,

Thank you for testing, actually this permission is also missing in the proposed cil module which rather should read:

    ( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
    ( allow udev_t tlp_t ( process (transition )))
    ( typetransition udev_t tlp_exec_t process tlp_t )
    ( allow tlp_t udev_t ( fifo_file ( append getattr ioctl lock read write )))

but is present in the new policy build so it should be fixed with the very next selinux-policy package update.

Description of problem:
Thinkpad t480. When TLP is starting.

Version-Release number of selected component:
selinux-policy-3.14.3-35.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.x86_64
type:           libreport

Artur, the updated selinux-policy package with the fix has not been released yet, but should be available soon.

We have Fedora selinux-policy nightly builds where this issue is fixed: https://copr-be.cloud.fedoraproject.org/results/lvrabec/selinux-policy-nightly/fedora-30-x86_64/00910085-selinux-policy/

You can use this build before the new release of selinux-policy in Fedora.

selinux-policy-3.14.3-37.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-40c077f70d

selinux-policy-3.14.3-37.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-40c077f70d

selinux-policy-3.14.3-37.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
While booting

Version-Release number of selected component:
selinux-policy-3.14.1-54.fc28.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.16-300.fc30.i686
type:           libreport

Description of problem:
Installed tlp; Connected the laptop to power;

Version-Release number of selected component:
selinux-policy-3.14.3-40.fc30.noarch

Additional info:
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.16-300.fc30.x86_64
type:           libreport

Similar problem has been detected:

warning appears after installation of tlp

hashmarkername: setroubleshoot
kernel:         5.4.17-100.fc30.x86_64
package:        selinux-policy-3.14.3-55.fc30.noarch
reason:         SELinux is preventing tlp from 'write' accesses on the file last_pwr.
type:           libreport
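The following Python is an added example, not part of the bug report or of selinux-policy: it reduces the raw AVC record quoted in the setroubleshoot alert to (source type, target type, class, permission) and checks whether a CIL module contains an `allow` rule covering it, which is why test b) still produced the fifo_file denial while Zdenek's corrected module does not. The AVC line and both modules are copied from the report; the CIL reader is a minimal s-expression parser for just the rule forms used there.

```python
import re

# Raw AVC record as quoted in the setroubleshoot alert in the report (one line).
AVC = ('type=AVC msg=audit(1557855485.502:350): avc:  denied  { write } for pid=4105 '
       'comm="tlp" path="pipe:[69148]" dev="pipefs" ino=69148 '
       'scontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0')

# Module b) from the report: makes udev_t transition to tlp_t, but tlp_t then has
# no rule for the pipe it inherits from systemd-udevd, hence the denial above.
MODULE_B = """
( allow udev_t tlp_exec_t ( file ( getattr open map read execute ioctl )))
( allow udev_t tlp_t ( process (transition )))
( typetransition udev_t tlp_exec_t process tlp_t )
"""
# Corrected module from the report: adds the fifo_file rule towards udev_t.
MODULE_FIXED = MODULE_B + "( allow tlp_t udev_t ( fifo_file ( append getattr ioctl lock read write )))\n"

def parse_avc(record):
    """Reduce an AVC record to (source type, target type, class, denied permissions)."""
    perms = set(re.search(r"denied\s*\{([^}]*)\}", record).group(1).split())
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    # The type is the third field of a user:role:type:range security context.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms

def parse_cil(text):
    """Minimal s-expression reader: returns the module as nested token lists."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            expr = stack.pop()
            stack[-1].append(expr)
        else:
            stack[-1].append(tok)
    return stack[0]

def allowed_perms(module, stype, ttype, tclass):
    """Permissions granted by (allow stype ttype (tclass (perms ...))) rules."""
    granted = set()
    for expr in parse_cil(module):
        if expr[:3] == ["allow", stype, ttype] and expr[3][0] == tclass:
            granted.update(expr[3][1])
    return granted

def missing_perms(module, record):
    """Denied permissions the module does not grant; empty means the denial is covered."""
    stype, ttype, tclass, perms = parse_avc(record)
    return perms - allowed_perms(module, stype, ttype, tclass)

if __name__ == "__main__":
    print("module b) still lacks:", missing_perms(MODULE_B, AVC))        # {'write'}
    print("corrected module lacks:", missing_perms(MODULE_FIXED, AVC))  # set()
```

The same check can be run over the output of `ausearch -m avc --raw` against any local module before loading it with `semodule -i`, to see which denials it actually addresses.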