Bug 2070329
Summary: | SELinux is preventing mktemp from 'write' accesses on the directory tlp. | |
---|---|---|---
Product: | Fedora | Reporter: | Michael <michael.scheiffler>
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 36 | CC: | dwalsh, grepl.miroslav, kpfleming, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela
Target Milestone: | --- | Keywords: | Triaged
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:af3bf32fe8667adba079017b46249097e81e4ec84343f9ec9bf843d96c058ffc;VARIANT_ID=workstation; | |
Fixed In Version: | selinux-policy-36.7-1.fc36 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2022-04-26 02:40:11 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Michael
2022-03-30 20:28:23 UTC
Michael, Do you know which script triggered this denial?

I have no idea. It's a rather basic installation with TLP enabled, which was upgraded to Fedora 36. Before the upgrade I didn't get any alarms.

It is /usr/lib/NetworkManager/dispatcher.d/99tlp-rdw-nm which triggers this (I just tracked it down on my own system). Setting SELinux to permissive mode allows tlp-rdw to manage my WiFi radio as it did in F35, but with SELinux in enforcing mode every time this dispatcher script is invoked by NetworkManager it fails because it cannot write into /run/tlp. This comes from the 'tlp-rdw' package, not the base 'tlp' package.

For existing users who have enabled WiFi power switching (rfkill), the result of this problem is that disconnecting their LAN link does *not* enable their WiFi link, so they have no network connectivity.

Similar problem has been detected:

system startup with tlp enabled

hashmarkername: setroubleshoot
kernel: 5.17.1-300.fc36.x86_64
package: selinux-policy-targeted-36.6-1.fc36.noarch
reason: SELinux is preventing mktemp from 'write' accesses on the directory tlp.
type: libreport

For what it's worth, I would be happy to test modified versions of the policies on my laptop to see if they address the problem.

AVC from the duplicate bz:

type=AVC msg=audit(1649195759.77:395): avc: denied { read } for pid=2525 comm="readlink" name="virbr0" dev="sysfs" ino=48505 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1

*** Bug 2072273 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

tlp enable

hashmarkername: setroubleshoot
kernel: 5.17.2-300.fc36.x86_64
package: selinux-policy-targeted-36.6-1.fc36.noarch
reason: SELinux is preventing mktemp from 'write' accesses on the directory tlp.
type: libreport

*** Bug 2072272 has been marked as a duplicate of this bug. ***

AVC from another dup bz:

type=AVC msg=audit(1649956553.315:401): avc: denied { write } for pid=2704 comm="tlp-readconfs" name="tlp-run.conf_tmpt6VMXI" dev="tmpfs" ino=1939 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

*** Bug 2075641 has been marked as a duplicate of this bug. ***

FEDORA-2022-76963fee71 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71

FEDORA-2022-76963fee71 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-76963fee71` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

The attached build now allows the script to write into the target directory, but then another AVC is generated when 'rfkill' is executed:

type=AVC msg=audit(1650567176.426:309): avc: denied { read write } for pid=5826 comm="rfkill" name="rfkill" dev="devtmpfs" ino=209 scontext=system_u:system_r:NetworkManager_dispatcher_tlp_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0

If that should be reported in a separate BZ please let me know.

(In reply to Kevin P. Fleming from comment #15)
> The attached build now allows the script to write into the target directory,
> but then another AVC is generated when 'rfkill' is executed:
>
> type=AVC msg=audit(1650567176.426:309): avc: denied { read write } for
> pid=5826 comm="rfkill" name="rfkill" dev="devtmpfs" ino=209
> scontext=system_u:system_r:NetworkManager_dispatcher_tlp_t:s0
> tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0
>
> If that should be reported in a separate BZ please let me know.

It is easy to miss an update, so generally it is better, not this time, you can check if the latest scratch build fixes all problems:
https://github.com/fedora-selinux/selinux-policy/pull/1161
Checks -> Details -> Artifacts -> rpms

Success! With the scratch build RPMs installed I'm able to switch between wired and WiFi connections using tlp-rdw as expected. Thanks!

FEDORA-2022-76963fee71 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
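The thread above turns on reading three AVC records: which domain was denied, on which type and object class, which permissions, and whether the record was collected in permissive mode (the first two say permissive=1, the rfkill one permissive=0, so only the last one was actually blocking). The following is an added example, not code from the bug report, from selinux-policy or from tlp: a small parser for AVC lines that pulls out those fields and collapses the records into the allow rules a local policy module would need, which is what audit2allow does. The function names and the list of records are mine; the record text itself is copied from the comments above.

```python
"""Parse SELinux AVC denial records and derive the allow rules a local
policy module would need (the same collapsing audit2allow performs).

Added example for bug 2070329; not part of selinux-policy, tlp-rdw or
any comment in the bug.  The record strings are the AVCs quoted in the
thread; the list itself is constructed here so the script runs offline.
"""
import re
from collections import defaultdict

AVC_LINES = [
    'type=AVC msg=audit(1649195759.77:395): avc: denied { read } for pid=2525 '
    'comm="readlink" name="virbr0" dev="sysfs" ino=48505 '
    'scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1',
    'type=AVC msg=audit(1649956553.315:401): avc: denied { write } for pid=2704 '
    'comm="tlp-readconfs" name="tlp-run.conf_tmpt6VMXI" dev="tmpfs" ino=1939 '
    'scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1650567176.426:309): avc: denied { read write } for pid=5826 '
    'comm="rfkill" name="rfkill" dev="devtmpfs" ino=209 '
    'scontext=system_u:system_r:NetworkManager_dispatcher_tlp_t:s0 '
    'tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0',
]

# "avc: denied { read write } for <key=value ...>"
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return ctx.split(':')[2] if ctx else None


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec = {
        'result': m.group('result'),
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # permissive=1 means the access was logged but allowed to proceed
        'permissive': fields.get('permissive') == '1',
    }
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def enforced_denials(records):
    """Only the records that actually blocked an access (permissive=0)."""
    return [r for r in records if not r['permissive']]


def allow_rules(records):
    """Merge records with the same (source type, target type, class) into
    one allow rule each, in the syntax a .te policy module uses."""
    merged = defaultdict(set)
    for r in records:
        merged[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


if __name__ == '__main__':
    recs = [parse_avc(line) for line in AVC_LINES]
    for r in recs:
        mode = 'permissive' if r['permissive'] else 'ENFORCED'
        print(f"{r['comm']:14} {r['stype']} -> {r['ttype']}:{r['tclass']} "
              f"{r['perms']} [{mode}]")
    print()
    for rule in allow_rules(recs):
        print(rule)
```

On a live system the records would come from `ausearch -m AVC` rather than a list, and `audit2allow -M <name>` would produce and package the same rules. Two caveats a practitioner would want: the collapsed rules grant access to the whole target type (every `var_run_t` file, every `wireless_device_t` device), so a local module built this way is a stopgap for a machine that has lost connectivity, not the fix; the fix in this bug landed in selinux-policy-36.7-1.fc36, and the third record already shows the dedicated `NetworkManager_dispatcher_tlp_t` domain it introduced. And when an AVC carries permissive=1, the operation succeeded, so one record per access is not proof of the full set of permissions a script needs; re-test in enforcing mode, as comment #15 did, before calling the problem solved.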