Bug 2082404

| Summary: | SELinux policy prevents systemd_sleep_t from actually suspending | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | James Ralston <ralston> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.0 | CC: | lvrabec, mmalik, redhat, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.1 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-34.1.32-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-15 11:13:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:

I have RHEL9 beta installed on a Dell Latitude 7420. SELinux is preventing the laptop from suspending when the lid is closed:

```
May 05 19:55:40 laptop.example.org [7232]: Failed to execute /usr/lib/systemd/system-sleep/sysstat.sleep: Permission denied
May 05 19:55:40 laptop.example.org [7231]: /usr/lib/systemd/system-sleep/sysstat.sleep failed with exit status 1.
May 05 19:55:41 laptop.example.org setroubleshoot[7233]: SELinux is preventing /usr/lib/systemd/systemd-sleep from execute access on the file /usr/lib/systemd/system-sleep/sysstat.sleep.
May 05 19:55:42 laptop.example.org setroubleshoot[7233]: SELinux is preventing /usr/lib/systemd/systemd-sleep from execute access on the file /usr/lib/systemd/system-sleep/sysstat.sleep.
```

If I place systemd_sleep_t in permissive mode, then suspending works, but a bevy of SELinux (permissive) denies are logged:

```
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/lib64/sa/sa1.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from ioctl access on the file /usr/lib64/sa/sa1.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the directory /var/log/sa.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from map access on the file /usr/lib64/sa/sadc.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from read access on the file dev.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from getattr access on the file /proc/<pid>/net/dev.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from search access on the directory /var/log/sa/sa05.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/lib64/sa/sa1.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from ioctl access on the file /usr/lib64/sa/sa1.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from map access on the file /usr/lib64/sa/sadc.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from read access on the file /var/log/sa/sa05.
```

And:

```
$ ausearch -m avc -ts today | audit2allow

#============= systemd_sleep_t ==============
allow systemd_sleep_t bin_t:file { execute execute_no_trans };
allow systemd_sleep_t proc_net_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_sleep_t shell_exec_t:file map;
allow systemd_sleep_t shell_exec_t:file execute;
allow systemd_sleep_t sysstat_exec_t:file { execute execute_no_trans getattr ioctl open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_sleep_t sysstat_exec_t:file map;
allow systemd_sleep_t sysstat_log_t:dir { getattr search };
allow systemd_sleep_t sysstat_log_t:file { open read };
```

This doesn't look like a rule or two is missing; it looks like either there is a transition rule that is missing (meaning, systemd_sleep_t is being denied all over the place because all of this should be executing in a different SELinux context), or systemd_sleep_t is the correct context, but most of the policy it should have is simply missing.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-34.1.28-1.el9_0.noarch

How reproducible:
Install RHEL9 beta on a laptop and close the lid. Alternatively, using a tool like pm-suspend to manually force a suspend will likely demonstrate the issue on any modern hardware that supports the ACPI S3 suspend state.

Forgot to add: I preceded the above testing with:

```
$ restorecon -FRv /
```

…so I know that the issue isn't that the SELinux file contexts are incorrect.

systemd-sleep policy has been updated a lot since creating RHEL 9 branches off Fedora:

```
d777042ed Allow systemd-sleep get removable devices attributes
6a15f8a70 Allow systemd-sleep tlp_filetrans_named_content()
0a86d22a1 Allow systemd-sleep execute generic programs
ee1015919 Allow systemd-sleep execute shell
c10b82dec Allow systemd-sleep transition to sysstat_t
e51919ac9 Allow systemd-sleep transition to tlp_t
127687278 Allow systemd-sleep transition to unconfined_service_t on bin_t executables
e497209ca allow systemd-sleep to set timer for suspend-then-hibernate
```

When will the fix be released? It still seems to be a problem 5 months on.

```
========================================================================================================
If you believe that systemd-sleep should be allowed execute access on the sysstat.sleep file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.

Source RPM Packages            systemd-udev-250-6.el9_0.1.x86_64
Target RPM Packages            sysstat-12.5.4-3.el9.x86_64
SELinux Policy RPM             selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Local Policy RPM               selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Selinux Enabled                True
Policy Type                    targeted
Enforcing Mode                 Enforcing
Platform                       Linux 5.14.0-70.26.1.el9_0.x86_64 #1 SMP PREEMPT Fri Sep 2 16:07:40 EDT 2022 x86_64 x86_64
Alert Count                    2
First Seen                     2022-10-23 12:47:47 BST
Last Seen                      2022-10-23 13:22:58 BST
Local ID                       35d59f0b-4daf-48b3-ae1e-a4ade128ab45
========================================================================================================
```

```
$ sudo dmidecode --string system-family
ThinkPad P14s Gen 1
```

The fix is a part of selinux-policy-34.1.32-1.el9 which is available in CentOS Stream since May. For RHEL, it will be released with RHEL 9.1 GA later this year.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283
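The reporter's reading of the audit2allow output (a run of execute denials from one domain against `*_exec_t` files points to a missing domain transition, not a few missing allow rules) can be turned into a triage step before anyone reaches for `audit2allow -M`. The script below is an added example, not part of the bug report or of selinux-policy; `avc_triage` is a name chosen here, and the AVC records it reads are constructed to mirror the denials quoted in the description.

```shell
#!/bin/sh
# Added example (not from the bug report): triage raw AVC records for one
# source domain. Execute-type denials against *_exec_t or bin_t files are
# tagged "transition?" because, as the reporter observed, a run of those
# usually means the policy lacks a domain transition; feeding them to
# audit2allow would instead let the caller run the program in its own domain.

# Usage: avc_triage SOURCE_DOMAIN < records   (records as printed by ausearch -m avc)
avc_triage() {
    awk -v src="$1" '
    /avc: *denied/ {
        perms = ""; sctx = ""; tctx = ""; tclass = ""
        if (match($0, /denied +[{][^}]*[}]/)) {
            perms = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] */, "", perms); sub(/ *[}]$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) sctx = substr($i, 10)
            if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        split(sctx, s, ":"); split(tctx, t, ":")   # s[3]/t[3] are the SELinux types
        if (s[3] != src) next                       # skip other source domains
        hint = "allow rule"
        if (tclass == "file" && perms ~ /execute/ && (t[3] ~ /_exec_t$/ || t[3] == "bin_t"))
            hint = "transition?"
        n[t[3] " " tclass " {" perms "} " hint]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}

# Constructed AVC records modelled on the denials quoted in the description.
SAMPLE='type=AVC msg=audit(1651777740.101:401): avc:  denied  { execute } for  pid=7232 comm="systemd-sleep" name="sysstat.sleep" dev="dm-0" ino=4101 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651777742.202:402): avc:  denied  { execute } for  pid=7240 comm="systemd-sleep" name="sysstat.sleep" dev="dm-0" ino=4101 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651789401.303:510): avc:  denied  { execute_no_trans } for  pid=10631 comm="bash" path="/usr/lib64/sa/sa1" dev="dm-0" ino=4102 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651789401.404:511): avc:  denied  { getattr open read } for  pid=10632 comm="sadc" path="/proc/10632/net/dev" dev="proc" ino=4103 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651789401.505:512): avc:  denied  { search } for  pid=10632 comm="sadc" name="sa" dev="dm-0" ino=4104 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:sysstat_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1651789402.606:513): avc:  denied  { read } for  pid=900 comm="other" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysstat_log_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE" | avc_triage systemd_sleep_t
# On a policy that carries the fix, confirm the transition exists (setools)
# instead of adding allow rules:
#   sesearch -T -s systemd_sleep_t -t sysstat_exec_t -c process
```

The init_t record is filtered out, and the two execute denials on sysstat_exec_t collapse into one "transition?" line, which is the signal that the fix belongs in the distribution policy rather than in a local module.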