Bug 2082404

Summary: SELinux policy prevents systemd_sleep_t from actually suspending
Product: Red Hat Enterprise Linux 9
Reporter: James Ralston <ralston>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.0
CC: lvrabec, mmalik, redhat, ssekidde, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 9.1
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-34.1.32-1.el9
Doc Type: No Doc Update
Last Closed: 2022-11-15 11:13:50 UTC
Type: Bug

Description James Ralston 2022-05-06 03:52:55 UTC
Description of problem:

I have RHEL9 beta installed on a Dell Latitude 7420.

SELinux is preventing the laptop from suspending when the lid is closed:

May 05 19:55:40 laptop.example.org [7232]: Failed to execute /usr/lib/systemd/system-sleep/sysstat.sleep: Permission denied
May 05 19:55:40 laptop.example.org [7231]: /usr/lib/systemd/system-sleep/sysstat.sleep failed with exit status 1.
May 05 19:55:41 laptop.example.org setroubleshoot[7233]: SELinux is preventing /usr/lib/systemd/systemd-sleep from execute access on the file /usr/lib/systemd/system-sleep/sysstat.sleep.
May 05 19:55:42 laptop.example.org setroubleshoot[7233]: SELinux is preventing /usr/lib/systemd/systemd-sleep from execute access on the file /usr/lib/systemd/system-sleep/sysstat.sleep.

If I place systemd_sleep_t in permissive mode, then suspending works, but a bevy of SELinux (permissive) denies are logged:

May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/lib64/sa/sa1.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from ioctl access on the file /usr/lib64/sa/sa1.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the directory /var/log/sa.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from map access on the file /usr/lib64/sa/sadc.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from read access on the file dev.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from getattr access on the file /proc/<pid>/net/dev.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from search access on the directory /var/log/sa/sa05.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/lib64/sa/sa1.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from ioctl access on the file /usr/lib64/sa/sa1.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from map access on the file /usr/lib64/sa/sadc.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from read access on the file /var/log/sa/sa05.

And:

$ ausearch -m avc -ts today | audit2allow

#============= systemd_sleep_t ==============
allow systemd_sleep_t bin_t:file { execute execute_no_trans };
allow systemd_sleep_t proc_net_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_sleep_t shell_exec_t:file map;
allow systemd_sleep_t shell_exec_t:file execute;
allow systemd_sleep_t sysstat_exec_t:file { execute execute_no_trans getattr ioctl open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_sleep_t sysstat_exec_t:file map;
allow systemd_sleep_t sysstat_log_t:dir { getattr search };
allow systemd_sleep_t sysstat_log_t:file { open read };

This doesn’t look like a rule or two is missing; it looks like either there is a transition rule that is missing (meaning, systemd_sleep_t is being denied all over the place because all of this should be executing in a different SELinux context), or systemd_sleep_t is the correct context, but most of the policy it should have is simply missing.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-34.1.28-1.el9_0.noarch

How reproducible:

Install RHEL9 beta on a laptop and close the lid.

Alternatively, using a tool like pm-suspend to manually force a suspend will likely demonstrate the issue on any modern hardware that supports the ACPI S3 suspend state.

Comment 1 James Ralston 2022-05-06 03:56:15 UTC
Forgot to add: I preceded the above testing with:

$ restorecon -FRv /

…so I know that the issue isn’t that the SELinux file contexts are incorrect.

Comment 2 Zdenek Pytela 2022-05-06 07:20:20 UTC
systemd-sleep policy has been updated a lot since creating RHEL 9 branches off Fedora:

d777042ed Allow systemd-sleep get removable devices attributes
6a15f8a70 Allow systemd-sleep tlp_filetrans_named_content()
0a86d22a1 Allow systemd-sleep execute generic programs
ee1015919 Allow systemd-sleep execute shell
c10b82dec Allow systemd-sleep transition to sysstat_t
e51919ac9 Allow systemd-sleep transition to tlp_t
127687278 Allow systemd-sleep transition to unconfined_service_t on bin_t executables
e497209ca allow systemd-sleep to set timer for suspend-then-hibernate
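For comparison with the audit2allow output in the description, here is a local policy module, added as an illustration and not the actual Fedora/RHEL policy commit, that mirrors what the listed commits do: let systemd_sleep_t execute generic programs and a shell, and transition to the existing sysstat_t domain when it runs a sysstat_exec_t file, so that sadc's access to sysstat_log_t and proc_net_t is granted to sysstat_t rather than added to systemd_sleep_t via execute_no_trans. It assumes the reference-policy interfaces corecmd_exec_bin and corecmd_exec_shell, the domtrans_pattern support macro, and that sysstat_t and sysstat_exec_t are defined by the installed policy.

```selinux
policy_module(local_systemd_sleep_sysstat, 1.0)

########################################
#
# Declarations (types pulled in from the base policy)
#

gen_require(`
	type systemd_sleep_t;
	type sysstat_t, sysstat_exec_t;
')

########################################
#
# Local policy
#

# system-sleep hooks are shell scripts: let systemd-sleep run the
# interpreter and generic bin_t helpers. This covers the bin_t and
# shell_exec_t execute/map denials listed in the report.
corecmd_exec_bin(systemd_sleep_t)
corecmd_exec_shell(systemd_sleep_t)

# When systemd-sleep executes a sysstat_exec_t file (sa1 -> sadc), switch
# to sysstat_t instead of allowing execute_no_trans in systemd_sleep_t.
# sysstat_t already carries the sysstat_log_t and proc_net_t rules, so the
# remaining audit2allow rules for systemd_sleep_t are unnecessary.
domtrans_pattern(systemd_sleep_t, sysstat_exec_t, sysstat_t)
```

With selinux-policy-devel installed, build and load it with `make -f /usr/share/selinux/devel/Makefile local_systemd_sleep_sysstat.pp && semodule -i local_systemd_sleep_sysstat.pp`, then re-run `ausearch -m avc -ts recent` after a suspend to confirm the systemd_sleep_t denials are gone.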

Comment 10 Ceri Williams 2022-10-23 12:38:56 UTC
When will the fix be released? It still seems to be a problem 5 months on.

========================================================================================================
If you believe that systemd-sleep should be allowed execute access on the sysstat.sleep file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.

Source RPM Packages           systemd-udev-250-6.el9_0.1.x86_64
Target RPM Packages           sysstat-12.5.4-3.el9.x86_64
SELinux Policy RPM            selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux 5.14.0-70.26.1.el9_0.x86_64 #1
                              SMP PREEMPT Fri Sep 2 16:07:40 EDT 2022 x86_64
                              x86_64
Alert Count                   2
First Seen                    2022-10-23 12:47:47 BST
Last Seen                     2022-10-23 13:22:58 BST
Local ID                      35d59f0b-4daf-48b3-ae1e-a4ade128ab45
========================================================================================================

$ sudo dmidecode --string system-family
ThinkPad P14s Gen 1

Comment 11 Zdenek Pytela 2022-10-24 08:26:21 UTC
The fix is a part of selinux-policy-34.1.32-1.el9 which is available in CentOS Stream since May.
For RHEL, it will be released with RHEL 9.1 GA later this year.

Comment 13 errata-xmlrpc 2022-11-15 11:13:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283