Bug 2387572

Summary: SELinux is preventing tuned-ppd from 'getattr' accesses on the filesystem /.
Product: [Fedora] Fedora Reporter: marek77 <marek.schimara>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 42CC: dwalsh, jjanasek, lvrabec, marek.schimara, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:4b81954faa3c3348700ea532490c1be810286d0c1da87452743b3b56f967317a;VARIANT_ID=;
Fixed In Version: selinux-policy-42.7-1.fc42 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-09-01 00:50:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: os_info
none
File: description none

Description marek77 2025-08-11 09:37:25 UTC 
Description of problem:
SELinux is preventing tuned-ppd from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tuned-ppd should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tuned-ppd' --raw | audit2allow -M my-tunedppd
# semodule -X 300 -i my-tunedppd.pp

Additional Information:
Source Context                system_u:system_r:tuned_ppd_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        tuned-ppd
Source Path                   tuned-ppd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.4-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-42.4-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.15.9-201.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Aug 2 11:37:34 UTC 2025 x86_64
Alert Count                   8
First Seen                    2025-07-30 15:42:02 CEST
Last Seen                     2025-08-11 11:33:54 CEST
Local ID                      8b2179c0-eaaa-4dba-a668-ea608fa6f69a

Raw Audit Messages
type=AVC msg=audit(1754904834.436:525): avc:  denied  { getattr } for  pid=1778 comm="tuned-ppd" name="/" dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1


Hash: tuned-ppd,tuned_ppd_t,fs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-42.4-1.fc42.noarch

Additional info:
reporter:       libreport-2.17.15
component:      selinux-policy
type:           libreport
hashmarkername: setroubleshoot
package:        selinux-policy-targeted-42.4-1.fc42.noarch
kernel:         6.15.9-201.fc42.x86_64
reason:         SELinux is preventing tuned-ppd from 'getattr' accesses on the filesystem /.
component:      selinux-policy
Comment 1 marek77 2025-08-11 09:37:28 UTC 
Created attachment 2103241 [details]
File: os_info
Comment 2 marek77 2025-08-11 09:37:29 UTC 
Created attachment 2103242 [details]
File: description
Comment 3 jjanasek 2025-08-13 14:16:11 UTC 
Hello,

Is there any configuration change needed to trigger this denial?
Can you set your system to permissive mode (setenforce 0) and try again to collect all denials (ausearch -m avc -i -ts today)?
Can you also provide output of (mount)?
Comment 4 marek77 2025-08-13 14:30:48 UTC 
Hi,

no config change except regular dnf updates, one of which brought new version of selinux-policy-targeted rpm. My system is already in

Enforcing Mode                Permissive

$ mount
/dev/nvme0n1p3 on / type ext4 (rw,relatime,seclabel)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=15741412k,nr_inodes=3935353,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
none on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=6315788k,nr_inodes=819200,mode=755,inode64)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=37,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=13311)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,size=15789464k,nr_inodes=1048576,inode64)
/dev/nvme0n1p1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/user/968 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=3157892k,nr_inodes=789473,mode=700,uid=968,gid=965,inode64)
tmpfs on /run/credentials/getty type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=3157892k,nr_inodes=789473,mode=700,uid=1000,gid=1000,inode64)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)


Since I reported the bug I applied a local selinux policy as suggested by the SElinux Troubleshooter tool, as I got annoyed by the AVC denial messages. So nothing from tuned-ppd today, but I have older AVCs:

$ sudo ausearch -m avc -i | grep tuned
type=AVC msg=audit(30/07/25 17:38:09.440:132036) : avc:  denied  { getattr } for  pid=1487 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(31/07/25 08:13:45.131:7587) : avc:  denied  { getattr } for  pid=1538 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(31/07/25 14:17:59.453:87925) : avc:  denied  { getattr } for  pid=1461 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(31/07/25 17:52:42.492:88063) : avc:  denied  { getattr } for  pid=1461 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(01/08/25 15:08:20.266:1031) : avc:  denied  { getattr } for  pid=1437 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(09/08/25 14:21:26.254:538) : avc:  denied  { getattr } for  pid=1477 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(09/08/25 15:35:43.076:727) : avc:  denied  { getattr } for  pid=1477 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 09:55:11.489:779) : avc:  denied  { getattr } for  pid=1473 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 09:58:16.569:553) : avc:  denied  { getattr } for  pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 10:03:12.144:614) : avc:  denied  { getattr } for  pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 10:11:18.710:908) : avc:  denied  { getattr } for  pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 10:12:08.135:935) : avc:  denied  { getattr } for  pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 11:31:48.976:1813) : avc:  denied  { getattr } for  pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 11:31:48.981:1814) : avc:  denied  { getattr } for  pid=1466 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(11/08/25 11:33:54.436:525) : avc:  denied  { getattr } for  pid=1778 comm=tuned-ppd name=/ dev="nvme0n1p3" ino=2 scontext=system_u:system_r:tuned_ppd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Comment 5 Fedora Update System 2025-08-29 12:09:22 UTC 
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5
Comment 6 Fedora Update System 2025-08-30 02:01:26 UTC 
FEDORA-2025-7a468a12c5 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7a468a12c5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2025-09-01 00:50:41 UTC 
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.