| Summary: | SELinux is preventing /sbin/consoletype from 'ioctl' accesses on the file /var/log/pm-suspend.log. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> | ||||
| Component: | pm-utils | Assignee: | Jaroslav Škarvada <jskarvad> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 15 | CC: | dwalsh, jskala, jskarvad, mcepl, mgrepl, michel, opensource, pknirsch, rhughes, richard | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | setroubleshoot_trace_hash:7b9ea96c4801ede462d742a08394945b47f82cd9441b52364fefdaf60c6da8ed | ||||||
| Fixed In Version: | pm-utils-1.4.1-6.fc15 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-04-15 21:49:00 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | ||||||
| Attachments: |
|
||||||
restorecon /var/log/pm-suspend.log For some reason this file got created with the wrong label. Did you run pm-suspend manually? *** Bug 663993 has been marked as a duplicate of this bug. *** (In reply to comment #1) > restorecon /var/log/pm-suspend.log > > For some reason this file got created with the wrong label. > > Did you run pm-suspend manually? Yes, I did (with constantly crashing gnome-power-manager, it was the only way how to suspend). Why just plain sudo pm-suspend is not allowed? I think I already have a bug report to switch pm-utils to append output to its log files rather then write to them. Bug 660329 description was already committed and present in pm-utils-1.4.1-3.fc15, probably it doesn't resolve this problem. I believe that will fix this bug. *** This bug has been marked as a duplicate of bug 660329 *** Sorry, it still does not work. The boot sequence seems clean, but the pm-suspend still emits AVC, thus reopening this one. The problem: the init_logfile is called before every suspend, thus the /var/log/pm-suspend.log is recreated with wrong label, the code: rm -f "$1" exec >> "$1" 2>&1 This is the feature of pm-utils to store only the last suspend log. What AVC? Fixed in selinux-policy-3.9.12-2.fc15 This exact bug just happened to me after running pm-hibernate, with: selinux-policy-3.9.14-2.fc15.noarch pm-utils-1.4.1-5.fc15.x86_64 ls -lZ /var/log/pm-utils.log restorecon /var/log/pm-utils.log The question is how did it get mislabelled. What is the exact AVC that you got? Created attachment 484216 [details]
SETroubleshoot log after resume
Still problem on F15.
Currently the pm-utils rm the /var/log/pm-suspend.log file before suspend and the newly created log file is labelled var_log_t. It can be relabelled to devicekit_var_log_t by:
# /sbin/restorecon -v /var/log/pm-suspend.log
/sbin/restorecon reset /var/log/pm-suspend.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:devicekit_var_log_t:s0
# ls -Z /var/log/pm-suspend.log
-rw-r--r--. root root system_u:object_r:devicekit_var_log_t:s0 /var/log/pm-suspend.log
but after the next suspend:
# pm-suspend
...
[resume]
# ls -Z /var/log/pm-suspend.log
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 /var/log/pm-suspend.log
Current code in /usr/lib[64]/pm-utils/pm-functions:
# Try to reinitalize the logfile. Fail unless certian criteria are met.
init_logfile()
{
...
rm -f "$1"
exec >> "$1" 2>&1
}
rm -f "$1"
touch "$1"
restorecon "$1"
exec >> "$1" 2>&1
Will make SELinux stop complaining.
Or
> "$1"
restorecon "$1"
exec >> "$1" 2>&1
Dan, thanks, but I am now getting another AVC before each suspend:
type=AVC msg=audit(1300360173.707:606): avc: denied { read } for pid=6185 comm="restorecon" path="/var/run/pm-utils/locks/pm-powersave.lock" dev=tmpfs ino=174719 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:devicekit_var_run_t:s0 tclass=file
the code in ./pm-utils/functions:
try_lock()
{
# $1 = file to use as lockfile
local lock="${LOCKDIR}/${1##*/}"
# make sure the directory where the lockfile should be exists
mkdir -p "${LOCKDIR}"
touch "${lock}"
exec 3<"${lock}"
flock -x -n 3 || return 1
return 0
}
Ok that one we will need to fix. Fixed in selinux-policy-3.9.16-5.fc15 Thanks, now it is OK. pm-utils-1.4.1-6.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/pm-utils-1.4.1-6.fc15 pm-utils-1.4.1-6.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |
SELinux is preventing /sbin/consoletype from 'ioctl' accesses on the file /var/log/pm-suspend.log. ***** Plugin restorecon (99.5 confidence) suggests ************************* If you want to fix the label. /var/log/pm-suspend.log default label should be devicekit_var_log_t. Then you can run restorecon. Do # /sbin/restorecon -v /var/log/pm-suspend.log ***** Plugin catchall (1.49 confidence) suggests *************************** If you believe that consoletype should be allowed ioctl access on the pm-suspend.log file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:consoletype_t:s0 Target Context unconfined_u:object_r:var_log_t:s0 Target Objects /var/log/pm-suspend.log [ file ] Source consoletype Source Path /sbin/consoletype Port <Neznámé> Host (removed) Source RPM Packages initscripts-9.23-2.fc15 Target RPM Packages pm-utils-1.4.1-3.fc15 Policy RPM selinux-policy-3.9.10-12.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.37-0.rc5.git2.1.fc15.x86_64 #1 SMP Thu Dec 9 19:08:58 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Čt 16. prosinec 2010, 07:46:00 CET Last Seen Čt 16. prosinec 2010, 07:46:00 CET Local ID 3e35b573-97b8-47b9-a19c-526f0112b71e Raw Audit Messages type=AVC msg=audit(1292481960.607:1319): avc: denied { ioctl } for pid=30635 comm="consoletype" path="/var/log/pm-suspend.log" dev=dm-1 ino=8036 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file consoletype,consoletype_t,var_log_t,file,ioctl type=SYSCALL msg=audit(1292481960.607:1319): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=0 a1=541c a2=7fff85f867df a3=d items=0 ppid=30634 pid=30635 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=8 comm=consoletype exe=/sbin/consoletype subj=unconfined_u:system_r:consoletype_t:s0 key=(null) consoletype,consoletype_t,var_log_t,file,ioctl #============= consoletype_t ============== allow consoletype_t var_log_t:file ioctl;