Bug 663995

Summary: SELinux is preventing /sbin/consoletype from 'ioctl' accesses on the file /var/log/pm-suspend.log.
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: pm-utilsAssignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 15CC: dwalsh, jskala, jskarvad, mcepl, mgrepl, michel, opensource, pknirsch, rhughes, richard
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:7b9ea96c4801ede462d742a08394945b47f82cd9441b52364fefdaf60c6da8ed
Fixed In Version: pm-utils-1.4.1-6.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-15 21:49:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Flags
SETroubleshoot log after resume none

Description Matěj Cepl 2010-12-17 17:01:49 UTC
SELinux is preventing /sbin/consoletype from 'ioctl' accesses on the file /var/log/pm-suspend.log.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/var/log/pm-suspend.log default label should be devicekit_var_log_t.
Then you can run restorecon.
# /sbin/restorecon -v /var/log/pm-suspend.log

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that consoletype should be allowed ioctl access on the pm-suspend.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                unconfined_u:object_r:var_log_t:s0
Target Objects                /var/log/pm-suspend.log [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           initscripts-9.23-2.fc15
Target RPM Packages           pm-utils-1.4.1-3.fc15
Policy RPM                    selinux-policy-3.9.10-12.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-0.rc5.git2.1.fc15.x86_64 #1
                              SMP Thu Dec 9 19:08:58 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Čt 16. prosinec 2010, 07:46:00 CET
Last Seen                     Čt 16. prosinec 2010, 07:46:00 CET
Local ID                      3e35b573-97b8-47b9-a19c-526f0112b71e

Raw Audit Messages
type=AVC msg=audit(1292481960.607:1319): avc:  denied  { ioctl } for  pid=30635 comm="consoletype" path="/var/log/pm-suspend.log" dev=dm-1 ino=8036 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1292481960.607:1319): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=0 a1=541c a2=7fff85f867df a3=d items=0 ppid=30634 pid=30635 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=8 comm=consoletype exe=/sbin/consoletype subj=unconfined_u:system_r:consoletype_t:s0 key=(null)

#============= consoletype_t ==============
allow consoletype_t var_log_t:file ioctl;

Comment 1 Daniel Walsh 2010-12-17 20:43:04 UTC
restorecon /var/log/pm-suspend.log 

For some reason this file got created with the wrong label.

Did you run pm-suspend manually?

Comment 2 Daniel Walsh 2010-12-17 20:43:40 UTC
*** Bug 663993 has been marked as a duplicate of this bug. ***

Comment 3 Matěj Cepl 2010-12-20 08:58:48 UTC
(In reply to comment #1)
> restorecon /var/log/pm-suspend.log 
> For some reason this file got created with the wrong label.
> Did you run pm-suspend manually?

Yes, I did (with constantly crashing gnome-power-manager, it was the only way how to suspend). Why just plain

sudo pm-suspend

is not allowed?

Comment 4 Daniel Walsh 2010-12-20 14:26:16 UTC
I think I already have a bug report to switch pm-utils to append output to its log files rather then write to them.

Comment 5 Jaroslav Škarvada 2010-12-20 15:02:27 UTC
Bug 660329 description was already committed and present in pm-utils-1.4.1-3.fc15, probably it doesn't resolve this problem.

Comment 6 Daniel Walsh 2010-12-20 20:37:31 UTC
I believe that will fix this bug.

*** This bug has been marked as a duplicate of bug 660329 ***

Comment 7 Jaroslav Škarvada 2010-12-21 09:40:50 UTC
Sorry, it still does not work. The boot sequence seems clean, but the pm-suspend still emits AVC, thus reopening this one.

The problem: the init_logfile is called before every suspend, thus the /var/log/pm-suspend.log is recreated with wrong label, the code:

rm -f "$1"
exec >> "$1" 2>&1

This is the feature of pm-utils to store only the last suspend log.

Comment 8 Daniel Walsh 2010-12-21 14:04:31 UTC
What AVC?

Comment 9 Jaroslav Škarvada 2010-12-21 14:34:55 UTC
From comment 0 (description) of this bug.

Comment 10 Daniel Walsh 2010-12-21 14:50:56 UTC
Fixed in selinux-policy-3.9.12-2.fc15

Comment 11 Michel Alexandre Salim 2011-02-18 11:55:18 UTC
This exact bug just happened to me after running pm-hibernate, with:


Comment 12 Daniel Walsh 2011-02-18 14:17:35 UTC
ls -lZ /var/log/pm-utils.log
restorecon /var/log/pm-utils.log

The question is how did it get mislabelled.

What is the exact AVC that you got?

Comment 13 Jaroslav Škarvada 2011-03-14 15:12:58 UTC
Created attachment 484216 [details]
SETroubleshoot log after resume

Still problem on F15.

Currently the pm-utils rm the /var/log/pm-suspend.log file before suspend and the newly created log file is labelled var_log_t. It can be relabelled to devicekit_var_log_t by:

# /sbin/restorecon -v /var/log/pm-suspend.log
/sbin/restorecon reset /var/log/pm-suspend.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:devicekit_var_log_t:s0

# ls -Z /var/log/pm-suspend.log
-rw-r--r--. root root system_u:object_r:devicekit_var_log_t:s0 /var/log/pm-suspend.log

but after the next suspend:
# pm-suspend
# ls -Z /var/log/pm-suspend.log
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 /var/log/pm-suspend.log

Comment 14 Jaroslav Škarvada 2011-03-16 16:53:20 UTC
Current code in /usr/lib[64]/pm-utils/pm-functions:

# Try to reinitalize the logfile. Fail unless certian criteria are met.
        rm -f "$1"
        exec >> "$1" 2>&1

Comment 15 Daniel Walsh 2011-03-16 19:23:26 UTC
        rm -f "$1"
        touch "$1"
        restorecon "$1"
        exec >> "$1" 2>&1

Will make SELinux stop complaining.

        > "$1"
        restorecon "$1"
        exec >> "$1" 2>&1

Comment 16 Jaroslav Škarvada 2011-03-17 11:19:01 UTC
Dan, thanks, but I am now getting another AVC before each suspend:

type=AVC msg=audit(1300360173.707:606): avc:  denied  { read } for  pid=6185 comm="restorecon" path="/var/run/pm-utils/locks/pm-powersave.lock" dev=tmpfs ino=174719 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:devicekit_var_run_t:s0 tclass=file

the code in ./pm-utils/functions:
	# $1 = file to use as lockfile
	local lock="${LOCKDIR}/${1##*/}"

	# make sure the directory where the lockfile should be exists
	mkdir -p "${LOCKDIR}"
	touch "${lock}"
	exec 3<"${lock}"
	flock -x -n 3 || return 1
	return 0

Comment 17 Daniel Walsh 2011-03-17 14:09:45 UTC
Ok that one we will need to fix.

Fixed in selinux-policy-3.9.16-5.fc15

Comment 18 Jaroslav Škarvada 2011-03-17 16:41:07 UTC
Thanks, now it is OK.

Comment 19 Fedora Update System 2011-03-17 17:11:39 UTC
pm-utils-1.4.1-6.fc15 has been submitted as an update for Fedora 15.

Comment 20 Fedora Update System 2011-04-15 21:48:54 UTC
pm-utils-1.4.1-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.