1013082 – SELinux breaks suspend/resume

Bug 1013082 - SELinux breaks suspend/resume

Summary: SELinux breaks suspend/resume

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-27 19:31 UTC by Brendan Long
Modified:	2013-10-04 15:38 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-09-30 18:01:14 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Brendan Long 2013-09-27 19:31:54 UTC

Description of problem:

GNOME 3 auto-suspends after some period of time. Since a recent upgrade (in the last couple weeks), my computer never resumes (keyboard, mouse, and power button all don't do anything). A google search suggested that SELinux is to blame, so I tried disabling it. Now suspend/resume works perfectly.

Version-Release number of selected component (if applicable):

Name        : selinux-policy
Arch        : noarch
Version     : 3.12.1
Release     : 74.4.fc19

Name        : kernel
Arch        : x86_64
Version     : 3.11.1
Release     : 200.fc19

Name        : xorg-x11-drv-intel
Arch        : x86_64
Version     : 2.21.12
Release     : 2.fc19

How reproducible:

Always.

Steps to Reproduce:

1. Click name in top left corner of the screen.
2. Hold alt.
3. Click suspend.
4. Hit any key, mouse button, or the power button.
5. Watch as nothing happens.
6. Reboot.
7. Disable SELinux.
8. Follow steps 1-4 again.
9. System resumes properly.

Actual results:

System fails to resume.

Expected results:

System resumes.

Additional info:

Processor (+graphics): Intel Core i7 4770 (Haswell)
Motherboard: ASRock H87 Pro4

Comment 1 Daniel Walsh 2013-09-28 10:44:56 UTC

Did you gather any AVC messages?

ausearch -m avc

Comment 2 Brendan Long 2013-09-30 17:27:46 UTC

It's possible it was just a coincidence that disabling SELinux fixed this, since I've had it happen again (but I can't reproduce it by forcing a suspend anymore..).

Here's the output though. We can close this if you think it's not SELinux related, and I'll try to track it down more.

----
time->Wed Aug 14 16:50:13 2013
type=SYSCALL msg=audit(1376520613.539:409): arch=c000003e syscall=47 success=yes exit=16 a0=a a1=7f92cd012bb0 a2=40000000 a3=0 items=0 ppid=1 pid=1118 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="gdbus" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0 key=(null)
type=AVC msg=audit(1376520613.539:409): avc:  denied  { read } for  pid=1118 comm="gdbus" path="/home/blong/.local/share/icc/edid-0c18664c677093fe5ca7ef46eb0850ce.icc" dev="dm-0" ino=4456559 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
----
time->Wed Aug 14 16:50:13 2013
type=SYSCALL msg=audit(1376520613.548:410): arch=c000003e syscall=2 success=no exit=-13 a0=7f92d803b100 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=1 pid=1103 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0 key=(null)
type=AVC msg=audit(1376520613.548:410): avc:  denied  { search } for  pid=1103 comm="colord" name="blong" dev="dm-0" ino=4456449 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
----
time->Wed Aug 14 17:41:48 2013
type=SYSCALL msg=audit(1376523708.666:1289): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=10b4d90 a2=90800 a3=0 items=0 ppid=16251 pid=16805 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1376523708.666:1289): avc:  denied  { read } for  pid=16805 comm="ldconfig" name="lib64" dev="tmpfs" ino=392211 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
----
time->Wed Aug 14 17:41:48 2013
type=SYSCALL msg=audit(1376523708.666:1290): arch=c000003e syscall=2 success=no exit=-13 a0=10a3d20 a1=20241 a2=180 a3=23 items=0 ppid=16251 pid=16805 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1376523708.666:1290): avc:  denied  { write } for  pid=16805 comm="ldconfig" name="etc" dev="tmpfs" ino=391067 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
----
time->Mon Sep  9 15:18:00 2013
type=SYSCALL msg=audit(1378761480.298:1320): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=3 items=0 ppid=1 pid=31613 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761480.298:1320): avc:  denied  { create } for  pid=31613 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:01 2013
type=SYSCALL msg=audit(1378761481.298:1321): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=0 items=0 ppid=1 pid=31613 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761481.298:1321): avc:  denied  { create } for  pid=31613 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:02 2013
type=SYSCALL msg=audit(1378761482.298:1322): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31613 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761482.298:1322): avc:  denied  { create } for  pid=31613 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:03 2013
type=SYSCALL msg=audit(1378761483.298:1323): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=0 items=0 ppid=1 pid=31613 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761483.298:1323): avc:  denied  { create } for  pid=31613 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:09 2013
type=SYSCALL msg=audit(1378761489.942:1324): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31618 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761489.942:1324): avc:  denied  { create } for  pid=31618 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:10 2013
type=SYSCALL msg=audit(1378761490.942:1325): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31617 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761490.942:1325): avc:  denied  { create } for  pid=31617 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:13 2013
type=SYSCALL msg=audit(1378761493.940:1328): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=0 items=0 ppid=1 pid=31618 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761493.940:1328): avc:  denied  { create } for  pid=31618 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:11 2013
type=SYSCALL msg=audit(1378761491.940:1326): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31617 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761491.940:1326): avc:  denied  { create } for  pid=31617 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:12 2013
type=SYSCALL msg=audit(1378761492.940:1327): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31618 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761492.940:1327): avc:  denied  { create } for  pid=31618 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:17 2013
type=SYSCALL msg=audit(1378761497.013:1329): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31618 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761497.013:1329): avc:  denied  { create } for  pid=31618 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:18 2013
type=SYSCALL msg=audit(1378761498.012:1330): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31618 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761498.012:1330): avc:  denied  { create } for  pid=31618 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:19 2013
type=SYSCALL msg=audit(1378761499.012:1331): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31618 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761499.012:1331): avc:  denied  { create } for  pid=31618 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket
----
time->Mon Sep  9 15:18:20 2013
type=SYSCALL msg=audit(1378761500.012:1332): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=1 a3=1 items=0 ppid=1 pid=31617 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c26,c599 key=(null)
type=AVC msg=audit(1378761500.012:1332): avc:  denied  { create } for  pid=31617 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tcontext=unconfined_u:system_r:svirt_t:s0:c26,c599 tclass=rawip_socket

Comment 3 Daniel Walsh 2013-09-30 18:01:14 UTC

Well it looks like you have labelling issues in your homedir and under /usr

restorecon -R -v /home /usr

Will fix those.

You also seem to be launching VMs that require rawip.

# setsebool -P virt_use_rawip 1

Should fix those.

Comment 4 Brendan Long 2013-09-30 18:04:58 UTC

Could it be because I have a swap file in my home directory?

Comment 5 Daniel Walsh 2013-10-04 14:23:57 UTC

I doubt it, did the restorecon above fix you problems?

Comment 6 Brendan Long 2013-10-04 15:38:20 UTC

I don't think that was the problem. I'll create a new bug if I can track this down better. Thanks for your help!

Note You need to log in before you can comment on or make changes to this bug.