Description of problem:
SELinux is preventing systemd-sleep from 'create' accesses on the file state.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-sleep should be allowed create access on the state file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
# semodule -X 300 -i my-systemdsleep.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                state [ file ]
Source                        systemd-sleep
Source Path                   systemd-sleep
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-218.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct 7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-11 19:35:40 PDT
Last Seen                     2016-10-11 19:35:40 PDT
Local ID                      8985a20d-d32b-4a39-b5fe-85b717d8366e

Raw Audit Messages
type=AVC msg=audit(1476239740.449:513): avc:  denied  { create } for  pid=26929 comm="systemd-sleep" name="state" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

Hash: systemd-sleep,init_t,sysfs_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-218.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.1-1.fc25.x86_64
type:           libreport

Potential duplicate: bug 1380300

Alex, could you please run

# semanage permissive -a init_t

re-test it and

# ausearch -m avc,user_avc -ts recent

After that you can remove permissive domain for init_t using

# semanage permissive -d init_t

Thank you.

Different Alex here with I think a duplicate from https://bugzilla.redhat.com/show_bug.cgi?id=1380300

I tried the above semanage/ausearch. Putting the laptop to sleep by closing the lid, then re-opening and waking does not give an alert from SELinux with "semanage permissive -a init_t". The results of the ausearch are:

----
time->Wed Oct 19 09:57:11 2016
type=USER_AVC msg=audit(1476867431.491:830): pid=1552 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=5) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Oct 19 09:57:32 2016
type=USER_AVC msg=audit(1476867452.153:845): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Removing the permissive domain using "semanage permissive -d init_t" and performing another suspend/resume cycle, there is still no alert from SELinux.

I don't see this anymore on my system
Description of problem:
Close lid on laptop should suspend system.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.13-200.fc25.x86_64
type:           libreport

Description of problem:
The system automatically went into sleep mode. On resuming, this error was reported.

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.3-202.fc25.x86_64
type:           libreport

Description of problem:
I woke the computer up from sleep mode (by opening the lid) and found the selinux fault reported in the Gnome notifications. I don't know what triggered it beyond that.

Version-Release number of selected component:
selinux-policy-3.13.1-225.18.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.8-200.fc25.x86_64
type:           libreport

Description of problem:
SELinux alert was presented after system had been woken up from suspended state.

Version-Release number of selected component:
selinux-policy-3.13.1-225.19.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.12-200.fc25.x86_64
type:           libreport

*** Bug 1485955 has been marked as a duplicate of this bug. ***
Description of problem:
This error happens immediately on every login

Version-Release number of selected component:
selinux-policy-3.13.1-225.18.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.12.8-200.fc25.x86_64
type:           libreport