Bug 1403782 - Several binaries from packages tlp and tlp-rdw are blocked by SELinux
Summary: Several binaries from packages tlp and tlp-rdw are blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-12 11:20 UTC by Alexander Korsunsky
Modified: 2017-11-15 20:10 UTC (History)
14 users (show)

Fixed In Version: selinux-policy-3.13.1-260.14.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-15 20:10:59 UTC
Type: Bug

Attachments (Terms of Use)
Denials for the tlp and tlp-rdw packages (17.17 KB, text/plain)
2016-12-12 11:20 UTC, Alexander Korsunsky 		no flags Details
System start AVCs (3.24 KB, text/plain)
2017-04-10 19:32 UTC, Thomas Koch 		no flags Details
System shutdown AVCs (2.60 KB, text/plain)
2017-04-10 19:33 UTC, Thomas Koch 		no flags Details
System suspend AVCs (2.15 KB, text/plain)
2017-04-10 19:34 UTC, Thomas Koch 		no flags Details
System resume AVCs (945 bytes, text/plain)
2017-04-10 19:34 UTC, Thomas Koch 		no flags Details
3.13.1-280: System start AVCs (1.90 KB, text/plain)
2017-09-12 16:32 UTC, Thomas Koch 		no flags Details
3.13.1-280: System stop AVCs (1.62 KB, text/plain)
2017-09-12 16:32 UTC, Thomas Koch 		no flags Details
3.13.1-280: System suspend AVCs (1.62 KB, text/plain)
2017-09-12 16:33 UTC, Thomas Koch 		no flags Details
3.13.1-280: System resume AVCs (2.81 KB, text/plain)
2017-09-12 16:33 UTC, Thomas Koch 		no flags Details
3.13.1-290: System start AVCs (8.29 KB, text/plain)
2017-10-05 19:35 UTC, Thomas Koch 		no flags Details
3.13.1-290: System stop AVCs (1.78 KB, text/plain)
2017-10-05 19:36 UTC, Thomas Koch 		no flags Details
3.13.1-290: System suepnd/resume AVCs (3.55 KB, text/plain)
2017-10-05 19:37 UTC, Thomas Koch 		no flags Details
3.13.1-295 (723 bytes, text/plain)
2017-10-15 16:51 UTC, Thomas Koch 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Alexander Korsunsky 2016-12-12 11:20:25 UTC 
Created attachment 1230761 [details]
Denials for the tlp and tlp-rdw packages

Description of problem:
After installation

Version-Release number of selected component (if applicable):
tlp-0.9-1.fc25.noarch
tlp-rdw-0.9-1.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

How reproducible:
Every time


Steps to Reproduce:
1. Install packages 'tlp' and 'tlp-rdw'
2. Reboot System
3. Observe audit log


Actual results:
Several denials for binaries `tlp`, `iw`, `x86_energy_perf` and `tpacpi-bat`, `rm` and `mkdir`  from source context tlp_t, see attachment.

Expected results:
Binaries in the package function without denials. 


Additional info:
The package contains functionality specific to Lenovo/IBM Thinkpad laptops. I'm not sure if the denials can be reproduced without the hardware.

The denials for `tpacpi-bat` are only reproducible when the kernel module "acpi_call" from here: https://github.com/teleshoes/acpi_call is compiled and loaded.
Comment 1 Alexander Korsunsky 2017-03-03 16:23:05 UTC 
Judging by the silence of the maintainers, do I understand correctly that the right course of action for me is to spam individual bug reports for every single binary?

Somehow I thought that a comprehensive summary of related denials coming from two very specific packages would be more useful, because maintainers could analyze how it is supposed to work, and then fix the SELinux policy in a sensible manner instead of just running audit2allow 6 times in a row.
But I seem to be mistaken.

I'll reassign the component to the tlp package, maybe their maintainers have a little bit more interest in a functioning package.
If that doesn't work, I will just spam the individual Plugin catchall messages as separate issues.
Comment 2 Jeremy Newton 2017-03-03 18:04:55 UTC 
Hi,

First, I would suggest using TLP's akmod binaries rather than building your own:
http://linrunner.de/en/tlp/docs/tlp-linux-advanced-power-management.html#installation

This is because Fedora does not support this kernel module, but upstream does support them. So if you can reproduce the issues against their binaries, they maybe able to provide better feedback on the denials specific to that module.

I cc-ed the upstream developer, but feel free to make a ticket upstream and provide the URL in this bug report.

https://github.com/linrunner/TLP/issues

I'll see what I can do from my side, but unfortunately I do not have a Thinkpad available to me if this is a HW specific issue. Upstream maybe able to help here as well.
Comment 3 Thomas Koch 2017-03-03 18:39:29 UTC 
Hi, 

this interesting. For my plain vanilla F25 installation i can confirm this one:

> type=AVC msg=audit(1481382358.188:206): avc:  denied  { add_name } for  pid=1485 comm="tpacpi-bat" name="call" scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=1

Stems from tpacpi-bat writing to /proc/acpi/call. I'll add a policy for it upstream for version 1.0 as soon as i learn how to write them.

I don't observe AVCs here when writing to /var/lib/tlp or /run/tlp, but i think it's reasonable to add policies for TLP's "binaries" (scripts).

Also no AVCs here for binaries outside tlp, tlp-rdw like x86_energy_perf, iw, ethtool doing their normal duties on preset paths like:
 
> type=AVC msg=audit(1481382332.490:377): avc:  denied  { open } for  pid=21665 comm="x86_energy_perf" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1107 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file permissive=1

> type=AVC msg=audit(1481382332.519:383): avc:  denied  { open } for  pid=21683 comm="iw" path="/proc/21683/net/psched" dev="proc" ino=4026531994 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1

I see no point in adding policies to tlp, tlp-rdw packages for this.
Comment 4 Alexander Korsunsky 2017-03-08 15:34:44 UTC 
So I removed my custom SELinux policy modules, and the denial situation has changed slightly.


(In reply to Jeremy Newton from comment #2)
> Hi,
> 
> First, I would suggest using TLP's akmod binaries rather than building your
> own:
> http://linrunner.de/en/tlp/docs/tlp-linux-advanced-power-management.
> html#installation

Thanks, I did that now. That simplyifies things.

I now have a new denial, apparently the akmods module has the wrong context:

> type=AVC msg=audit(1488985100.967:143): avc:  denied  { module_load } for  pid=1499 comm="modprobe" path="/usr/lib/modules/4.9.13-200.fc25.x86_64/extra/acpi_call/acpi_call.ko" dev="dm-0" ino=1985736 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1




(In reply to Thomas Koch from comment #3)
> Hi, 
> 
> this interesting. For my plain vanilla F25 installation i can confirm this
> one:
> 
> > type=AVC msg=audit(1481382358.188:206): avc:  denied  { add_name } for  pid=1485 comm="tpacpi-bat" name="call" scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=1


I have that too, and in addition to that:

> type=AVC msg=audit(1488985100.998:144): avc:  denied  { dac_override } for  pid=1505 comm="tpacpi-bat" capability=1  scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:system_r:tlp_t:s0 tclass=capability permissive=1
> type=AVC msg=audit(1488985100.998:147): avc:  denied  { create } for  pid=1505 comm="tpacpi-bat" name="call" scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1488985100.998:145): avc:  denied  { write } for  pid=1505 comm="tpacpi-bat" name="acpi" dev="proc" ino=4026531977 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=1



> I don't observe AVCs here when writing to /var/lib/tlp or /run/tlp, but i
> think it's reasonable to add policies for TLP's "binaries" (scripts).


> Also no AVCs here for binaries outside tlp, tlp-rdw like x86_energy_perf,
> iw, ethtool doing their normal duties on preset paths like:

I still get these, though:

> type=AVC msg=audit(1488985573.902:176): avc:  denied  { write } for  pid=3295 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=28798 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1488985573.906:177): avc:  denied  { write } for  pid=3296 comm="iwconfig" path="/run/tlp/lock_tlp" dev="tmpfs" ino=28798 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1488985573.913:178): avc:  denied  { write } for  pid=3299 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=28798 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0

Which is subject of Fedora bug #1399848 that was "fixed", presumably by running audit2allow.

Not all of the denials come up at boot, so be sure to unplug and re-plug from the power source to trigger denials for testing. Also, I'm not completely sure that this is the extent of all denials - or if more will surface if I leave my device running and more power saving actions will have taken place.


> I see no point in adding policies to tlp, tlp-rdw packages for this.

You don't? To me it seems that either the tlp/tlp-rdw scripts are running in the wrong context, or the /run/tlp/lock_tlp directory has the wrong labels. 
If you look at the above denials, it seems that somehow ifconfig is trying to modify tlp files, so you should at least allow this in a policy.

ps.: Would you rather continue this discussion here, or do you prefer to discuss this on GitHub in a new Issue?
Comment 5 Jeremy Newton 2017-03-30 21:21:31 UTC 
Moving this back to selinux-policy, as I believe this needs to be solved there, but I'm not sure.

Lukas, are you able to help clarify on the process of dealing with selinux policy issues? I see that a few have already been dealt with in the past with the "targeted" sub package (such as rhbz#1409977).

Please let me know if there is anything that the upstream developer or I can help with getting this resolved.
Comment 6 Thomas Koch 2017-04-10 19:30:22 UTC 
I did some research and found the following.

AVCs are thrown when TLP is called in systemd context:

1. System boot
runs: systemctl start tlp (tlp.service)
scontext = system_u:system_r:tlp_t:s0 
results: systemctl_start_tlp.avc (see attachment)

2. System shutdown
runs: systemctl stop tlp (tlp.service)
scontext = system_u:system_r:tlp_t:s0 
results: systemctl_stop_tlp.avc (see attachment)

3. System suspend
runs: tlp-sleep.service
scontext = system_u:system_r:tlp_t:s0
results: system_resume.avc (see attachment)

4. System resume
run: tlp-sleep.service
scontext = system_u:system_r:tlp_t:s0
results: system_resume.avc (see attachment)

The remaining invocation modes for TLP's scripts work fine:

5. Change of power source AC <-> battery
runs: /usr/sbin/tlp auto (via udevd)
scontext = system_u:system_r:udev_t:s0-s0:c0.c1023
results: no AVCs

6. USB device hotplug
runs: /usr/lib/udev/tlp-usb-udev (via udevd)
scontext = system_u:system_r:udev_t:s0-s0:c0.c1023
results: no AVCs

7. Dock/undock laptop
runs: /usr/lib/udev/tlp-rdw-udev (via udevd)
scontext = system_u:system_r:udev_t:s0-s0:c0.c1023
results: no AVCs

8. Connect/disconnect LAN cable
runs: /etc/NetworkManager/dispatcher.d/99tlp-rdw-nm (via NetworkManager)
scontext = system_u:system_r:initrc_t:s0 4782 ? S 0:00 /bin/sh 
results: no AVCs

My conclusion: the targeted policy module in Fedora's selinux-policy-targeted package [1,2] is incomplete and doesn't cover 
scontext = system_u:system_r:tlp_t:s0

A related bug report is #1408434 [3].

[1]
https://src.fedoraproject.org/cgit/rpms/selinux-policy.git/commit/?id=42206f3502a16444082bf61d41c7c008af29bee9
[2]
https://src.fedoraproject.org/cgit/rpms/selinux-policy.git/tree/policy-rawhide-contrib.patch#n109520
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1408434
Comment 7 Thomas Koch 2017-04-10 19:32:29 UTC 
Created attachment 1270568 [details]
System start AVCs
Comment 8 Thomas Koch 2017-04-10 19:33:09 UTC 
Created attachment 1270569 [details]
System shutdown AVCs
Comment 9 Thomas Koch 2017-04-10 19:34:16 UTC 
Created attachment 1270570 [details]
System suspend AVCs
Comment 10 Thomas Koch 2017-04-10 19:34:51 UTC 
Created attachment 1270571 [details]
System resume AVCs
Comment 11 Thomas Koch 2017-04-10 19:49:59 UTC 
Some more remarks: AVCs occur when a TLP in script with scontext = system_u:system_r:tlp_t:s0 calls

1. /usr/bin/logger to write trace output [1] to the journal 
2. /usr/sbin/rfkill which reads/writes /dev/rfkill
3. /usr/share/tlp/tpacpi-bat which reads/writes /proc/acpi/call
4. /usr/sbin/modprobe to load a kernel module
5. /usr/bin/nmcli to communicate with NetworkManager dbus daemon
Comment 12 Thomas Koch 2017-04-12 20:45:55 UTC 
I forgot to mention the trivial case: 

9. Manual invocation 
runs: /usr/sbin/tlp (from the shell)
scontext = unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
results: no AVCs
Comment 13 Thomas Koch 2017-06-08 18:07:39 UTC 
selinux 3.13.1-225.16.fc25 doesn't solve this bug. What can I do to push the solution forward?
Comment 14 Lukas Vrabec 2017-09-06 10:10:58 UTC 
Hi Thomas, 

I added fixes for tlp info F25+. It will be part of new selinux-policy package build. 

THanks,
Lukas.
Comment 15 Thomas Koch 2017-09-12 16:30:49 UTC 
Thanks for the fixes. 

I've re-tested with 3.13.1-280. Above AVCs are gone now but new ones have appeared for:

* tcontext=system_u:object_r:sssd_public_t 
* tcontext=system_u:object_r:sssd_var_lib_t:s0

See attachments.
Comment 16 Thomas Koch 2017-09-12 16:32:05 UTC 
Created attachment 1324967 [details]
3.13.1-280: System start AVCs
Comment 17 Thomas Koch 2017-09-12 16:32:40 UTC 
Created attachment 1324969 [details]
3.13.1-280: System stop AVCs
Comment 18 Thomas Koch 2017-09-12 16:33:07 UTC 
Created attachment 1324970 [details]
3.13.1-280: System suspend AVCs
Comment 19 Thomas Koch 2017-09-12 16:33:38 UTC 
Created attachment 1324972 [details]
3.13.1-280: System resume AVCs
Comment 20 Thomas Koch 2017-10-05 19:33:44 UTC 
Hi Lukas,

re-tested with 3.13.1-280, not solved yet. 

Something must have gone wrong with your latest changes --> see attached AVCs.

Regards, Thomas
Comment 21 Thomas Koch 2017-10-05 19:34:15 UTC 
Correction: retest was with 3.13.1-290 of course.
Comment 22 Thomas Koch 2017-10-05 19:35:41 UTC 
Created attachment 1334986 [details]
3.13.1-290: System start AVCs
Comment 23 Thomas Koch 2017-10-05 19:36:28 UTC 
Created attachment 1334987 [details]
3.13.1-290: System stop AVCs
Comment 24 Thomas Koch 2017-10-05 19:37:03 UTC 
Created attachment 1334988 [details]
3.13.1-290: System suepnd/resume AVCs
Comment 25 Thomas Koch 2017-10-15 16:50:05 UTC 
Hi Lukas,

we're not yet there, but very close now. Remaining AVCs see attachment.

Tested with 3.13.1-295.

Regards, Thomas
Comment 26 Thomas Koch 2017-10-15 16:51:04 UTC 
Created attachment 1338929 [details]
3.13.1-295
Comment 27 Fedora Update System 2017-10-26 12:31:42 UTC 
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
Comment 28 Thomas Koch 2017-11-02 18:02:50 UTC 
Tested once again with 3.13.1-300. Above AVCs from 3.13.1-295 persist.
Comment 29 Lukas Vrabec 2017-11-03 16:23:02 UTC 
Thomas, 

I added fixes based on the latest attachment.
Comment 30 Thomas Koch 2017-11-10 18:40:05 UTC 
Tested with with 3.13.1-302. No AVCs. Great :-)
Comment 31 Fedora Update System 2017-11-15 20:10:59 UTC 
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.