Bug 1460481 - SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw)
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Keywords: Reopened
Reported: 2017-06-10 21:14 EDT by Robert Scheck
Modified: 2017-11-06 10:02 EST
Doc Type: If docs needed, set a value
Last Closed: 2017-10-12 08:18:11 EDT
Type: Bug
Attachments: None
Description Robert Scheck 2017-06-10 21:14:30 EDT
Description of problem:
type=AVC msg=audit(1495147151.891:174): avc:  denied  { write } for  pid=2741 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147151.891:174): arch=c000003e syscall=59 success=yes exit=0 a0=1f1d5a0 a1=1e541f0 a2=1e58720 a3=7fffd80779e0 items=0 ppid=2687 pid=2741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/sbin/iw" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1495147151.902:175): avc:  denied  { write } for  pid=2744 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147151.902:175): arch=c000003e syscall=59 success=yes exit=0 a0=1f153f0 a1=1e541f0 a2=1e58720 a3=7fffd8077f70 items=0 ppid=2687 pid=2744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1495147152.470:176): pid=2776 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1495147181.027:177): avc:  denied  { write } for  pid=2924 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147181.027:177): arch=c000003e syscall=59 success=yes exit=0 a0=17b3650 a1=16ee200 a2=16f2740 a3=7ffd66bf8680 items=0 ppid=2888 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/sbin/iw" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1495147181.034:178): avc:  denied  { write } for  pid=2927 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147181.034:178): arch=c000003e syscall=59 success=yes exit=0 a0=17b55c0 a1=16ee200 a2=16f2740 a3=7ffd66bf8c10 items=0 ppid=2888 pid=2927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch

How reproducible:
Every time, see above and below. Basically a system with GUI and tlp.

Actual results:
SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw).

Expected results:
No AVC denied.
Comment 4 Lukas Vrabec 2017-10-12 08:18:11 EDT
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module.
For more information please see:

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 5 Lukas Vrabec 2017-10-12 08:21:20 EDT
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module.
For more information please see:

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 6 Robert Scheck 2017-10-12 08:27:57 EDT
(In reply to Lukas Vrabec from comment #4)
> We're going to close this bug as WONTFIX because
> 
>  * of limited capacity of selinux-policy developers
>  * the bug is related to EPEL component or 3rd party SW only
>  * the bug appears in unsupported configuration
> 
> We believe this bug can be fixed via a local policy module.
> For more information please see:
> 
>  *
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-
> troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-
> Allowing_Access_audit2allow
> 
> If you disagree, please re-open the bug.

I am sorry, but this is not acceptable at all! RHEL ships the SELinux policy
and with it covers 3rd party software. This is the old discussion I already
had with Dan Walsh years ago. From my point of view, Red Hat either needs to
fix the SELinux policy when shipping policy modules affecting any 3rd party
software, or ship a reduced set of the SELinux policy to only cover exactly
the software shipped in RHEL. But as of writing, RHEL ships a SELinux policy
covering both, but with the point that you, Red Hat, are now obviously even
reluctant to fix issues in packages that are shipped with your product, RHEL.
Comment 7 Robert Scheck 2017-10-12 08:31:37 EDT
Cross-filed ticket 01951073 on the Red Hat customer portal.
Comment 8 Miroslav Grepl 2017-10-17 11:21:29 EDT
Robert,
let's discuss how we can help you with this bugzilla.

The point is that we are not able to support all 3rd party SW or EPEL pkgs from the SELinux point of view, even if there is a connection to the RHEL distribution policy. If we ship a policy for a service, we are not able to predict that it affects or will affect 3rd party SW or EPEL in all cases.

What can we do?

We can help you with writing a local policy using our documentation, tools or discussions. Or we can cooperate on writing a new policy for tlp (if it makes sense) via pull requests on https://github.com/fedora-selinux.
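The description above pastes raw AVC records, and this comment points at writing a local policy module from them. The script below, an added example that is not code from the bug report, from selinux-policy or from the audit2allow tool, parses AVC denial records of the form shown in the description, aggregates them by source type, target type and object class, and renders the `.te` source a local module would need in the same layout audit2allow emits. The sample records are a constructed copy of two lines from the description (the SYSCALL line is trimmed), and the module name `tlp_local` is a placeholder.

```python
"""Parse SELinux AVC denial records and render a local policy module source.

Added example, not part of the bug report. Only the AVC record layout from
the description is assumed; the module name 'tlp_local' is a placeholder.
"""
import re
from collections import defaultdict

# Constructed sample: two AVC records copied from the bug description plus a
# trimmed SYSCALL record, which is not an AVC and must be skipped.
SAMPLE_AVC_RECORDS = [
    'type=AVC msg=audit(1495147151.891:174): avc:  denied  { write } for  pid=2741 comm="iw" '
    'path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 '
    'scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1495147151.902:175): avc:  denied  { write } for  pid=2744 comm="ethtool" '
    'path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 '
    'scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1495147151.902:175): arch=c000003e syscall=59 success=yes exit=0 comm="ethtool"',
]

# Fields that every AVC record carries; the result word decides if it is a denial.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict describing an AVC *denial*, or None for any other record."""
    m = AVC_RE.search(line)
    if not m or m.group('result') != 'denied':
        return None
    rec = m.groupdict()
    rec['perms'] = sorted(rec['perms'].split())
    # comm= and path= are optional in AVC records, so pull them separately.
    for key in ('comm', 'path'):
        km = re.search(r'\b%s="([^"]*)"' % key, line)
        rec[key] = km.group(1) if km else None
    return rec


def context_type(ctx):
    """'system_u:system_r:ifconfig_t:s0-s0:c0.c1023' -> 'ifconfig_t'."""
    return ctx.split(':')[2]


def collect_rules(lines):
    """Aggregate denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
            rules[key].update(rec['perms'])
    return rules


def render_module(rules, name='tlp_local', version='1.0'):
    """Render .te source (module header, require block, allow rules)."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(classes[c]))) for c in sorted(classes)]
    out += ['}', '']
    for key in sorted(rules):
        out.append('allow %s %s:%s { %s };' % (key + (' '.join(sorted(rules[key])),)))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_module(collect_rules(SAMPLE_AVC_RECORDS)), end='')
```

For the records in the description this yields a single rule, `allow ifconfig_t var_run_t:file { write };`, which can be compiled and loaded with `checkmodule -M -m`, `semodule_package` and `semodule -i`. Note what that rule actually grants: write access for the ifconfig_t domain to every file labelled var_run_t, not only /run/tlp/lock_tlp, because the lock file carries the generic /run label. A narrower fix would give the tlp lock directory a type of its own and allow only that, which is the kind of tlp-specific policy the comment above offers to cooperate on.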
Comment 9 Robert Scheck 2017-10-29 17:54:01 EDT
Often the point is the transition between confined and unconfined, right? I
would like to see a better, more general approach in such cases, rather than
writing yet another SELinux module/policy for yet another third party software.
A confined domain has a negative impact on an unconfined domain in this case.
I personally do not even care that tlp is running unconfined, but SELinux does
once it uses ethtool etc. And this is what I treat as an issue.
