Bug 1460481 - SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw)
Summary: SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1477664
Reported: 2017-06-11 01:14 UTC by Robert Scheck
Modified: 2021-12-10 15:05 UTC (History)
CC List: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:00:43 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Knowledge Base (Solution) 3355941, last updated 2018-02-16 10:12:21 UTC
Red Hat Product Errata RHBA-2018:3111, last updated 2018-10-30 10:02:09 UTC

Description Robert Scheck 2017-06-11 01:14:30 UTC
Description of problem:
type=AVC msg=audit(1495147151.891:174): avc:  denied  { write } for  pid=2741 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147151.891:174): arch=c000003e syscall=59 success=yes exit=0 a0=1f1d5a0 a1=1e541f0 a2=1e58720 a3=7fffd80779e0 items=0 ppid=2687 pid=2741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/sbin/iw" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1495147151.902:175): avc:  denied  { write } for  pid=2744 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147151.902:175): arch=c000003e syscall=59 success=yes exit=0 a0=1f153f0 a1=1e541f0 a2=1e58720 a3=7fffd8077f70 items=0 ppid=2687 pid=2744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1495147152.470:176): pid=2776 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1495147181.027:177): avc:  denied  { write } for  pid=2924 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147181.027:177): arch=c000003e syscall=59 success=yes exit=0 a0=17b3650 a1=16ee200 a2=16f2740 a3=7ffd66bf8680 items=0 ppid=2888 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/sbin/iw" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1495147181.034:178): avc:  denied  { write } for  pid=2927 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1495147181.034:178): arch=c000003e syscall=59 success=yes exit=0 a0=17b55c0 a1=16ee200 a2=16f2740 a3=7ffd66bf8c10 items=0 ppid=2888 pid=2927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch

How reproducible:
Every time, see above and below. Basically a system with GUI and tlp.

Actual results:
SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw).

Expected results:
No AVC denied.

Comment 4 Lukas Vrabec 2017-10-12 12:18:11 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 6 Robert Scheck 2017-10-12 12:27:57 UTC
(In reply to Lukas Vrabec from comment #4)
> We're going to close this bug as WONTFIX because
> 
>  * of limited capacity of selinux-policy developers
>  * the bug is related to EPEL component or 3rd party SW only
>  * the bug appears in unsupported configuration 
> 
> We believe this bug can be fixed via a local policy module.
> For more information please see: 
> 
>  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow
> 
> If you disagree, please re-open the bug.

I am sorry, but this is not acceptable at all! RHEL ships the SELinux policy
and covers 3rd party software with it. This is the old discussion I already
had with Dan Walsh years ago. From my point of view, Red Hat either needs to
fix the SELinux policy when shipping policy modules affecting any 3rd party
software, or ship a reduced set of the SELinux policy to only cover exactly
the software shipped in RHEL. But as of writing, RHEL ships a SELinux policy
covering both, but with the point that you, Red Hat, are now obviously even
reluctant to fix issues in packages that are shipped with your product, RHEL.

Comment 7 Robert Scheck 2017-10-12 12:31:37 UTC
Cross-filed ticket 01951073 on the Red Hat customer portal.

Comment 8 Miroslav Grepl 2017-10-17 15:21:29 UTC
Robert,
let's discuss how we can help you with this bugzilla.

The point is that we are not able to support all 3rd party SW or EPEL pkgs from the SELinux point of view even if there is a connection to the RHEL distribution policy. If we ship a policy for a service we are not able to predict that it affects or will affect 3rd party SW or EPEL in all cases.

What can we do?

We can help you with writing a local policy using our documentation, tools or discussions. Or we can cooperate on writing a new policy for tlp (if it makes sense) via pull requests on https://github.com/fedora-selinux.

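An added example (my code, not from the bug report, from tlp or from selinux-policy) of the local-policy route Comment 4 and Comment 8 point at: it derives a policy module from "avc: denied" records, with two AVC lines copied from the description embedded as input so it runs offline; on a live host you would feed /var/log/audit/audit.log instead. The module name tlp_local and the helper names are my own choices. Two checks a practitioner should make before loading such a module. First, the SYSCALL records paired with the denials above are syscall=59 (execve on x86_64) with success=yes: the denial comes from the kernel's check on file descriptors that iw and ethtool inherit when tlp's unconfined process execs into ifconfig_t (tlp's open lock file), and SELinux replaces the unauthorised descriptor with /dev/null rather than failing the exec, which is why the commands still run. If the callee does not need the descriptor, a dontaudit rule that silences the noise is the conservative choice, so the generator takes allow or dontaudit as its second argument. Second, the rule audit2allow would hand you, allow ifconfig_t var_run_t:file write, grants the confined ifconfig_t domain write access to every generic var_run_t file under /run, not only /run/tlp/lock_tlp; a narrower fix gives the lock file its own type in a proper tlp policy, which is the fedora-selinux pull-request route Comment 8 offers.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): derive a local
# SELinux policy module from "avc: denied" audit records.  The two AVC lines
# below are copied from the bug description so the script runs offline.

AVC_SAMPLE='type=AVC msg=audit(1495147151.891:174): avc:  denied  { write } for  pid=2741 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1495147151.902:175): avc:  denied  { write } for  pid=2744 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=26857 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file'

# avc_to_te MODULE [allow|dontaudit]
# Reads audit records on stdin and writes a .te module to stdout: a require
# block listing every source/target type and class:permission the records
# mention, then one rule per (source, target, class) with permissions merged
# and de-duplicated.  "dontaudit" silences the denial instead of granting it.
avc_to_te() {
    mod=${1:-tlp_local}
    kind=${2:-allow}
    case $kind in
        allow|dontaudit) ;;
        *) echo "avc_to_te: kind must be allow or dontaudit" >&2; return 2 ;;
    esac
    awk -v mod="$mod" -v kind="$kind" '
    /avc: *denied/ {
        src = ""; tgt = ""; cls = ""; perms = ""
        # permissions are the tokens between the braces, e.g. "{ write }"
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }  # user:role:TYPE:...
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        if (!(src in seen_type)) { seen_type[src] = 1; type_order[++ntypes] = src }
        if (!(tgt in seen_type)) { seen_type[tgt] = 1; type_order[++ntypes] = tgt }
        if (!(cls in seen_cls))  { seen_cls[cls] = 1;  cls_order[++ncls] = cls }
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in seen_rule)) { seen_rule[key] = 1; rule_order[++nrules] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen_perm)) {
                seen_perm[key, p[j]] = 1
                rule_perms[key] = rule_perms[key] (rule_perms[key] == "" ? "" : " ") p[j]
            }
            if (!((cls, p[j]) in seen_cp)) {
                seen_cp[cls, p[j]] = 1
                cls_perms[cls] = cls_perms[cls] (cls_perms[cls] == "" ? "" : " ") p[j]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= ntypes; i++) printf "    type %s;\n", type_order[i]
        for (i = 1; i <= ncls; i++)   printf "    class %s { %s };\n", cls_order[i], cls_perms[cls_order[i]]
        printf "}\n\n"
        for (i = 1; i <= nrules; i++) {
            split(rule_order[i], k, SUBSEP)
            printf "%s %s %s:%s { %s };\n", kind, k[1], k[2], k[3], rule_perms[rule_order[i]]
        }
    }'
}

# install_module MODULE [allow|dontaudit]  < /var/log/audit/audit.log
# Compile and load the module on a RHEL 7 host.  Needs root plus the
# checkpolicy and policycoreutils packages; not exercised offline.
install_module() {
    mod=${1:-tlp_local}
    avc_to_te "$mod" "${2:-allow}" > "$mod.te"
    checkmodule -M -m -o "$mod.mod" "$mod.te"
    semodule_package -o "$mod.pp" -m "$mod.mod"
    semodule -i "$mod.pp"
}

# Stand-alone usage: print the module derived from the embedded records.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te tlp_local allow
```

Run as is, the script prints a module whose only rule is "allow ifconfig_t var_run_t:file { write };" with ifconfig_t, var_run_t and class file { write } in the require block; the two records collapse into one rule because iw and ethtool share the same source type, target type and class. Passing dontaudit as the second argument yields the same module with a dontaudit rule in place of the allow. Whichever you pick, keep the module under your own configuration management and re-check it after each selinux-policy update, since a distribution policy may later add or label the types differently.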
Comment 9 Robert Scheck 2017-10-29 21:54:01 UTC
Often the point is the transition between confined and unconfined, right? I
would like to see a better, more general approach in such cases, rather than writing
yet another SELinux module/policy for yet another third party software. A
confined domain has a negative impact on an unconfined domain in this case.
I personally do not even care that tlp is running unconfined, but SELinux does
once it uses ethtool etc. And this is what I treat as the issue.

Comment 12 Robert Scheck 2018-04-27 15:38:26 UTC
Not solved as per selinux-policy-3.13.1-192.el7_5.3 :-(

Comment 14 seb 2018-07-01 12:32:03 UTC
Not solved in selinux-policy-3.14.1-32.fc28.noarch

Comment 17 errata-xmlrpc 2018-10-30 10:00:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

