Bug 1510249 - SELinux is preventing tlp from 'write' accesses on the file lock_tlp.
Summary: SELinux is preventing tlp from 'write' accesses on the file lock_tlp.
Keywords:
Status: CLOSED DUPLICATE of bug 1586329
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0fe6c4e97436995837796a159e9...
Duplicates: 1564660 1564722
Depends On:
Blocks:
Reported: 2017-11-07 01:51 UTC by Ed Marshall
Modified: 2018-10-18 09:18 UTC (History)

Fixed In Version: selinux-policy-3.13.1-283.16.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-10 20:57:53 UTC
Type: ---



Description Ed Marshall 2017-11-07 01:51:28 UTC
Description of problem:
SELinux is preventing tlp from 'write' accesses on the file lock_tlp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tlp should be allowed write access on the lock_tlp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                lock_tlp [ file ]
Source                        tlp
Source Path                   tlp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.14.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.11-300.fc27.x86_64 #1 SMP Thu
                              Nov 2 18:20:29 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-11-06 17:50:00 PST
Last Seen                     2017-11-06 17:50:00 PST
Local ID                      fe05ff08-cf0e-4309-abf8-f17f69e55bf4

Raw Audit Messages
type=AVC msg=audit(1510019400.859:252): avc:  denied  { write } for  pid=2663 comm="tlp" name="lock_tlp" dev="tmpfs" ino=31656 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: tlp,tlp_t,var_run_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.11-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1474389

Comment 1 Ed Marshall 2017-11-15 11:57:15 UTC
Description of problem:
Unlocked my screen.

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.12-300.fc27.x86_64
type:           libreport

Comment 2 Fedora Update System 2017-11-16 15:13:36 UTC
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 3 Fedora Update System 2017-11-17 18:57:01 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 4 Fedora Update System 2017-11-20 16:57:21 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 redhat 2017-12-03 00:45:45 UTC
Description of problem:
1. Install run `dnf install tlp`
2. Edit `/etc/defaults/tlp`
3. Change `WIFI_PWD_ON_BAT` to `WIFI_PWD_ON_BAT=off`
4. Run `systemctl restart tlp`

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.16-300.fc27.x86_64
type:           libreport

Comment 6 Or Schiro 2018-02-02 10:58:57 UTC
Description of problem:
Installed TLP (dnf install tlp), started it (sudo tlp start) to have enhanced battery saving on my laptop. 

Then I received this SELinux alert if I want to trust TLP. I think TLP can be allowed to have write access, right?

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

Comment 7 Roberto D'Auria 2018-02-05 13:29:08 UTC
Description of problem:
I was doing nothing specifically related to TLP. Perhaps it was triggered by unlocking the screen?

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

Comment 8 Sandipan 2018-02-07 01:38:16 UTC
Description of problem:
When I go to AC adapter mode from battery mode or go to battery mode to AC mode then this error shows up in tlp. 

When I run tlp stat in terminal then the following is shown:

+++ Warnings
* Kernel log shows ata errors (1) possibly caused by the configuration
  SATA_LINKPWR_ON_AC/BAT=min_power or medium_power.
  Consider using medium_power or max_performance instead.
  See the FAQ: http://linrunner.de/en/tlp/docs/tlp-faq.html#warnings
  Details:
[   56.375217] ata2: SError: { PHYRdyChg CommWake }
[   56.375221] ata2.00: failed command: READ FPDMA QUEUED
[   56.375229] ata2.00: cmd 60/20:68:28:14:8e/00:00:0e:00:00/40 tag 13 ncq dma 16384 in
                        res 50/00:03:00:00:00/00:00:00:00:00/a0 Emask 0x10 (ATA bus error)
[   56.375232] ata2.00: status: { DRDY }
[   56.375237] ata2: hard resetting link

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.16-300.fc27.x86_64
type:           libreport

Comment 9 Jonathan Haas 2018-02-11 10:16:39 UTC
Description of problem:
after resuming from standby

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.16-300.fc27.x86_64
type:           libreport

Comment 10 Piotr 2018-02-13 00:36:43 UTC
Description of problem:
The error occurred after setting laptop to sleep mode.

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.16-300.fc27.x86_64
type:           libreport

Comment 11 Martijn Kruiten 2018-02-23 19:54:17 UTC
Description of problem:
I did two things today:

1) I updated my system to the latest updates from the official repositories
2) I installed smartmontools because tlp-stat suggested me to do so

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.3-300.fc27.x86_64
type:           libreport

Comment 12 Martijn Kruiten 2018-02-24 10:58:11 UTC
To fix (temporarily at least):

sudo restorecon -R -v /run/tlp

I don't know why the labels get lost on these files.

Comment 13 Kanak Kshetri 2018-03-07 04:25:59 UTC
Description of problem:
Suspended laptop and then woke it up.

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Comment 14 bjorn 2018-03-08 23:52:22 UTC
Description of problem:
Fedora 27 (SELinux installed by default)

Installed TLP using dnf.
> dnf install tlp

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Comment 15 Jay Turner 2018-03-19 11:52:22 UTC
Description of problem:
Popping up on first-boot.

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.9-300.fc27.x86_64
type:           libreport

Comment 16 Ivan Kupalov 2018-03-26 09:16:29 UTC
Description of problem:
Steps:
- Install Fedora
- Install TLP
- Put laptop to sleep
- Wake laptop up
- SELinux notification with alert appears

Laptop: HP Probook G4

Version-Release number of selected component:
selinux-policy-3.13.1-283.28.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.10-300.fc27.x86_64
type:           libreport

Comment 17 Michael 2018-04-06 20:09:33 UTC
*** Bug 1564660 has been marked as a duplicate of this bug. ***

Comment 18 zethan191 2018-04-07 03:54:36 UTC
*** Bug 1564722 has been marked as a duplicate of this bug. ***

Comment 19 zach.jorgey7 2018-04-13 16:52:39 UTC
Description of problem:
I installed tlp, then started getting selinux alerts. I did not change any configurations after install. I am using a thinkpad t450s.

Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.12-301.fc27.x86_64
type:           libreport

Comment 20 tgvita 2018-04-18 02:04:41 UTC
(In reply to zach.jorgey7 from comment #19)
> Description of problem:
> I installed tlp, then started getting selinux alerts. I did not change any
> configurations after install. I am using a thinkpad t450s.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-283.30.fc27.noarch
> 
> Additional info:
> reporter:       libreport-2.9.3
> hashmarkername: setroubleshoot
> kernel:         4.15.12-301.fc27.x86_64
> type:           libreport

Problem still persists, same symptom and environment (selinux-policy-3.13.1-283.30.fc27)

Comment 21 sebix+redhat.com 2018-04-21 12:38:39 UTC
Description of problem:
After booting I got the denial shown.

When applying the proposed solution, I get another denial for the process flock which also tries to lock this file

Version-Release number of selected component:
selinux-policy-3.13.1-283.30.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.17-300.fc27.x86_64
type:           libreport
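
Added example (not part of the original report or of the selinux-policy project): a short Python triage of the AVC record from the description, relating comment 12's `restorecon` workaround to the follow-up `flock` denial in comment 21. The shortlist of generic types, the "relabel vs. policy" heuristic and the second audit record are assumptions constructed for illustration.

```python
import re

# Assumed shortlist of generic "catch-all" types. A file carrying one of these
# inside a daemon's own runtime directory usually points at a lost label
# rather than at a missing allow rule.
GENERIC_TYPES = {"var_run_t", "tmp_t", "tmpfs_t", "var_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields from one type=AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # Context layout is user:role:type:level; field 2 is the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """'relabel' if the target carries a generic type, else 'policy'."""
    return "relabel" if rec["ttype"] in GENERIC_TYPES else "policy"

def summarize(lines):
    """Group denials by (source type, target type, class); merge perms and comms."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        entry = out.setdefault(key, {"perms": set(), "comms": set(), "action": triage(rec)})
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec["comm"])
    return out

# Record copied from the bug description.
REPORTED = 'type=AVC msg=audit(1510019400.859:252): avc:  denied  { write } for  pid=2663 comm="tlp" name="lock_tlp" dev="tmpfs" ino=31656 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'
# Constructed record modelled on comment 21 (flock denied on the same file).
FOLLOW_UP = 'type=AVC msg=audit(1524314319.000:300): avc:  denied  { lock } for  pid=2700 comm="flock" path="/run/tlp/lock_tlp" dev="tmpfs" ino=31656 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

if __name__ == "__main__":
    for key, e in summarize([REPORTED, FOLLOW_UP]).items():
        print(key, sorted(e["perms"]), sorted(e["comms"]), "->", e["action"])
```

Both denials collapse onto the same (tlp_t, var_run_t, file) triple, so a per-command `audit2allow` module only chases permissions one at a time, while restoring the label on the file addresses both.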

Comment 22 Pilar Bravo 2018-05-08 10:34:19 UTC
Description of problem:
I installed TLP and got this warning from SETroubleshoot.

Version-Release number of selected component:
selinux-policy-3.13.1-283.34.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.17-300.fc27.x86_64
type:           libreport

Comment 23 Alex. H. F. 2018-05-12 10:31:57 UTC
Description of problem:
On wake-up, an error message came up.


Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.5-200.fc27.x86_64
type:           libreport

Comment 24 Frank Büttner 2018-05-26 18:58:09 UTC
With selinux-policy-3.13.1-283.34.fc27.noarch the problem still exists.
So I reopen the bug.

Comment 25 Lukas Vrabec 2018-06-10 20:57:53 UTC

*** This bug has been marked as a duplicate of bug 1586329 ***

Comment 26 Arsalan Rezazadeh 2018-10-18 09:18:26 UTC
This bug is already present on F28 and the tlp service always fails at bootup.

