Bug 1519824 - SELinux is preventing cat from 'read' accesses on the file last_pwr.
Summary: SELinux is preventing cat from 'read' accesses on the file last_pwr.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8a36d62055c24f0cfe80ca2d71e...
: 1474390 1564739 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-12-01 14:02 UTC by patlei99
Modified: 2018-04-07 09:41 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-283.19.fc27
Clone Of:
Environment:
Last Closed: 2018-01-02 16:49:00 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description patlei99 2017-12-01 14:02:42 UTC 
Description of problem:
SELinux is preventing cat from 'read' accesses on the file last_pwr.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cat should be allowed read access on the last_pwr file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cat' --raw | audit2allow -M my-cat
# semodule -X 300 -i my-cat.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                last_pwr [ file ]
Source                        cat
Source Path                   cat
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.15-300.fc27.x86_64 #1 SMP Tue
                              Nov 21 21:10:22 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-12-01 08:57:54 EST
Last Seen                     2017-12-01 08:57:54 EST
Local ID                      e599179d-9bf6-45b9-9924-d1cd0ab0a219

Raw Audit Messages
type=AVC msg=audit(1512136674.814:595): avc:  denied  { read } for  pid=11379 comm="cat" name="last_pwr" dev="tmpfs" ino=18991 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: cat,tlp_t,var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.15-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1474390
Comment 1 Lukas Vrabec 2017-12-12 11:18:19 UTC 
*** Bug 1474390 has been marked as a duplicate of this bug. ***
Comment 2 Fedora Update System 2017-12-13 08:28:29 UTC 
selinux-policy-3.13.1-283.18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
Comment 3 Fedora Update System 2017-12-14 11:13:07 UTC 
selinux-policy-3.13.1-283.18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
Comment 4 Fedora Update System 2017-12-20 11:26:19 UTC 
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
Comment 5 Fedora Update System 2017-12-21 20:22:11 UTC 
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
Comment 6 Fedora Update System 2018-01-02 16:49:00 UTC 
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 krinkodot22 2018-03-31 05:48:53 UTC 
Description of problem:
On a laptop:
-Install TLP
-Enable it with 'sudo tlp start'
-Suspend/sleep laptop, then wake it up

Waking up from suspend/sleep causes this AVC alert.

This is the same issue as Bug 1405768 (and this report will likely added as a comment to that bug). It looks like Lukas Vrabec's recommendation of running 'restorecon -R /run/' does fix this. The case is marked NOTABUG, but from a user standpoint, the bug is that file labels aren't set to TLP-friendly values by default when TLP is installed. If possible, the labels in /run/ should be set to the correct values when TLP gets installed to avoid having to set them manually with restorecon. But, maybe that's a TLP issue instead of a Fedora issue.

Version-Release number of selected component:
selinux-policy-3.13.1-283.29.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.13-300.fc27.x86_64
type:           libreport
Comment 8 Michael 2018-04-07 09:41:08 UTC 
*** Bug 1564739 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.