Description of problem: Fedora 27 installed on a 2013-ish Macbook Pro. Happens when waking from suspend (i.e. opening the lid). Tried restorecon (/sbin/restorecon -v /run/tlp/lock_tlp), but it did not remove the issue. audit2allow fixes it. Relevant output from ausearch is: type=AVC msg=audit(1515323163.771:291): avc: denied { open } for pid=11613 comm="tlp" path="/run/tlp/lock_tlp" dev="tmpfs" ino=17816 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 SELinux is preventing tlp from 'open' accesses on the file /run/tlp/lock_tlp. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /run/tlp/lock_tlp default label should be tlp_var_run_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /run/tlp/lock_tlp ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that tlp should be allowed open access on the lock_tlp file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'tlp' --raw | audit2allow -M my-tlp # semodule -X 300 -i my-tlp.pp Additional Information: Source Context system_u:system_r:tlp_t:s0 Target Context system_u:object_r:var_run_t:s0 Target Objects /run/tlp/lock_tlp [ file ] Source tlp Source Path tlp Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.19.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.14.11-300.fc27.x86_64 #1 SMP Wed Jan 3 13:52:28 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-01-06 18:30:51 AWST Last Seen 2018-01-06 18:30:51 AWST Local ID b3ab5538-076f-45f2-b786-12d977ac9755 Raw Audit Messages type=AVC msg=audit(1515234651.688:554): avc: denied { open } for pid=12086 comm="tlp" path="/run/tlp/lock_tlp" dev="tmpfs" ino=18891 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 Hash: tlp,tlp_t,var_run_t,file,open Version-Release number of selected component: selinux-policy-3.13.1-283.19.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.14.11-300.fc27.x86_64 type: libreport Potential duplicate: bug 1405280
Please, update selinux-policy rpm package to the latest version and run: ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /run/tlp/lock_tlp default label should be tlp_var_run_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /run/tlp/lock_tlp Thanks, Lukas.
If you read my comments, I already tried everything you suggested. At the time of writing, my selinux-policy was already at the latest available via dnf (I tried dnf update selinux policy). This was selinux-policy-3.13.1-283.19.fc27.noarch. I tried: /sbin/restorecon -v /run/tlp/lock_tlp and /sbin/restorecon -v /run/tlp/ This worked for some time, but the issue returned because the security context of the file got changed back to system_u:object_r:var_run_t:s0 (instead of system_u:object_r:tlp_var_run_t:s0). How can I figure out what is changing it and why?
Description of problem: Resumed from suspend Version-Release number of selected component: selinux-policy-3.13.1-283.26.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.8-300.fc27.x86_64 type: libreport
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.