Bug 1586329 - SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.
Summary: SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7bb98eff09db578f92e6b6786d9...
Duplicates: 1510249 1577532 1585485 1585486
Depends On:
Blocks:
Reported: 2018-06-06 02:07 UTC by goghard
Modified: 2018-10-17 05:16 UTC

Fixed In Version: selinux-policy-3.14.1-36.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-29 03:22:13 UTC
Type: ---
Embargoed:


Description goghard 2018-06-06 02:07:02 UTC
Description of problem:
I installed TLP and alerts started to appear. I modified the /etc/default/tlp file to reduce CPU frequencies before starting tlp.
SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iw should be allowed write access on the lock_tlp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iw' --raw | audit2allow -M my-iw
# semodule -X 300 -i my-iw.pp

Additional Information:
Source Context                system_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /run/tlp/lock_tlp [ file ]
Source                        iw
Source Path                   iw
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-30.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.12-300.fc28.x86_64 #1 SMP Fri
                              May 25 21:13:28 UTC 2018 x86_64 x86_64
Alert Count                   8
First Seen                    2018-06-05 20:57:08 -05
Last Seen                     2018-06-05 20:58:08 -05
Local ID                      2c4f9829-34e2-4e11-8ad3-a49fdd03beed

Raw Audit Messages
type=AVC msg=audit(1528250288.390:330): avc:  denied  { write } for  pid=8623 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=411421 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: iw,ifconfig_t,var_run_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.1-30.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.12-300.fc28.x86_64
type:           libreport

Potential duplicate: bug 1373791

Comment 1 Milos Malik 2018-06-06 06:32:45 UTC
# ls -Z /run/tlp/lock_tlp
system_u:object_r:tlp_var_run_t:s0 /run/tlp/lock_tlp
# matchpathcon /run/tlp/lock_tlp 
/run/tlp/lock_tlp	system_u:object_r:var_run_t:s0
#

I believe the problem is the first fcontext pattern:

# semanage fcontext -l | grep tlp
/run/tlp(/.*)?                                     all files          system_u:object_r:tlp_var_run_t:s0 
/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*))    regular file       system_u:object_r:tlp_unit_file_t:s0 
/usr/sbin/tlp                                      regular file       system_u:object_r:tlp_exec_t:s0 
/var/lib/tlp(/.*)?                                 all files          system_u:object_r:tlp_var_lib_t:s0 
# 

The fcontext pattern should look this way:

/var/run/tlp(/.*)?    all files    system_u:object_r:tlp_var_run_t:s0

Use of restorecon does not help the reporter:

# restorecon -vn /run/tlp/lock_tlp
Would relabel /run/tlp/lock_tlp from system_u:object_r:tlp_var_run_t:s0 to system_u:object_r:var_run_t:s0
#

Comment 2 Milos Malik 2018-06-06 06:40:31 UTC
If the fcontext pattern was correctly defined, the denial would not have appeared, because the appropriate rule is already present:

# sesearch -s ifconfig_t -t tlp_var_run_t -c file -A
allow ifconfig_t tlp_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
#

Tested on:

# rpm -qa selinux\* | sort
selinux-policy-3.14.1-30.fc28.noarch
selinux-policy-devel-3.14.1-30.fc28.noarch
selinux-policy-doc-3.14.1-30.fc28.noarch
selinux-policy-minimum-3.14.1-30.fc28.noarch
selinux-policy-mls-3.14.1-30.fc28.noarch
selinux-policy-targeted-3.14.1-30.fc28.noarch
#
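
The diagnosis in Comments 1 and 2, modelled offline as an added example (not part of the bug report or of selinux-policy): the path is resolved against the listed and the proposed fcontext pattern, and the resulting type is checked against the sesearch rule. It assumes the policy aliases /run to /var/run before matching, uses a constructed generic `var_run_t` entry, and approximates libselinux's match ordering by longest literal prefix.

```python
import re

# Assumption: the policy aliases /run to /var/run before fcontext patterns are
# matched, which is consistent with the matchpathcon output in Comment 1.
SUBS = [("/run", "/var/run")]
BASE = [("/var/run(/.*)?", "var_run_t")]            # constructed generic entry
SHIPPED = BASE + [("/run/tlp(/.*)?", "tlp_var_run_t")]       # from semanage
PROPOSED = BASE + [("/var/run/tlp(/.*)?", "tlp_var_run_t")]  # from Comment 1

# Allow rule as printed by sesearch in Comment 2.
ALLOW = ("allow ifconfig_t tlp_var_run_t:file { append create getattr ioctl "
         "link lock open read rename setattr unlink write };")
# AVC record from the report, reduced to the fields used here.
AVC = ('type=AVC msg=audit(1528250288.390:330): avc:  denied  { write } for '
       'pid=8623 comm="ethtool" path="/run/tlp/lock_tlp" '
       'scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0')

def expected_type(path, specs):
    """Alias the path, then take the longest-literal-prefix match (simplified)."""
    for src, dst in SUBS:
        if path == src or path.startswith(src + "/"):
            path = dst + path[len(src):]
            break
    hits = [(len(re.split(r"[(\[.*?+\\]", pat)[0]), typ)
            for pat, typ in specs if re.fullmatch(pat, path)]
    return max(hits)[1] if hits else "default_t"

def parse_avc(line):
    """Return (source type, target type, class, permissions, path)."""
    field = lambda key: re.search(key + r"=(\S+)", line).group(1)
    perms = set(re.search(r"\{ ([^}]*)\}", line).group(1).split())
    return (field("scontext").split(":")[2], field("tcontext").split(":")[2],
            field("tclass"), perms, field("path").strip('"'))

def rule_allows(rule, src, tgt, cls, perms):
    """True if a single sesearch-style allow rule covers the access."""
    m = re.fullmatch(r"allow (\S+) (\S+):(\S+) \{ ([^}]*)\};", rule)
    return m.groups()[:3] == (src, tgt, cls) and perms <= set(m.group(4).split())

def allowed_with_policy_label(avc, rule, specs):
    """Would the access pass if the file carried the label the specs assign?"""
    src, _, cls, perms, path = parse_avc(avc)
    return rule_allows(rule, src, expected_type(path, specs), cls, perms)

if __name__ == "__main__":
    for name, specs in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        print(name, expected_type("/run/tlp/lock_tlp", specs),
              allowed_with_policy_label(AVC, ALLOW, specs))
```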

Comment 3 Lukas Vrabec 2018-06-10 20:57:26 UTC
*** Bug 1585486 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2018-06-10 20:57:31 UTC
*** Bug 1585485 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2018-06-10 20:57:39 UTC
*** Bug 1577532 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2018-06-10 20:57:53 UTC
*** Bug 1510249 has been marked as a duplicate of this bug. ***

Comment 7 seb 2018-07-01 12:33:58 UTC
Not solved in selinux-policy-3.14.1-32.fc28.noarch :(

Comment 8 Mário Lopes 2018-07-09 08:19:56 UTC
Description of problem:
After receiving the following updates:
cinnamon-3.8.7-1.fc28.x86_64                  Mon 09 Jul 2018 07:48:45 AM WEST
nemo-3.8.4-1.fc28.x86_64                      Mon 09 Jul 2018 07:48:43 AM WEST
nemo-extensions-3.8.4-1.fc28.x86_64           Mon 09 Jul 2018 07:48:42 AM WEST
After rebooting the machine I've started to receive the notifications in a continuous loop.

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.3-200.fc28.x86_64
type:           libreport

Comment 9 Fedora Update System 2018-07-25 22:27:44 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 10 Fedora Update System 2018-07-26 16:30:13 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 11 Michael 2018-07-27 13:54:28 UTC
The problem is still present with selinux-policy-3.14.1-36.fc28.

See: 1609307

Comment 12 Fedora Update System 2018-07-29 03:22:13 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 John Gardner 2018-07-29 16:53:26 UTC
Description of problem:
Running TLP on Fedora 28. Dell XPS 9560, every time I plug in the power cable I get the SELinux error.

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.7-200.fc28.x86_64
type:           libreport

Comment 14 amarty 2018-08-10 06:43:33 UTC
Description of problem:
Installed TLP for power management on Fedora 28 and after a wakeup from standby this came up.

Version-Release number of selected component:
selinux-policy-3.14.1-37.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.11-200.fc28.x86_64
type:           libreport

Comment 15 amarty 2018-08-12 16:21:13 UTC
Description of problem:
Installed TLP on Fedora 28 and after wake up from standby this message came up.

Version-Release number of selected component:
selinux-policy-3.14.1-37.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.11-200.fc28.x86_64
type:           libreport

Comment 16 ju.labbe 2018-08-21 07:20:36 UTC
Description of problem:
after installing TLP
after a first troubleshoot
here we are with this second one
good luck guys

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.6-200.fc28.x86_64
type:           libreport

Comment 17 Jean-Loup Tastet 2018-09-24 17:42:46 UTC
Still affected on Fedora 28, with selinux-policy-3.14.1-42.fc28.

Running `sudo systemctl start tlp` results in an AVC and the TLP service fails to start:

● tlp.service - TLP system startup/shutdown
   Loaded: loaded (/usr/lib/systemd/system/tlp.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-09-24 19:34:56 CEST; 2min 54s ago
     Docs: http://linrunner.de/tlp
  Process: 21073 ExecStart=/usr/sbin/tlp init start (code=exited, status=1/FAILURE)
 Main PID: 21073 (code=exited, status=1/FAILURE)

Sep 24 19:34:56 jl-xps systemd[1]: Starting TLP system startup/shutdown...
Sep 24 19:34:56 jl-xps systemd[1]: tlp.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 19:34:56 jl-xps systemd[1]: tlp.service: Failed with result 'exit-code'.
Sep 24 19:34:56 jl-xps systemd[1]: Failed to start TLP system startup/shutdown.

The relevant part of the journal seems to be:

-- Subject: Unit tlp.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit tlp.service has begun starting up.
Sep 24 19:37:53 jl-xps audit[21411]: AVC avc:  denied  { open } for  pid=21411 comm="tlp" path="/run/tlp/lock_tlp" dev="tmpfs" ino=291918 scontext=system_u:system_r:tlp_t:s0 tcontext=unconfined_u:object_r:var_ru>
Sep 24 19:37:53 jl-xps audit[21411]: AVC avc:  denied  { open } for  pid=21411 comm="tlp" path="/run/tlp/lock_tlp" dev="tmpfs" ino=291918 scontext=system_u:system_r:tlp_t:s0 tcontext=unconfined_u:object_r:var_ru>
Sep 24 19:37:53 jl-xps systemd[1]: tlp.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 19:37:53 jl-xps systemd[1]: tlp.service: Failed with result 'exit-code'.
Sep 24 19:37:53 jl-xps systemd[1]: Failed to start TLP system startup/shutdown.
-- Subject: Unit tlp.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit tlp.service has failed.
-- 
-- The result is RESULT.

Comment 18 Jean-Loup Tastet 2018-09-25 09:25:54 UTC
Description of problem:
When resuming the laptop from suspend, with TLP enabled.

Version-Release number of selected component:
selinux-policy-3.14.1-42.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.6-301.local.fc29.x86_64
type:           libreport

Comment 19 Arsalan Rezazadeh 2018-10-17 05:16:48 UTC
Description of problem:
1- Installed tlp
2- On each shutdown SELinux gives this error
3- Also the tlp service is not active
4- systemctl status reports that tlp failed to run
5- lock_tlp error


I use Fedora 27

Version-Release number of selected component:
selinux-policy-3.13.1-284.37.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.18.12-100.fc27.x86_64
type:           libreport

