1737106 – Trace mode: logger --id fails with "Operation not permitted"

Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.

Bug 1737106 - Trace mode: logger --id fails with "Operation not permitted"

Summary: Trace mode: logger --id fails with "Operation not permitted"

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	30
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-08-02 16:35 UTC by javiertury
Modified:	2019-09-06 12:33 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.14.3-45.fc30
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-09-06 12:33:38 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description javiertury 2019-08-02 16:35:49 UTC

Description of problem:

In trace mode, tlp logger calls are blocked by selinux

Version-Release number of selected component (if applicable):

selinux-policy 3.14.3-42.fc30
tlp 1.2.1-1.fc30

How reproducible:

Follow https://linrunner.de/en/tlp/docs/tlp-configuration.html#tracemode

1. Add the following line to /etc/default/tlp
TLP_DEBUG="arg bat disk lock nm path pm ps rf run sysfs udev usb" 

2. Restart tlp service
$ systemctl restart tlp

3. Do something(e.g. suspend and resume laptop), then take a look at the logs
$ systemctl status tlp
$ tlp-stat -T

Actual results:

logger: Operation not permitted

Expected results:

Debug loggin events


Additional info:

In audit.log
type=AVC msg=audit(1564652336.513:9741): avc:  denied  { sys_admin } for  pid=24166 comm="logger" capability=21  scontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1564653076.144:10069): avc:  denied  { setuid } for  pid=28814 comm="logger" capability=7  scontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tlp_t:s0-s0:c0.c1023 tclass=capability permissive=0

Comment 1 Lukas Vrabec 2019-08-05 15:54:27 UTC

commit b7144a2bc612b9d65145ed485fe1531c064a9ce3 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Aug 5 17:53:41 2019 +0200

    Allow tlp domain run tlp in trace mode BZ(1737106)

Comment 2 Fedora Update System 2019-09-05 06:52:03 UTC

FEDORA-2019-be14ea0375 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-be14ea0375

Comment 3 Fedora Update System 2019-09-05 12:53:03 UTC

selinux-policy-3.14.3-45.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-be14ea0375

Comment 4 Fedora Update System 2019-09-06 12:33:38 UTC

selinux-policy-3.14.3-45.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.