Description of problem:
this happens on resume from S3 suspend

SELinux is preventing tlp from 'execute_no_trans' accesses on the Datei /usr/sbin/tlp.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es tlp standardmäßig erlaubt sein sollte, execute_no_trans Zugriff auf tlp file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:tlp_exec_t:s0
Target Objects                /usr/sbin/tlp [ file ]
Source                        tlp
Source Path                   tlp
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages
Target RPM Packages           tlp-1.3.1-1.fc32.noarch
SELinux Policy RPM            selinux-policy-targeted-3.14.5-40.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-40.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.15-300.fc32.x86_64 #1 SMP Fri May 29 14:23:59 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-06-06 16:32:18 CEST
Last Seen                     2020-06-07 00:12:08 CEST
Local ID                      d6ba5a5e-ecf8-44e8-8f0a-a297371215d3

Raw Audit Messages
type=AVC msg=audit(1591481528.851:350): avc: denied { execute_no_trans } for pid=10563 comm="tlp" path="/usr/sbin/tlp" dev="dm-1" ino=655433 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0

Hash: tlp,tlp_t,tlp_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-targeted-3.14.5-40.fc32.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.13.1
hashmarkername: setroubleshoot
kernel: 5.6.15-300.fc32.x86_64
type: libreport
Not a direct duplicate, but the fix for 1806123 is apparently not complete yet. This is with selinux-policy and -targeted 3.14.5-40.fc32 from bodhi. *** This bug has been marked as a duplicate of bug 1806123 ***
Perhaps a "blocks" is better than a duplicate...
Matthias, This really is not a duplicate of any of the previous tlp-related AVCs, and it does not seem to be blocking.
Matthias,

Could you help with gathering all remaining denials to finally have the required policy adjustments complete?

# setenforce 0
<reproduce>
# setenforce 1
# ausearch -i -m avc,user_avc -ts recent
Zdenek, here you are:

----
type=AVC msg=audit(12.06.2020 10:26:32.088:947) : avc: denied { execute_no_trans } for pid=135827 comm=tlp path=/usr/sbin/tlp dev="dm-1" ino=655433 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=1
----
type=USER_AVC msg=audit(12.06.2020 10:29:09.995:975) : pid=2019 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=1) exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
Similar problem has been detected: Happens after suspend to ram hashmarkername: setroubleshoot kernel: 5.6.16-300.fc32.x86_64 package: selinux-policy-targeted-3.14.5-40.fc32.noarch reason: SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp. type: libreport
Similar problem has been detected: Issue occurred upon waking laptop from sleep/suspend. hashmarkername: setroubleshoot kernel: 5.6.16-300.fc32.x86_64 package: selinux-policy-targeted-3.14.5-40.fc32.noarch reason: SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp. type: libreport
Similar problem has been detected:

Started with a fresh install of Fedora.
Installed tlp and tlp-rdw from Fedora repos, both version 1.3.1-1.fc32.
Installed akmod-acpi_call from TLP repo, 1.1.2-2.fc32.

First incident happened two days after the original installation. Incident has reoccurred three more times since then. Checking the system journal, there do not seem to be any corresponding events at those times (no reboots, changes to TLP service status, or suspend/wake events).

hashmarkername: setroubleshoot
kernel: 5.6.16-300.fc32.x86_64
package: selinux-policy-targeted-3.14.5-40.fc32.noarch
reason: SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type: libreport
Similar problem has been detected: Wake up from sleep hashmarkername: setroubleshoot kernel: 5.6.16-300.fc32.x86_64 package: selinux-policy-targeted-3.14.5-40.fc32.noarch reason: SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp. type: libreport
Matthias, Thank you, provided there are no other denials, this PR should address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/267
commit 95a9a41366ddba44d8831356cef4c6dbcf9fd154 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 15 16:56:29 2020 +0200

    Allow tlp_t can_exec() tlp_exec_t

    Resolves: rhbz#1844755

Backported also to F32.
Similar problem has been detected: I get this SELinux warning after resuming my laptop from sleep (suspend to ram) hashmarkername: setroubleshoot kernel: 5.6.18-300.fc32.x86_64 package: selinux-policy-targeted-3.14.5-40.fc32.noarch reason: SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp. type: libreport
(In reply to Zdenek Pytela from comment #10)
> Matthias,
>
> Thank you, provided there are no other denials, this PR should address the
> issue:
> https://github.com/fedora-selinux/selinux-policy-contrib/pull/267

Zdenek, thanks - however I am too unfamiliar with the setup to test this. I take it that I'd need to apply this to the source package and then build, install, and try to reproduce?

At any rate, with the troubleshooter that instructs me to use ausearch and audit2allow and a .te file that contains among others this line

allow tlp_t tlp_exec_t:file execute_no_trans;

and installing that, I can suspend-to-RAM and resume without further SELinux warnings.
Matthias, Thank you for confirming adding the execute_no_trans helped. There will be a new build soon. The pull request was posted for reference, I can prepare a scratchbuild or give detailed instructions if needed, seems not needed this time.
Similar problem has been detected: I un-suspended the PC by pressing on the keyboard. The SELinux error appeared immediately after my desktop became visible. hashmarkername: setroubleshoot kernel: 5.6.14-300.fc32.x86_64 package: selinux-policy-targeted-3.14.5-40.fc32.noarch reason: SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp. type: libreport
Similar problem has been detected: the problem was caused after waking up the laptop from sleep hashmarkername: setroubleshoot kernel: 5.6.18-300.fc32.x86_64 package: selinux-policy-targeted-3.14.5-40.fc32.noarch reason: SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp. type: libreport
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
(In reply to Fedora Update System from comment #18)
> FEDORA-2020-5c374f680a ...
> https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

For me, this update fixes the problem I'd reported. Thank you!
Glad to hear it is working now. Thanks to everybody for reporting and troubleshooting.
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.