Bug 1844755 - SELinux is preventing tlp from 'execute_no_trans' accesses on the Datei /usr/sbin/tlp.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:14ddf4b02640acd34efe7acbc49...
Reported: 2020-06-06 22:14 UTC by Matthias Andree
Modified: 2020-07-02 01:11 UTC (History)

Fixed In Version: selinux-policy-3.14.5-41.fc32
Last Closed: 2020-07-02 01:11:56 UTC

Description Matthias Andree 2020-06-06 22:14:01 UTC
Description of problem:
This happens on resume from S3 suspend.
SELinux is preventing tlp from 'execute_no_trans' accesses on the Datei /usr/sbin/tlp.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es tlp standardmäßig erlaubt sein sollte, execute_no_trans Zugriff auf tlp file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:tlp_exec_t:s0
Target Objects                /usr/sbin/tlp [ file ]
Source                        tlp
Source Path                   tlp
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           tlp-1.3.1-1.fc32.noarch
SELinux Policy RPM            selinux-policy-targeted-3.14.5-40.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-40.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.15-300.fc32.x86_64 #1 SMP Fri
                              May 29 14:23:59 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-06-06 16:32:18 CEST
Last Seen                     2020-06-07 00:12:08 CEST
Local ID                      d6ba5a5e-ecf8-44e8-8f0a-a297371215d3

Raw Audit Messages
type=AVC msg=audit(1591481528.851:350): avc:  denied  { execute_no_trans } for  pid=10563 comm="tlp" path="/usr/sbin/tlp" dev="dm-1" ino=655433 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0


Hash: tlp,tlp_t,tlp_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-targeted-3.14.5-40.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.13.1
hashmarkername: setroubleshoot
kernel:         5.6.15-300.fc32.x86_64
type:           libreport

Comment 1 Matthias Andree 2020-06-06 22:17:15 UTC
Not a direct duplicate, but the fix for 1806123 is apparently not complete yet. This is with selinux-policy and -targeted 3.14.5-40.fc32 from bodhi.

*** This bug has been marked as a duplicate of bug 1806123 ***

Comment 2 Matthias Andree 2020-06-06 22:26:01 UTC
Perhaps a "blocks" is better than a duplicate...

Comment 3 Zdenek Pytela 2020-06-07 08:46:16 UTC
Matthias,

This really is not a duplicate of any of the previous tlp-related AVCs, and it does not seem to be blocking.

Comment 4 Zdenek Pytela 2020-06-08 09:43:37 UTC
Matthias,

Could you help with gathering all remaining denials to finally have the required policy adjustments complete?

  # setenforce 0
<reproduce>
  # setenforce 1
  # ausearch -i -m avc,user_avc -ts recent

Comment 5 Matthias Andree 2020-06-12 08:30:53 UTC
Zdenek, here you are:

----
type=AVC msg=audit(12.06.2020 10:26:32.088:947) : avc:  denied  { execute_no_trans } for  pid=135827 comm=tlp path=/usr/sbin/tlp dev="dm-1" ino=655433 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=1 
----
type=USER_AVC msg=audit(12.06.2020 10:29:09.995:975) : pid=2019 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'

Comment 6 Andre Dierker 2020-06-12 13:09:37 UTC
Similar problem has been detected:

Happens after suspend to ram

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type:           libreport

Comment 7 thedatum+bz 2020-06-12 22:43:30 UTC
Similar problem has been detected:

Issue occurred upon waking laptop from sleep/suspend.

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type:           libreport

Comment 8 jcos 2020-06-14 14:53:18 UTC
Similar problem has been detected:

Started with a fresh install of Fedora
Installed tlp and tlp-rdw from Fedora repos, both version 1.3.1-1.fc32
Installed akmod-acpi_call from TLP repo, 1.1.2-2.fc32

First incident happened two days after the original installation. Incident has reoccurred three more times since then.
Checking the system journal, there do not seem to be any corresponding events at those times (no reboots, changes to TLP service status, or suspend/wake events).

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type:           libreport

Comment 9 Michael 2020-06-14 16:01:48 UTC
Similar problem has been detected:

Wake up from sleep

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type:           libreport

Comment 10 Zdenek Pytela 2020-06-15 14:59:56 UTC
Matthias,

Thank you, provided there are no other denials, this PR should address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/267

Comment 11 Lukas Vrabec 2020-06-16 08:26:38 UTC
commit 95a9a41366ddba44d8831356cef4c6dbcf9fd154 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 15 16:56:29 2020 +0200

    Allow tlp_t can_exec() tlp_exec_t
    
    Resolves: rhbz#1844755


Backported also to F32.

Comment 12 Zdeněk Zikán 2020-06-17 11:47:51 UTC
Similar problem has been detected:

I get this SELinux warning after resuming my laptop from sleep (suspend to ram)

hashmarkername: setroubleshoot
kernel:         5.6.18-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type:           libreport

Comment 13 Matthias Andree 2020-06-17 23:25:48 UTC
(In reply to Zdenek Pytela from comment #10)
> Matthias,
> 
> Thank you, provided there are no other denials, this PR should address the
> issue:
> https://github.com/fedora-selinux/selinux-policy-contrib/pull/267

Zdenek, thanks - however, I am too unfamiliar with the setup to test this. I take it that I'd need to apply this to the source package and then build, install, and try to reproduce?

At any rate, with the troubleshooter that instructs me to use ausearch and audit2allow and a .te file that contains among others this line 
allow tlp_t tlp_exec_t:file execute_no_trans;

and installing that, I can suspend-to-RAM and resume without further SELinux warnings.
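
Added example (not part of the original thread, and not how audit2allow is implemented): a small Python parser run over the audit records quoted in the description and in comment 5, showing how the AVC denials reduce to the single allow rule mentioned in comment 13. The function names `parse_denials` and `allow_rules` are hypothetical; the sample records are copied from this bug.

```python
import re
from collections import defaultdict

# Records copied from this bug: the raw AVC in the description, then the
# AVC and the USER_AVC notice from comment 5 (ausearch -i output).
SAMPLE = '''\
type=AVC msg=audit(1591481528.851:350): avc:  denied  { execute_no_trans } for  pid=10563 comm="tlp" path="/usr/sbin/tlp" dev="dm-1" ino=655433 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(12.06.2020 10:26:32.088:947) : avc:  denied  { execute_no_trans } for  pid=135827 comm=tlp path=/usr/sbin/tlp dev="dm-1" ino=655433 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(12.06.2020 10:29:09.995:975) : pid=2019 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
'''

DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per AVC denial; other records (setenforce notices) are skipped."""
    out = []
    for line in text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        out.append({
            "perms": m.group(1).split(),
            "source": f["scontext"].split(":")[2],  # type is the 3rd context field
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "path": f.get("path"),
            "blocked": f.get("permissive") == "0",  # permissive=1: logged, not blocked
        })
    return out

def allow_rules(denials):
    """Collapse denials into de-duplicated type-enforcement allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE))))
```

The `blocked` flag separates denials enforced at the time (`permissive=0`) from those only logged while `setenforce 0` was in effect, which is why the permissive run requested in comment 4 can surface every remaining denial in one pass. Read each generated rule before loading it as a local module, since it grants exactly what was denied.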

Comment 14 Zdenek Pytela 2020-06-18 06:49:01 UTC
Matthias,

Thank you for confirming adding the execute_no_trans helped. There will be a new build soon.

The pull request was posted for reference. I can prepare a scratch build or give detailed instructions if needed, but that does not seem to be needed this time.

Comment 15 Bastiaan Jacques 2020-06-20 09:08:02 UTC
Similar problem has been detected:

I un-suspended the PC by pressing on the keyboard. The SELinux error appeared immediately after my desktop became visible.

hashmarkername: setroubleshoot
kernel:         5.6.14-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type:           libreport

Comment 16 Mircea Vutcovici 2020-06-21 21:43:47 UTC
Similar problem has been detected:

The problem was caused after waking up the laptop from sleep.

hashmarkername: setroubleshoot
kernel:         5.6.18-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing tlp from 'execute_no_trans' accesses on the file /usr/sbin/tlp.
type:           libreport

Comment 17 Fedora Update System 2020-06-24 11:33:13 UTC
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

Comment 18 Fedora Update System 2020-06-25 01:03:41 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Matthias Andree 2020-06-25 19:47:25 UTC
(In reply to Fedora Update System from comment #18)
> FEDORA-2020-5c374f680a ...
> https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

For me, this update fixes the problem I'd reported. Thank you!

Comment 20 Zdenek Pytela 2020-06-26 14:28:44 UTC
Glad to hear it is working now. Thank you, everybody, for reporting and troubleshooting.

Comment 21 Fedora Update System 2020-07-02 01:11:56 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

