Description of problem:
SELinux is preventing (sd-executor) from 'getattr' accesses on the file /usr/lib/systemd/system-sleep/tlp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (sd-executor) should be allowed getattr access on the tlp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(sd-executor)' --raw | audit2allow -M my-sdexecutor
# semodule -X 300 -i my-sdexecutor.pp

Additional Information:
Source Context                system_u:system_r:systemd_sleep_t:s0
Target Context                system_u:object_r:tlp_exec_t:s0
Target Objects                /usr/lib/systemd/system-sleep/tlp [ file ]
Source                        (sd-executor)
Source Path                   (sd-executor)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           tlp-1.3.1-3.fc34.noarch
SELinux Policy RPM            selinux-policy-targeted-3.14.7-25.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-25.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.7-300.fc34.x86_64 #1 SMP Wed Mar 17 18:43:52 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-03-21 07:12:54 PDT
Last Seen                     2021-03-21 23:46:32 PDT
Local ID                      8e68a690-dc7a-4679-8463-32f60e330bdf

Raw Audit Messages
type=AVC msg=audit(1616395592.466:2384): avc: denied { getattr } for pid=45374 comm="(sd-executor)" path="/usr/lib/systemd/system-sleep/tlp" dev="sda3" ino=1472230 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0

Hash: (sd-executor),systemd_sleep_t,tlp_exec_t,file,getattr

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-25.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.7-300.fc34.x86_64
type:           libreport
Similar problem has been detected:

Wake up from sleep

hashmarkername: setroubleshoot
kernel:         5.11.14-300.fc34.x86_64
package:        selinux-policy-targeted-34.3-1.fc34.noarch
reason:         SELinux is preventing (sd-executor) from 'getattr' accesses on the file /usr/lib/systemd/system-sleep/tlp.
type:           libreport
I've already submitted a Fedora PR to address the issue, awaiting review: https://github.com/fedora-selinux/selinux-policy/pull/612
I'm testing selinux-policy-34.4-1.fc34.src.rpm. Selinux still denies tlp execution.

AVC avc: denied { execute } for pid=36298 comm="(direxec)" name="bash" dev="dm-2" ino=1474434 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

Failed to execute /usr/lib/systemd/system-sleep/tlp: Permission denied
/usr/lib/systemd/system-sleep/tlp failed with exit status 1.

SELinux is preventing (direxec) from execute access on the file /usr/bin/bash. For complete SELinux messages run: sealert -l 979e096e-44d7-4dc5-b345-25fd53c17143
SELinux is preventing (direxec) from execute access on the file /usr/bin/bash.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (direxec) should be allowed execute access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(direxec)' --raw | audit2allow -M my-direxec
# semodule -X 300 -i my-direxec.pp

And this is what sealert says

$ sealert -l 979e096e-44d7-4dc5-b345-25fd53c17143
SELinux is preventing (direxec) from execute access on the file /usr/bin/bash.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (direxec) should be allowed execute access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(direxec)' --raw | audit2allow -M my-direxec
# semodule -X 300 -i my-direxec.pp

Additional Information:
Source Context                system_u:system_r:systemd_sleep_t:s0
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        (direxec)
Source Path                   (direxec)
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages           bash-5.1.0-2.fc34.x86_64
SELinux Policy RPM            selinux-policy-targeted-34.4-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.4-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 5.11.16-200.fc33.x86_64 #1 SMP Wed Apr 21 16:08:37 UTC 2021 x86_64 x86_64
Alert Count                   8
First Seen                    2021-04-29 14:47:27 CEST
Last Seen                     2021-04-30 09:18:52 CEST
Local ID                      979e096e-44d7-4dc5-b345-25fd53c17143

Raw Audit Messages
type=AVC msg=audit(1619767132.700:1232): avc: denied { execute } for pid=36298 comm="(direxec)" name="bash" dev="dm-2" ino=1474434 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

Hash: (direxec),systemd_sleep_t,shell_exec_t,file,execute
Similar problem has been detected:

Happens after waking from sleep. Started immediately after upgrading to Fedora 34.

hashmarkername: setroubleshoot
kernel:         5.11.16-300.fc34.x86_64
package:        selinux-policy-targeted-34.3-1.fc34.noarch
reason:         SELinux is preventing (sd-executor) from 'getattr' accesses on the file /usr/lib/systemd/system-sleep/tlp.
type:           libreport
Similar problem has been detected:

After update from F33->F34, /.autorelabel -- closed laptop and opened again, got this error.

hashmarkername: setroubleshoot
kernel:         5.11.16-300.fc34.x86_64
package:        selinux-policy-targeted-34.3-1.fc34.noarch
reason:         SELinux is preventing (sd-executor) from 'getattr' accesses on the file /usr/lib/systemd/system-sleep/tlp.
type:           libreport
Similar problem has been detected:

Upgraded to F34. Happens on wakeup after suspending.

hashmarkername: setroubleshoot
kernel:         5.11.15-300.fc34.x86_64
reason:         SELinux is preventing (sd-executor) from 'getattr' accesses on the file /usr/lib/systemd/system-sleep/tlp.
type:           libreport
The issue as reported has been fixed in selinux-policy-34.4-1.fc34.noarch:

# sesearch -A -s systemd_sleep_t -t tlp_exec_t -c file -p getattr
allow systemd_sleep_t tlp_exec_t:file { execute execute_no_trans getattr ioctl map open read };

There are some other follow-up problems known which should be fixed in the next build.
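To check which of the denials quoted in this report are actually covered by the allow rule that sesearch prints for the fixed policy, here is an added Python example (not part of the bug report, setroubleshoot or the selinux-policy project). It parses the two raw AVC messages and the sesearch output copied from this page and emits audit2allow-style rules only for the permissions the loaded policy still lacks; everything it reads is taken from the report, nothing else is assumed.

```python
import re

# Input copied from this bug: the two raw AVC denials (getattr on the tlp
# script, then execute on bash) and the allow rule sesearch printed for
# selinux-policy-34.4-1.fc34.
AVC_LINES = [
    'type=AVC msg=audit(1616395592.466:2384): avc: denied { getattr } for pid=45374 comm="(sd-executor)" path="/usr/lib/systemd/system-sleep/tlp" dev="sda3" ino=1472230 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:tlp_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1619767132.700:1232): avc: denied { execute } for pid=36298 comm="(direxec)" name="bash" dev="dm-2" ino=1474434 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0',
]
SESEARCH_RULES = [
    'allow systemd_sleep_t tlp_exec_t:file { execute execute_no_trans getattr ioctl map open read };',
]

# AVC records: "avc: denied { perm ... } for ... scontext=u:r:t:s tcontext=u:r:t:s tclass=c"
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
# sesearch/audit2allow rules: "allow src tgt:class { perm ... };"
RULE_RE = re.compile(r'allow (?P<src>\S+) (?P<tgt>\S+):(?P<cls>\S+) \{ (?P<perms>[^}]+)\};')

def parse_avc(line):
    """Return (source type, target type, class, denied perms, comm) for one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    stype = m.group('scontext').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split()), m.group('comm')

def parse_rules(lines):
    """Map (source, target, class) -> permissions the loaded policy allows."""
    allowed = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m:
            key = (m.group('src'), m.group('tgt'), m.group('cls'))
            allowed.setdefault(key, set()).update(m.group('perms').split())
    return allowed

def unresolved(avc_lines, rule_lines):
    """Allow rules still needed for denials the given policy rules do not cover."""
    allowed = parse_rules(rule_lines)
    needed = []
    for line in avc_lines:
        stype, ttype, cls, perms, _comm = parse_avc(line)
        missing = perms - allowed.get((stype, ttype, cls), set())
        if missing:
            needed.append("allow %s %s:%s { %s };" % (stype, ttype, cls, " ".join(sorted(missing))))
    return needed
```

With the report's data, the getattr denial is covered by the fixed policy and only the execute denial on shell_exec_t remains, which matches the follow-up problem described in the comments.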
*** Bug 1956136 has been marked as a duplicate of this bug. ***
Similar problem has been detected:

I don't know

hashmarkername: setroubleshoot
kernel:         5.11.15-300.fc34.x86_64
reason:         SELinux is preventing (sd-executor) from 'getattr' accesses on the file /usr/lib/systemd/system-sleep/tlp.
type:           libreport