Description of problem:
Upgrade to Fedora 36
SELinux is preventing mktemp from 'write' accesses on the directory tlp.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mktemp should be allowed write access on the tlp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
# semodule -X 300 -i my-mktemp.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                tlp [ dir ]
Source                        mktemp
Source Path                   mktemp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-36.5-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.5-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.16-200.fc35.x86_64 #1 SMP PREEMPT Wed Mar 23 00:44:58 CET 2022 x86_64 x86_64
Alert Count                   18
First Seen                    2022-03-30 22:12:13 CEST
Last Seen                     2022-03-30 22:22:10 CEST
Local ID                      3ea87a12-5db4-4ed7-9b81-228a8c290e84

Raw Audit Messages
type=AVC msg=audit(1648671730.555:328): avc: denied { write } for pid=2406 comm="mktemp" name="tlp" dev="tmpfs" ino=829 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0

Hash: mktemp,NetworkManager_dispatcher_t,var_run_t,dir,write

Version-Release number of selected component:
selinux-policy-targeted-36.5-1.fc36.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.17.1
hashmarkername: setroubleshoot
kernel: 5.16.16-200.fc35.x86_64
type: libreport
Michael, Do you know which script triggered this denial?
I have no idea. It's a rather basic installation with TLP enabled, which was upgraded to Fedora 36. Before the upgrade I didn't get any alarms.
It is /usr/lib/NetworkManager/dispatcher.d/99tlp-rdw-nm which triggers this (I just tracked it down on my own system). Setting SELinux to permissive mode allows tlp-rdw to manage my WiFi radio as it did in F35, but with SELinux in enforcing mode every time this dispatcher script is invoked by NetworkManager it fails because it cannot write into /run/tlp.
This comes from the 'tlp-rdw' package, not the base 'tlp' package. For existing users who have enabled WiFi power switching (rfkill), the result of this problem is that disconnecting their LAN link does *not* enable their WiFi link, so they have no network connectivity.
Similar problem has been detected:

system startup with tlp enabled

hashmarkername: setroubleshoot
kernel: 5.17.1-300.fc36.x86_64
package: selinux-policy-targeted-36.6-1.fc36.noarch
reason: SELinux is preventing mktemp from 'write' accesses on the directory tlp.
type: libreport
For what it's worth, I would be happy to test modified versions of the policies on my laptop to see if they address the problem.
AVC from the duplicate bz:

type=AVC msg=audit(1649195759.77:395): avc: denied { read } for pid=2525 comm="readlink" name="virbr0" dev="sysfs" ino=48505 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
*** Bug 2072273 has been marked as a duplicate of this bug. ***
Similar problem has been detected:

tlp enable

hashmarkername: setroubleshoot
kernel: 5.17.2-300.fc36.x86_64
package: selinux-policy-targeted-36.6-1.fc36.noarch
reason: SELinux is preventing mktemp from 'write' accesses on the directory tlp.
type: libreport
*** Bug 2072272 has been marked as a duplicate of this bug. ***
AVC from another dup bz:

type=AVC msg=audit(1649956553.315:401): avc: denied { write } for pid=2704 comm="tlp-readconfs" name="tlp-run.conf_tmpt6VMXI" dev="tmpfs" ino=1939 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
*** Bug 2075641 has been marked as a duplicate of this bug. ***
FEDORA-2022-76963fee71 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71
FEDORA-2022-76963fee71 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-76963fee71` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
The attached build now allows the script to write into the target directory, but then another AVC is generated when 'rfkill' is executed:

type=AVC msg=audit(1650567176.426:309): avc: denied { read write } for pid=5826 comm="rfkill" name="rfkill" dev="devtmpfs" ino=209 scontext=system_u:system_r:NetworkManager_dispatcher_tlp_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0

If that should be reported in a separate BZ please let me know.
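The setroubleshoot report in the first comment and the AVC records quoted in the later comments all share one shape, and the "Hash:" line is just a fingerprint built from a few of their fields. The following added example (not code from this bug, setroubleshoot or the selinux-policy project) parses those four records, rebuilds that fingerprint, emits the allow rule that audit2allow would derive from each record, and groups them by source domain so the new NetworkManager_dispatcher_tlp_t domain from the scratch build shows up as its own bucket; the sample input is the AVC text from this thread embedded as a constructed string.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four AVC records quoted in this bug, embedded as constructed sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(1648671730.555:328): avc: denied { write } for pid=2406 comm="mktemp" name="tlp" dev="tmpfs" ino=829 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1649195759.77:395): avc: denied { read } for pid=2525 comm="readlink" name="virbr0" dev="sysfs" ino=48505 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1649956553.315:401): avc: denied { write } for pid=2704 comm="tlp-readconfs" name="tlp-run.conf_tmpt6VMXI" dev="tmpfs" ino=1939 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1650567176.426:309): avc: denied { read write } for pid=5826 comm="rfkill" name="rfkill" dev="devtmpfs" ino=209 scontext=system_u:system_r:NetworkManager_dispatcher_tlp_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

@dataclass
class Denial:
    comm: str
    perms: List[str]
    source_type: str  # type component of scontext, what a policy rule keys on
    target_type: str  # type component of tcontext
    tclass: str
    enforced: bool  # permissive=0 means the access was actually blocked

    def hash_key(self) -> str:
        # Same shape as the "Hash:" line in the setroubleshoot report above.
        return ",".join([self.comm, self.source_type, self.target_type,
                         self.tclass, " ".join(self.perms)])

    def allow_rule(self) -> str:
        # The rule audit2allow -M would derive from this record (module header omitted).
        return (f"allow {self.source_type} {self.target_type}:{self.tclass} "
                f"{{ {' '.join(self.perms)} }};")

def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial record
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return Denial(comm=fields["comm"], perms=m.group(1).split(),
                  source_type=fields["scontext"].split(":")[2],
                  target_type=fields["tcontext"].split(":")[2],
                  tclass=fields["tclass"],
                  enforced=fields.get("permissive", "0") == "0")

def denials_by_domain(text: str) -> Dict[str, List[Denial]]:
    # Group by source domain: a policy change that moves a script into a new
    # domain (NetworkManager_dispatcher_tlp_t here) appears as a separate bucket.
    out: Dict[str, List[Denial]] = {}
    for d in filter(None, map(parse_avc, text.splitlines())):
        out.setdefault(d.source_type, []).append(d)
    return out
```

Run `denials_by_domain(SAMPLE_AVCS)` over `ausearch -m AVC --raw` output instead of the embedded sample to see which denials happened in enforcing mode and which only appeared while permissive.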
(In reply to Kevin P. Fleming from comment #15)
> The attached build now allows the script to write into the target directory,
> but then another AVC is generated when 'rfkill' is executed:
>
> type=AVC msg=audit(1650567176.426:309): avc: denied { read write } for
> pid=5826 comm="rfkill" name="rfkill" dev="devtmpfs" ino=209
> scontext=system_u:system_r:NetworkManager_dispatcher_tlp_t:s0
> tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0
>
> If that should be reported in a separate BZ please let me know.

It is easy to miss an update, so generally it is better, not this time, you can check if the latest scratch build fixes all problems:
https://github.com/fedora-selinux/selinux-policy/pull/1161
Checks -> Details -> Artifacts -> rpms
Success! With the scratch build RPMs installed I'm able to switch between wired and WiFi connections using tlp-rdw as expected. Thanks!
FEDORA-2022-76963fee71 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.