Bug 2082404 - SELinux policy prevents systemd_sleep_t from actually suspending
Summary: SELinux policy prevents systemd_sleep_t from actually suspending
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-05-06 03:52 UTC by James Ralston
Modified: 2022-11-15 12:58 UTC (History)
CC List: 5 users

Fixed In Version: selinux-policy-34.1.32-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-15 11:13:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-121229 | 0 | None | None | None | 2022-05-06 04:02:48 UTC
Red Hat Product Errata | RHBA-2022:8283 | 0 | None | None | None | 2022-11-15 11:14:09 UTC

Description James Ralston 2022-05-06 03:52:55 UTC
Description of problem:

I have RHEL9 beta installed on a Dell Latitude 7420.

SELinux is preventing the laptop from suspending when the lid is closed:

May 05 19:55:40 laptop.example.org [7232]: Failed to execute /usr/lib/systemd/system-sleep/sysstat.sleep: Permission denied
May 05 19:55:40 laptop.example.org [7231]: /usr/lib/systemd/system-sleep/sysstat.sleep failed with exit status 1.
May 05 19:55:41 laptop.example.org setroubleshoot[7233]: SELinux is preventing /usr/lib/systemd/systemd-sleep from execute access on the file /usr/lib/systemd/system-sleep/sysstat.sleep.
May 05 19:55:42 laptop.example.org setroubleshoot[7233]: SELinux is preventing /usr/lib/systemd/systemd-sleep from execute access on the file /usr/lib/systemd/system-sleep/sysstat.sleep.

If I place systemd_sleep_t in permissive mode, then suspending works, but a bevy of SELinux (permissive) denies are logged:

May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/lib64/sa/sa1.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from ioctl access on the file /usr/lib64/sa/sa1.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the directory /var/log/sa.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from map access on the file /usr/lib64/sa/sadc.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from read access on the file dev.
May 05 23:13:21 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from getattr access on the file /proc/<pid>/net/dev.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from search access on the directory /var/log/sa/sa05.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from execute access on the file /lib64/ld-linux-x86-64.so.2.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/lib64/sa/sa1.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/bin/bash from ioctl access on the file /usr/lib64/sa/sa1.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from map access on the file /usr/lib64/sa/sadc.
May 05 23:13:22 laptop.example.org setroubleshoot[10630]: SELinux is preventing /usr/lib64/sa/sadc from read access on the file /var/log/sa/sa05.

And:

$ ausearch -m avc -ts today | audit2allow

#============= systemd_sleep_t ==============
allow systemd_sleep_t bin_t:file { execute execute_no_trans };
allow systemd_sleep_t proc_net_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_sleep_t shell_exec_t:file map;
allow systemd_sleep_t shell_exec_t:file execute;
allow systemd_sleep_t sysstat_exec_t:file { execute execute_no_trans getattr ioctl open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_sleep_t sysstat_exec_t:file map;
allow systemd_sleep_t sysstat_log_t:dir { getattr search };
allow systemd_sleep_t sysstat_log_t:file { open read };

This doesn’t look like a rule or two is missing; it looks like either there is a transition rule that is missing (meaning, systemd_sleep_t is being denied all over the place because all of this should be executing in a different SELinux context), or systemd_sleep_t is the correct context, but most of the policy it should have is simply missing.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-34.1.28-1.el9_0.noarch

How reproducible:

Install RHEL9 beta on a laptop and close the lid.

Alternatively, using a tool like pm-suspend to manually force a suspend will likely demonstrate the issue on any modern hardware that supports the ACPI S3 suspend state.
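
To make the triage in the report reproducible, the following script (an added example, not code from the bug report or from selinux-policy) parses raw `ausearch` AVC records, merges them per source domain, target type and object class the way audit2allow does, and then separates execute denials on generic executable types (an allow rule is the right fix) from execute denials on an application's own `*_exec_t` type, where the policy already has a domain for that program and the usual fix is a domain transition plus entrypoint rather than the allow rules audit2allow prints. The AVC lines embedded in it are constructed to resemble the denials quoted above (PIDs, inodes, paths and timestamps are made up); the set of "generic" executable types and the `_exec_t` to `_t` domain-name guess are heuristics of this example and must be confirmed with `sesearch`.

```python
"""Group raw SELinux AVC denials and flag the ones that point at a missing
domain transition rather than a missing allow rule.

Added example for this bug thread; not code from the report or from
selinux-policy.  On a real host pipe audit data in:
    ausearch -m avc -ts today --raw | python3 avc_triage.py
"""
import re
import sys
from collections import defaultdict

# Constructed sample in `ausearch --raw` format, shaped after the denials
# quoted in the report.  PIDs, inodes, timestamps and paths are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1651788940.123:501): avc:  denied  { execute } for  pid=7232 comm="systemd-sleep" name="sysstat.sleep" dev="dm-0" ino=1001 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651800801.456:602): avc:  denied  { execute_no_trans } for  pid=10620 comm="systemd-sleep" path="/usr/lib/systemd/system-sleep/sysstat.sleep" dev="dm-0" ino=1001 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651800801.456:603): avc:  denied  { execute } for  pid=10620 comm="systemd-sleep" path="/usr/bin/bash" dev="dm-0" ino=1002 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651800801.789:604): avc:  denied  { execute execute_no_trans } for  pid=10621 comm="bash" path="/usr/bin/date" dev="dm-0" ino=1003 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651800801.789:605): avc:  denied  { getattr open read } for  pid=10625 comm="sadc" path="/proc/10625/net/dev" dev="proc" ino=1004 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651800801.789:606): avc:  denied  { search } for  pid=10625 comm="sadc" name="sa" dev="dm-0" ino=1005 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:sysstat_log_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Generic executable types that confined domains borrow through
# corecmd_exec_bin()/corecmd_exec_shell()-style interfaces.  Denials on
# these call for an allow rule, not a transition.  Heuristic assumption.
GENERIC_EXEC_TYPES = {"bin_t", "shell_exec_t", "ld_so_t"}


def parse_avcs(text):
    """Return one dict per AVC line: perms, comm, source domain, target type, class."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "comm": m.group("comm"),
            "sdomain": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return records


def summarize(records):
    """Merge denials per (source domain, target type, class), as audit2allow does."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["sdomain"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the merged denials as allow rules (what audit2allow would print)."""
    return [
        f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (sdomain, ttype, tclass), perms in sorted(summary.items())
    ]


def triage(summary):
    """Classify execute denials as (target type, 'allow' | 'transition', advice).

    An execute/execute_no_trans denial on an application-specific *_exec_t
    type means the policy already defines a domain for that program, so the
    fix is normally a type_transition plus entrypoint, not an allow rule.
    The domain name is guessed by string substitution; verify it with sesearch.
    """
    findings = []
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        if tclass != "file" or not perms & {"execute", "execute_no_trans"}:
            continue
        if ttype in GENERIC_EXEC_TYPES:
            findings.append((ttype, "allow",
                             f"{sdomain} runs generic {ttype}: allow rule / corecmd interface"))
        elif ttype.endswith("_exec_t"):
            domain = ttype[:-len("_exec_t")] + "_t"
            findings.append((ttype, "transition",
                             f"{sdomain} -> {domain}? check: sesearch -T -s {sdomain} "
                             f"-t {ttype} -c process"))
    return findings


if __name__ == "__main__":
    text = SAMPLE_AVCS if sys.stdin.isatty() else sys.stdin.read()
    merged = summarize(parse_avcs(text))
    for rule in allow_rules(merged):
        print(rule)
    print()
    for ttype, kind, advice in triage(merged):
        print(f"[{kind:10}] {advice}")
```

On the sample the script reports `sysstat_exec_t` as a transition case and `bin_t`/`shell_exec_t` as allow cases, which is the split between "a rule or two is missing" and "a transition is missing" that the report describes. Loading the allow rules as a local module would make the hooks run inside systemd_sleep_t instead of their own domains, so treat that output as a diagnostic, not a fix.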

Comment 1 James Ralston 2022-05-06 03:56:15 UTC
Forgot to add: I preceded the above testing with:

$ restorecon -FRv /

…so I know that the issue isn’t that the SELinux file contexts are incorrect.

Comment 2 Zdenek Pytela 2022-05-06 07:20:20 UTC
systemd-sleep policy has been updated a lot since creating RHEL 9 branches off Fedora:

d777042ed Allow systemd-sleep get removable devices attributes
6a15f8a70 Allow systemd-sleep tlp_filetrans_named_content()
0a86d22a1 Allow systemd-sleep execute generic programs
ee1015919 Allow systemd-sleep execute shell
c10b82dec Allow systemd-sleep transition to sysstat_t
e51919ac9 Allow systemd-sleep transition to tlp_t
127687278 Allow systemd-sleep transition to unconfined_service_t on bin_t executables
e497209ca allow systemd-sleep to set timer for suspend-then-hibernate

Comment 10 Ceri Williams 2022-10-23 12:38:56 UTC
When will the fix be released? It still seems to be a problem 5 months on.

========================================================================================================
If you believe that systemd-sleep should be allowed execute access on the sysstat.sleep file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.

Source RPM Packages           systemd-udev-250-6.el9_0.1.x86_64
Target RPM Packages           sysstat-12.5.4-3.el9.x86_64
SELinux Policy RPM            selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux 5.14.0-70.26.1.el9_0.x86_64 #1
                              SMP PREEMPT Fri Sep 2 16:07:40 EDT 2022 x86_64
                              x86_64
Alert Count                   2
First Seen                    2022-10-23 12:47:47 BST
Last Seen                     2022-10-23 13:22:58 BST
Local ID                      35d59f0b-4daf-48b3-ae1e-a4ade128ab45
========================================================================================================

$ sudo dmidecode --string system-family
ThinkPad P14s Gen 1

Comment 11 Zdenek Pytela 2022-10-24 08:26:21 UTC
The fix is part of selinux-policy-34.1.32-1.el9, which has been available in CentOS Stream since May.
For RHEL, it will be released with RHEL 9.1 GA later this year.
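
A quick way to tell whether a given host carries this fix, as an added example that is not code from the thread or from Red Hat: compare the installed selinux-policy NVR with the Fixed In Version using rpm's version-comparison rules. The `rpmvercmp` below is a reimplementation of rpm's segment rules (numeric segments beat alphabetic ones, `~` sorts older than its base, `^` sorts newer than its base but older than a longer plain version); the package name is ignored because selinux-policy and selinux-policy-targeted are built from the same source version, and the epoch is ignored because these packages carry none. The `rpm -q` call at the bottom runs only when `rpm` is on PATH.

```python
"""Check whether the installed selinux-policy is at or past the fixed-in
version, using rpm's version comparison rules.

Added example for this bug thread; not code from the thread or from rpm.
"""
import re
import shutil
import subprocess

FIXED_IN = "selinux-policy-34.1.32-1.el9"   # Fixed In Version from the bug

_TOKEN_RE = re.compile(r"\d+|[A-Za-z]+|~|\^")
_ARCH_RE = re.compile(r"\.(noarch|x86_64|aarch64|ppc64le|s390x|i686)$")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp() for a version or release string.

    Segments are runs of digits or letters; other separators are ignored.
    A numeric segment beats an alphabetic one, '~' makes a version older than
    its base (1.0~rc1 < 1.0), '^' makes it newer than its base (1.0^git1 > 1.0)
    but older than any longer plain version (1.0^git1 < 1.0.1).
    """
    if a == b:
        return 0
    ta, tb = _TOKEN_RE.findall(a), _TOKEN_RE.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":
            if x == y:
                i += 1
                continue
            return -1 if x == "~" else 1
        if x == "^" or y == "^":
            if x == y:
                i += 1
                continue
            if x is None:
                return -1
            if y is None:
                return 1
            return -1 if x == "^" else 1
        if x is None:
            return -1
        if y is None:
            return 1
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1      # numeric segment beats alphabetic
        xk, yk = (int(x), int(y)) if xn else (x, y)
        if xk != yk:
            return 1 if xk > yk else -1
        i += 1
    return 0


def parse_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    pkg = _ARCH_RE.sub("", pkg)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def compare_vr(a_pkg, b_pkg):
    """Compare two NVR strings by version, then release; the name is ignored."""
    _, av, ar = parse_nvr(a_pkg)
    _, bv, br = parse_nvr(b_pkg)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


def has_fix(installed, fixed_in=FIXED_IN):
    """True when the installed selinux-policy build is at or past fixed_in."""
    return compare_vr(installed, fixed_in) >= 0


def installed_selinux_policy():
    """Query rpm for the installed selinux-policy NVRA; None if unavailable."""
    if not shutil.which("rpm"):
        return None
    out = subprocess.run(["rpm", "-q", "selinux-policy"],
                         capture_output=True, text=True)
    if out.returncode != 0 or not out.stdout.strip():
        return None
    return out.stdout.strip().splitlines()[0]


if __name__ == "__main__":
    pkg = installed_selinux_policy()
    if pkg is None:
        print("rpm not available or selinux-policy not installed")
    else:
        state = "has" if has_fix(pkg) else "LACKS"
        print(f"{pkg} {state} the fix shipped in {FIXED_IN}")
```

The two package versions quoted earlier in this thread, 34.1.28-1.el9_0 and 34.1.29-1.el9_0.2, both compare older than 34.1.32-1.el9, which is why the z-stream updates seen in Comment 10 still showed the denial.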

Comment 13 errata-xmlrpc 2022-11-15 11:13:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283

