Bug 2319355 - power-profiles-daemon is blocked in SELinux
Keywords:
Status: CLOSED DUPLICATE of bug 2319316
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 41
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-10-17 11:05 UTC by Kamil Páral
Modified: 2024-10-21 10:43 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-10-21 10:43:14 UTC
Type: Bug
Embargoed:



Description Kamil Páral 2024-10-17 11:05:09 UTC
Description of problem:
In F41, the power-profiles-daemon is blocked by SELinux:

----
type=AVC msg=audit(17.10.2024 12:26:31.529:214) : avc:  denied  { read } for  pid=4259 comm=power-profiles- name=platform_profile_choices dev="sysfs" ino=52678 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.529:215) : avc:  denied  { open } for  pid=4259 comm=power-profiles- path=/sys/firmware/acpi/platform_profile_choices dev="sysfs" ino=52678 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.529:216) : avc:  denied  { getattr } for  pid=4259 comm=power-profiles- path=/sys/firmware/acpi/platform_profile_choices dev="sysfs" ino=52678 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.529:218) : avc:  denied  { read } for  pid=4259 comm=power-profiles- name=passwd dev="dm-0" ino=1627296 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.529:219) : avc:  denied  { open } for  pid=4259 comm=power-profiles- path=/etc/passwd dev="dm-0" ino=1627296 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.529:220) : avc:  denied  { getattr } for  pid=4259 comm=power-profiles- path=/etc/passwd dev="dm-0" ino=1627296 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.530:221) : avc:  denied  { watch } for  pid=4259 comm=power-profiles- path=/sys/firmware/acpi dev="sysfs" ino=1677 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.533:222) : avc:  denied  { read } for  pid=4259 comm=power-profiles- name=+platform:i2c_designware.0 dev="tmpfs" ino=2085 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.533:223) : avc:  denied  { open } for  pid=4259 comm=power-profiles- path=/run/udev/data/+platform:i2c_designware.0 dev="tmpfs" ino=2085 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.533:224) : avc:  denied  { getattr } for  pid=4259 comm=power-profiles- path=/run/udev/data/+platform:i2c_designware.0 dev="tmpfs" ino=2085 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(17.10.2024 12:26:31.535:225) : avc:  denied  { write } for  pid=4259 comm=power-profiles- name=scaling_governor dev="sysfs" ino=19152 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----


Version-Release number of selected component (if applicable):
selinux-policy-41.21-1.fc41.noarch

How reproducible:
always 

Steps to Reproduce:
1. boot F41 and log in

Additional info:
Related (but probably not containing all of this) are bug 2319316, bug 2319317, bug 2319318.

Comment 1 Kamil Páral 2024-10-18 10:35:44 UTC
This is a regression in selinux-policy-0:41.21-1.fc41.noarch. With selinux-policy-0:41.20-1.fc41.noarch I see no such denials.

Comment 2 Christopher Klooz 2024-10-19 17:58:25 UTC
We have a ticket in ask.fedora that seems to describe the same problem: https://discussion.fedoraproject.org/t/constantly-getting-se-linux-avc-denial-notifications-after-upgrading-to-fedora-41/134100

The user has selinux-policy-41.21-1.fc41.src.rpm. Here is a related extract of the user's log:

The logs are not fully equal (but comparable) to the above, but look like a different manifestation of the same issue. Maybe the differences can add some information to the problem solving:

```
time->Fri Oct 18 15:40:08 2024
type=AVC msg=audit(1729258808.972:1532): avc:  denied  { getattr } for  pid=2357 comm="power-profiles-" path="/sys/devices/pci0000:00/0000:00:01.1/0000:01:00.0/drm/card0/uevent" dev="sysfs" ino=53823 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:41:39 2024
type=AVC msg=audit(1729258899.237:1589): avc:  denied  { read } for  pid=2357 comm="power-profiles-" name="uevent" dev="sysfs" ino=53823 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:41:39 2024
type=AVC msg=audit(1729258899.237:1590): avc:  denied  { open } for  pid=2357 comm="power-profiles-" path="/sys/devices/pci0000:00/0000:00:01.1/0000:01:00.0/drm/card0/uevent" dev="sysfs" ino=53823 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:41:39 2024
type=AVC msg=audit(1729258899.237:1591): avc:  denied  { getattr } for  pid=2357 comm="power-profiles-" path="/sys/devices/pci0000:00/0000:00:01.1/0000:01:00.0/drm/card0/uevent" dev="sysfs" ino=53823 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:41:39 2024
type=AVC msg=audit(1729258899.237:1592): avc:  denied  { read } for  pid=2357 comm="power-profiles-" name="c226:0" dev="tmpfs" ino=5600 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:41:39 2024
type=AVC msg=audit(1729258899.237:1593): avc:  denied  { open } for  pid=2357 comm="power-profiles-" path="/run/udev/data/c226:0" dev="tmpfs" ino=5600 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:41:39 2024
type=AVC msg=audit(1729258899.237:1594): avc:  denied  { getattr } for  pid=2357 comm="power-profiles-" path="/run/udev/data/c226:0" dev="tmpfs" ino=5600 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:42:39 2024
type=AVC msg=audit(1729258959.444:1599): avc:  denied  { read } for  pid=2357 comm="power-profiles-" name="c226:0" dev="tmpfs" ino=5600 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:42:39 2024
type=AVC msg=audit(1729258959.444:1600): avc:  denied  { open } for  pid=2357 comm="power-profiles-" path="/run/udev/data/c226:0" dev="tmpfs" ino=5600 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Fri Oct 18 15:42:39 2024
type=AVC msg=audit(1729258959.444:1601): avc:  denied  { getattr } for  pid=2357 comm="power-profiles-" path="/run/udev/data/c226:0" dev="tmpfs" ino=5600 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
```

Some more data can be found in the ask.fedora ticket.
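
Added example, not part of the original report or of any Fedora tooling: a Python triage sketch that parses both AVC line styles quoted in this bug (interpreted and raw) and collapses them into one permission set per (source type, target type, class), which makes it easy to compare two reports of the same regression. The names `parse_avc`, `summarize` and `SAMPLE` are hypothetical; the sample lines are copied from the logs above.

```python
import re
from collections import defaultdict

# Constructed sample: six denials copied from the two log styles in this report
# (interpreted `ausearch -i` style output and raw audit.log records).
SAMPLE = """\
type=AVC msg=audit(17.10.2024 12:26:31.529:214) : avc:  denied  { read } for  pid=4259 comm=power-profiles- name=platform_profile_choices dev="sysfs" ino=52678 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(17.10.2024 12:26:31.529:219) : avc:  denied  { open } for  pid=4259 comm=power-profiles- path=/etc/passwd dev="dm-0" ino=1627296 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(17.10.2024 12:26:31.530:221) : avc:  denied  { watch } for  pid=4259 comm=power-profiles- path=/sys/firmware/acpi dev="sysfs" ino=1677 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(17.10.2024 12:26:31.535:225) : avc:  denied  { write } for  pid=4259 comm=power-profiles- name=scaling_governor dev="sysfs" ino=19152 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1729258808.972:1532): avc:  denied  { getattr } for  pid=2357 comm="power-profiles-" path="/sys/devices/pci0000:00/0000:00:01.1/0000:01:00.0/drm/card0/uevent" dev="sysfs" ino=53823 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1729258899.237:1593): avc:  denied  { open } for  pid=2357 comm="power-profiles-" path="/run/udev/data/c226:0" dev="tmpfs" ino=5600 scontext=system_u:system_r:powerprofiles_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values are quoted (raw) or bare (-i)


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None  # truncated record
    return {
        "perms": m["perms"].split(),
        # An SELinux context is user:role:type:level; the type is the third field.
        "source": f["scontext"].split(":")[2],
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "object": f.get("path") or f.get("name"),
        # permissive=1: the denial was logged but the access was not blocked.
        "enforced": f.get("permissive") == "0",
    }


def summarize(text):
    """Group denials by (source type, target type, class) -> permission list."""
    rules = defaultdict(set)
    for d in filter(None, map(parse_avc, text.splitlines())):
        rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in rules.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The output is a comparison aid for triage, not a policy module; the fix for this bug is the updated selinux-policy build mentioned in the thread.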

Comment 3 Zdenek Pytela 2024-10-21 10:43:14 UTC
It is a superset of two other bugs and will be addressed by the next build.

*** This bug has been marked as a duplicate of bug 2319316 ***

