Bug 663995 - SELinux is preventing /sbin/consoletype from 'ioctl' accesses on the file /var/log/pm-suspend.log.
Summary: SELinux is preventing /sbin/consoletype from 'ioctl' accesses on the file /va...
Alias: None
Product: Fedora
Classification: Fedora
Component: pm-utils
Version: 15
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:7b9ea96c480...
: 663993 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2010-12-17 17:01 UTC by Matěj Cepl
Modified: 2018-04-11 06:57 UTC (History)
10 users (show)

Fixed In Version: pm-utils-1.4.1-6.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-04-15 21:49:00 UTC
Type: ---

Attachments (Terms of Use)
SETroubleshoot log after resume (2.74 KB, text/plain)
2011-03-14 15:12 UTC, Jaroslav Škarvada
no flags Details

Description Matěj Cepl 2010-12-17 17:01:49 UTC
SELinux is preventing /sbin/consoletype from 'ioctl' accesses on the file /var/log/pm-suspend.log.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/var/log/pm-suspend.log default label should be devicekit_var_log_t.
Then you can run restorecon.
# /sbin/restorecon -v /var/log/pm-suspend.log

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that consoletype should be allowed ioctl access on the pm-suspend.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                unconfined_u:object_r:var_log_t:s0
Target Objects                /var/log/pm-suspend.log [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           initscripts-9.23-2.fc15
Target RPM Packages           pm-utils-1.4.1-3.fc15
Policy RPM                    selinux-policy-3.9.10-12.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-0.rc5.git2.1.fc15.x86_64 #1
                              SMP Thu Dec 9 19:08:58 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Čt 16. prosinec 2010, 07:46:00 CET
Last Seen                     Čt 16. prosinec 2010, 07:46:00 CET
Local ID                      3e35b573-97b8-47b9-a19c-526f0112b71e

Raw Audit Messages
type=AVC msg=audit(1292481960.607:1319): avc:  denied  { ioctl } for  pid=30635 comm="consoletype" path="/var/log/pm-suspend.log" dev=dm-1 ino=8036 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1292481960.607:1319): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=0 a1=541c a2=7fff85f867df a3=d items=0 ppid=30634 pid=30635 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=8 comm=consoletype exe=/sbin/consoletype subj=unconfined_u:system_r:consoletype_t:s0 key=(null)

#============= consoletype_t ==============
allow consoletype_t var_log_t:file ioctl;

Comment 1 Daniel Walsh 2010-12-17 20:43:04 UTC
restorecon /var/log/pm-suspend.log 

For some reason this file got created with the wrong label.

Did you run pm-suspend manually?

Comment 2 Daniel Walsh 2010-12-17 20:43:40 UTC
*** Bug 663993 has been marked as a duplicate of this bug. ***

Comment 3 Matěj Cepl 2010-12-20 08:58:48 UTC
(In reply to comment #1)
> restorecon /var/log/pm-suspend.log 
> For some reason this file got created with the wrong label.
> Did you run pm-suspend manually?

Yes, I did (with constantly crashing gnome-power-manager, it was the only way how to suspend). Why just plain

sudo pm-suspend

is not allowed?

Comment 4 Daniel Walsh 2010-12-20 14:26:16 UTC
I think I already have a bug report to switch pm-utils to append output to its log files rather then write to them.

Comment 5 Jaroslav Škarvada 2010-12-20 15:02:27 UTC
Bug 660329 description was already committed and present in pm-utils-1.4.1-3.fc15, probably it doesn't resolve this problem.

Comment 6 Daniel Walsh 2010-12-20 20:37:31 UTC
I believe that will fix this bug.

*** This bug has been marked as a duplicate of bug 660329 ***

Comment 7 Jaroslav Škarvada 2010-12-21 09:40:50 UTC
Sorry, it still does not work. The boot sequence seems clean, but the pm-suspend still emits AVC, thus reopening this one.

The problem: the init_logfile is called before every suspend, thus the /var/log/pm-suspend.log is recreated with wrong label, the code:

rm -f "$1"
exec >> "$1" 2>&1

This is the feature of pm-utils to store only the last suspend log.

Comment 8 Daniel Walsh 2010-12-21 14:04:31 UTC
What AVC?

Comment 9 Jaroslav Škarvada 2010-12-21 14:34:55 UTC
From comment 0 (description) of this bug.

Comment 10 Daniel Walsh 2010-12-21 14:50:56 UTC
Fixed in selinux-policy-3.9.12-2.fc15

Comment 11 Michel Alexandre Salim 2011-02-18 11:55:18 UTC
This exact bug just happened to me after running pm-hibernate, with:


Comment 12 Daniel Walsh 2011-02-18 14:17:35 UTC
ls -lZ /var/log/pm-utils.log
restorecon /var/log/pm-utils.log

The question is how did it get mislabelled.

What is the exact AVC that you got?

Comment 13 Jaroslav Škarvada 2011-03-14 15:12:58 UTC
Created attachment 484216 [details]
SETroubleshoot log after resume

Still problem on F15.

Currently the pm-utils rm the /var/log/pm-suspend.log file before suspend and the newly created log file is labelled var_log_t. It can be relabelled to devicekit_var_log_t by:

# /sbin/restorecon -v /var/log/pm-suspend.log
/sbin/restorecon reset /var/log/pm-suspend.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:devicekit_var_log_t:s0

# ls -Z /var/log/pm-suspend.log
-rw-r--r--. root root system_u:object_r:devicekit_var_log_t:s0 /var/log/pm-suspend.log

but after the next suspend:
# pm-suspend
# ls -Z /var/log/pm-suspend.log
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 /var/log/pm-suspend.log

Comment 14 Jaroslav Škarvada 2011-03-16 16:53:20 UTC
Current code in /usr/lib[64]/pm-utils/pm-functions:

# Try to reinitalize the logfile. Fail unless certian criteria are met.
        rm -f "$1"
        exec >> "$1" 2>&1

Comment 15 Daniel Walsh 2011-03-16 19:23:26 UTC
        rm -f "$1"
        touch "$1"
        restorecon "$1"
        exec >> "$1" 2>&1

Will make SELinux stop complaining.

        > "$1"
        restorecon "$1"
        exec >> "$1" 2>&1

Comment 16 Jaroslav Škarvada 2011-03-17 11:19:01 UTC
Dan, thanks, but I am now getting another AVC before each suspend:

type=AVC msg=audit(1300360173.707:606): avc:  denied  { read } for  pid=6185 comm="restorecon" path="/var/run/pm-utils/locks/pm-powersave.lock" dev=tmpfs ino=174719 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:devicekit_var_run_t:s0 tclass=file

the code in ./pm-utils/functions:
	# $1 = file to use as lockfile
	local lock="${LOCKDIR}/${1##*/}"

	# make sure the directory where the lockfile should be exists
	mkdir -p "${LOCKDIR}"
	touch "${lock}"
	exec 3<"${lock}"
	flock -x -n 3 || return 1
	return 0

Comment 17 Daniel Walsh 2011-03-17 14:09:45 UTC
Ok that one we will need to fix.

Fixed in selinux-policy-3.9.16-5.fc15

Comment 18 Jaroslav Škarvada 2011-03-17 16:41:07 UTC
Thanks, now it is OK.

Comment 19 Fedora Update System 2011-03-17 17:11:39 UTC
pm-utils-1.4.1-6.fc15 has been submitted as an update for Fedora 15.

Comment 20 Fedora Update System 2011-04-15 21:48:54 UTC
pm-utils-1.4.1-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.