Bug 809832 - avc on tuned-adm profile powersave
Summary: avc on tuned-adm profile powersave
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 809836 809837 809838 810021 810025 810027 810029 810030 810031 810032 820464 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-04 13:35 UTC by Richard Marko
Modified: 2016-02-01 02:22 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-03 23:29:35 UTC
Type: Bug


Attachments (Terms of Use)
tuned_audit.log (426.05 KB, text/x-log)
2012-04-05 00:09 UTC, Michal Ambroz
no flags Details

Description Richard Marko 2012-04-04 13:35:37 UTC
Running
tuned-adm profile powersave

produces avc.

Additional Information:
Source Context                system_u:system_r:tuned_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/tuned/balanced/script.sh [ file ]
Source                        tuned
Source Path                   tuned
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           tuned-2.0.1-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.0-1.fc17.i686 #1
                              SMP Mon Mar 19 03:19:22 UTC 2012 i686 i686
Alert Count                   4
First Seen                    Wed 04 Apr 2012 10:10:55 AM EDT
Last Seen                     Wed 04 Apr 2012 10:32:07 AM EDT
Local ID                      bb4e9b10-5b90-43b1-860c-ccbf0bcbf30f

Raw Audit Messages
type=AVC msg=audit(1333549927.362:310): avc:  denied  { execute_no_trans } for  pid=2689 comm="tuned" path="/usr/lib/tuned/balanced/script.sh" dev="dm-0" ino=37954 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

Comment 1 Michal Ambroz 2012-04-04 23:43:58 UTC
*** Bug 810025 has been marked as a duplicate of this bug. ***

Comment 2 Michal Ambroz 2012-04-04 23:45:05 UTC
*** Bug 809836 has been marked as a duplicate of this bug. ***

Comment 3 Michal Ambroz 2012-04-04 23:45:53 UTC
*** Bug 810021 has been marked as a duplicate of this bug. ***

Comment 4 Michal Ambroz 2012-04-04 23:47:12 UTC
*** Bug 809837 has been marked as a duplicate of this bug. ***

Comment 5 Michal Ambroz 2012-04-04 23:50:57 UTC
*** Bug 810029 has been marked as a duplicate of this bug. ***

Comment 6 Michal Ambroz 2012-04-04 23:51:45 UTC
*** Bug 810030 has been marked as a duplicate of this bug. ***

Comment 7 Michal Ambroz 2012-04-04 23:52:28 UTC
*** Bug 809838 has been marked as a duplicate of this bug. ***

Comment 8 Michal Ambroz 2012-04-04 23:52:52 UTC
*** Bug 810031 has been marked as a duplicate of this bug. ***

Comment 9 Michal Ambroz 2012-04-04 23:53:35 UTC
*** Bug 810032 has been marked as a duplicate of this bug. ***

Comment 10 Michal Ambroz 2012-04-04 23:54:06 UTC
*** Bug 810027 has been marked as a duplicate of this bug. ***

Comment 11 Michal Ambroz 2012-04-05 00:09:57 UTC
Created attachment 575243 [details]
tuned_audit.log

Running of "tuned-adm profile {something}" triggered yet some SElinux events.

Attached (tuned_audit.log) is grep from audit.log from running it / allowing it until SElinux was happy so you get idea what everything is triggered.

tuned-adm list | grep -e "^-" | cut -c 3-|xargs -n 1 tuned-adm profile
grep -E "sysctl|df|ls|tuned|script.sh|mount" /var/log/audit/audit.log | audit2allow -M mypol 
semodule -i mypol.pp

Comment 12 Miroslav Grepl 2012-04-05 08:01:27 UTC
Some of these issues are fixed in the latest policy. I am fixing labeling for scripts located in the /usr/lib/tuned.

But what does /usr/lib/tuned/balanced/script.sh do?

Comment 13 Michal Ambroz 2012-04-05 09:15:35 UTC
Hi,
this question is probably best to be answered by Jaroslav Škarvada (jskarvad).

Issues were found as part of the PM test day.
https://fedoraproject.org/w/index.php?title=Test_Day:2012-04-04_Power_Management

Best regards
Michal Ambroz

Comment 14 Miroslav Grepl 2012-04-05 09:22:57 UTC
Yes, this is a question for Jaroslav.

Comment 15 Jaroslav Škarvada 2012-04-05 10:02:49 UTC
(In reply to comment #12)
> Some of these issues are fixed in the latest policy. I am fixing labeling for
> scripts located in the /usr/lib/tuned.
> 
> But what does /usr/lib/tuned/balanced/script.sh do?
>
Functionality is similar to our previous ktune tool from old tuned.

Currently system profiles are stored under the following tree:
 /usr/lib/tuned/PROFILE_NAME/

Some profiles has script.sh, e.g. for balanced profile there is:
 /usr/lib/tuned/balanced/script.sh

Currently the script.sh from balanced profile do:
Writes temporal files under /run/tuned/
RW /sys/devices/system/cpu/$cpu/cpufreq/scaling_governor
RW /sys/module/snd_ac97_codec/parameters/power_save
RW /sys/module/snd_hda_intel/parameters/power_save
RW /sys/class/drm/card0/device/power_profile
RW /sys/class/drm/card0/device/power_method

Other profiles also do:
RW /sys/block/*/queue/scheduler
Remounts no boot and no root partitions with parameters 'barrier', 'nobarrier',
'commit=*', 'noatime' 
RW /sys/block/*/queue/read_ahead_kb
RW to /sys/bus/pci/devices/*/power_level
Executes iwpriv
Executes /usr/libexec/tuned/pmqos-static.py
RW /sys/bus/usb/devices/*/power/autosuspend
RW /sys/class/scsi_host/*/link_power_management_policy
R /sys/class/scsi_host/*/ahci_port_cmd
RW /sys/devices/system/cpu/sched_mc_power_savings
Executes hdparm
Executes hciconfig
Executes sync
Modifies /etc/rsyslog.conf
RW /sys/kernel/mm/redhat_transparent_hugepage/enabled

We maintain dbase of tunings and periodically update it / add new tunings.

User profiles (administrators provided) are stored under:
/etc/tuned/PROFILE_NAME

This profiles can be written / modified by administrators. They can also
execute scripts - mostly files under:
/etc/tuned/PROFILE_NAME/
by default script.sh, but can have arbitrary name.

Tuned process also needs to listen on D-Bus system bus.
It also sends signals to itself.

tuned-adm needs to send signals to tuned process.

Comment 16 Miroslav Grepl 2012-05-11 05:22:58 UTC
*** Bug 820464 has been marked as a duplicate of this bug. ***

Comment 17 Miroslav Grepl 2012-05-17 14:51:18 UTC
Added more fixes to selinux-policy-3.10.0-126.fc17

Comment 18 Fedora Update System 2012-05-31 06:24:25 UTC
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17

Comment 19 Fedora Update System 2012-06-01 17:06:56 UTC
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2012-06-03 23:29:35 UTC
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Scott Castaline 2012-12-21 18:54:46 UTC
I have just recently started getting this error. It has occurred 12 times in the last week and a half. Currently running 3.6.10-2.fc17.x86_64

Comment 22 Scott Castaline 2012-12-21 18:57:19 UTC
Forgot to add policy: selinux-policy-3.10.0-161.fc17.

Comment 23 Daniel Walsh 2012-12-21 19:01:23 UTC
Please attach the actual AVC.

Comment 24 Scott Castaline 2012-12-21 19:05:46 UTC
Not sure if this is it or TMI:

type=AVC msg=audit(1356115325.166:719): avc:  denied  { getattr } for  pid=5470 comm="df" path="/sys/kernel/config" dev="configfs" ino=11317 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1356115325.166:719): arch=x86_64 syscall=stat success=no exit=EACCES a0=150e350 a1=7fff7123ad60 a2=7fff7123ad60 a3=334ae83d90 items=0 ppid=5468 pid=5470 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=df exe=/usr/bin/df subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Comment 25 Daniel Walsh 2012-12-21 19:44:57 UTC
Not related to this bug, although I do see this as fixed on F18.

Comment 26 Miroslav Grepl 2012-12-27 09:15:35 UTC
Added to F17.

# sesearch -A -s logwatch_t -t configfs_t
Found 1 semantic av rules:
   allow logwatch_t filesystem_type : filesystem getattr


Note You need to log in before you can comment on or make changes to this bug.