Bug 809832 - avc on tuned-adm profile powersave
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 809836 809837 809838 810021 810025 810027 810029 810030 810031 810032 820464
Reported: 2012-04-04 09:35 EDT by Richard Marko
Modified: 2016-01-31 21:22 EST
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-06-03 19:29:35 EDT

Attachments
tuned_audit.log (426.05 KB, text/x-log), 2012-04-04 20:09 EDT, Michal Ambroz
Description Richard Marko 2012-04-04 09:35:37 EDT
Running
tuned-adm profile powersave

produces avc.

Additional Information:
Source Context                system_u:system_r:tuned_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/tuned/balanced/script.sh [ file ]
Source                        tuned
Source Path                   tuned
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           tuned-2.0.1-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.3.0-1.fc17.i686 #1
                              SMP Mon Mar 19 03:19:22 UTC 2012 i686 i686
Alert Count                   4
First Seen                    Wed 04 Apr 2012 10:10:55 AM EDT
Last Seen                     Wed 04 Apr 2012 10:32:07 AM EDT
Local ID                      bb4e9b10-5b90-43b1-860c-ccbf0bcbf30f

Raw Audit Messages
type=AVC msg=audit(1333549927.362:310): avc:  denied  { execute_no_trans } for  pid=2689 comm="tuned" path="/usr/lib/tuned/balanced/script.sh" dev="dm-0" ino=37954 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Comment 1 Michal Ambroz 2012-04-04 19:43:58 EDT
*** Bug 810025 has been marked as a duplicate of this bug. ***
Comment 2 Michal Ambroz 2012-04-04 19:45:05 EDT
*** Bug 809836 has been marked as a duplicate of this bug. ***
Comment 3 Michal Ambroz 2012-04-04 19:45:53 EDT
*** Bug 810021 has been marked as a duplicate of this bug. ***
Comment 4 Michal Ambroz 2012-04-04 19:47:12 EDT
*** Bug 809837 has been marked as a duplicate of this bug. ***
Comment 5 Michal Ambroz 2012-04-04 19:50:57 EDT
*** Bug 810029 has been marked as a duplicate of this bug. ***
Comment 6 Michal Ambroz 2012-04-04 19:51:45 EDT
*** Bug 810030 has been marked as a duplicate of this bug. ***
Comment 7 Michal Ambroz 2012-04-04 19:52:28 EDT
*** Bug 809838 has been marked as a duplicate of this bug. ***
Comment 8 Michal Ambroz 2012-04-04 19:52:52 EDT
*** Bug 810031 has been marked as a duplicate of this bug. ***
Comment 9 Michal Ambroz 2012-04-04 19:53:35 EDT
*** Bug 810032 has been marked as a duplicate of this bug. ***
Comment 10 Michal Ambroz 2012-04-04 19:54:06 EDT
*** Bug 810027 has been marked as a duplicate of this bug. ***
Comment 11 Michal Ambroz 2012-04-04 20:09:57 EDT
Created attachment 575243 [details]
tuned_audit.log

Running "tuned-adm profile {something}" still triggered some SELinux events.

Attached (tuned_audit.log) is a grep from audit.log from running it / allowing it until SELinux was happy, so you get an idea of everything that is triggered.

tuned-adm list | grep -e "^-" | cut -c 3-|xargs -n 1 tuned-adm profile
grep -E "sysctl|df|ls|tuned|script.sh|mount" /var/log/audit/audit.log | audit2allow -M mypol 
semodule -i mypol.pp
Comment 12 Miroslav Grepl 2012-04-05 04:01:27 EDT
Some of these issues are fixed in the latest policy. I am fixing labeling for scripts located in the /usr/lib/tuned.

But what does /usr/lib/tuned/balanced/script.sh do?
Comment 13 Michal Ambroz 2012-04-05 05:15:35 EDT
Hi,
this question is probably best to be answered by Jaroslav Škarvada (jskarvad).

Issues were found as part of the PM test day.
https://fedoraproject.org/w/index.php?title=Test_Day:2012-04-04_Power_Management

Best regards
Michal Ambroz
Comment 14 Miroslav Grepl 2012-04-05 05:22:57 EDT
Yes, this is a question for Jaroslav.
Comment 15 Jaroslav Škarvada 2012-04-05 06:02:49 EDT
(In reply to comment #12)
> Some of these issues are fixed in the latest policy. I am fixing labeling for
> scripts located in the /usr/lib/tuned.
> 
> But what does /usr/lib/tuned/balanced/script.sh do?
>
Functionality is similar to our previous ktune tool from old tuned.

Currently system profiles are stored under the following tree:
 /usr/lib/tuned/PROFILE_NAME/

Some profiles have script.sh, e.g. for the balanced profile there is:
 /usr/lib/tuned/balanced/script.sh

Currently the script.sh from the balanced profile does:
Writes temporary files under /run/tuned/
RW /sys/devices/system/cpu/$cpu/cpufreq/scaling_governor
RW /sys/module/snd_ac97_codec/parameters/power_save
RW /sys/module/snd_hda_intel/parameters/power_save
RW /sys/class/drm/card0/device/power_profile
RW /sys/class/drm/card0/device/power_method

Other profiles also do:
RW /sys/block/*/queue/scheduler
Remounts non-boot and non-root partitions with parameters 'barrier', 'nobarrier',
'commit=*', 'noatime'
RW /sys/block/*/queue/read_ahead_kb
RW to /sys/bus/pci/devices/*/power_level
Executes iwpriv
Executes /usr/libexec/tuned/pmqos-static.py
RW /sys/bus/usb/devices/*/power/autosuspend
RW /sys/class/scsi_host/*/link_power_management_policy
R /sys/class/scsi_host/*/ahci_port_cmd
RW /sys/devices/system/cpu/sched_mc_power_savings
Executes hdparm
Executes hciconfig
Executes sync
Modifies /etc/rsyslog.conf
RW /sys/kernel/mm/redhat_transparent_hugepage/enabled

We maintain a database of tunings and periodically update it / add new tunings.

User profiles (administrators provided) are stored under:
/etc/tuned/PROFILE_NAME

These profiles can be written / modified by administrators. They can also
execute scripts - mostly files under:
/etc/tuned/PROFILE_NAME/
by default script.sh, but they can have an arbitrary name.

Tuned process also needs to listen on D-Bus system bus.
It also sends signals to itself.

tuned-adm needs to send signals to tuned process.
Comment 16 Miroslav Grepl 2012-05-11 01:22:58 EDT
*** Bug 820464 has been marked as a duplicate of this bug. ***
Comment 17 Miroslav Grepl 2012-05-17 10:51:18 EDT
Added more fixes to selinux-policy-3.10.0-126.fc17
Comment 18 Fedora Update System 2012-05-31 02:24:25 EDT
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17
Comment 19 Fedora Update System 2012-06-01 13:06:56 EDT
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).
Comment 20 Fedora Update System 2012-06-03 19:29:35 EDT
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Scott Castaline 2012-12-21 13:54:46 EST
I have just recently started getting this error. It has occurred 12 times in the last week and a half. Currently running 3.6.10-2.fc17.x86_64
Comment 22 Scott Castaline 2012-12-21 13:57:19 EST
Forgot to add policy: selinux-policy-3.10.0-161.fc17.
Comment 23 Daniel Walsh 2012-12-21 14:01:23 EST
Please attach the actual AVC.
Comment 24 Scott Castaline 2012-12-21 14:05:46 EST
Not sure if this is it or TMI:

type=AVC msg=audit(1356115325.166:719): avc:  denied  { getattr } for  pid=5470 comm="df" path="/sys/kernel/config" dev="configfs" ino=11317 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1356115325.166:719): arch=x86_64 syscall=stat success=no exit=EACCES a0=150e350 a1=7fff7123ad60 a2=7fff7123ad60 a3=334ae83d90 items=0 ppid=5468 pid=5470 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=df exe=/usr/bin/df subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
Comment 25 Daniel Walsh 2012-12-21 14:44:57 EST
Not related to this bug, although I do see this as fixed on F18.
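The triage step behind comment 25 (deciding which denials in an audit log actually belong to the domain under investigation) and the grep-then-audit2allow workflow from comment 11 can be done more precisely by parsing the AVC records themselves and keying on scontext rather than on a regex over comm. The following is an added example written for this report, not code from tuned, selinux-policy or the audit tools. It embeds the two AVC lines quoted above plus two constructed records (a SYSCALL line and an extra tuned_t denial against sysfs_t) so it runs offline; on a real system the input would be /var/log/audit/audit.log.

```python
"""Triage SELinux AVC denials from an audit log by source domain.

Added example for this bug report; it is not code from tuned, selinux-policy
or the audit tools. It parses type=AVC records, groups denials by
(source type, target type, object class, permissions), and splits them into
the ones raised by the domain under investigation and everything else.
"""
import re
from collections import defaultdict

# Constructed sample log: records 1 and 3 are the two AVC lines quoted in this
# bug report; records 2 and 4 are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1333549927.362:310): avc:  denied  { execute_no_trans } for  pid=2689 comm="tuned" path="/usr/lib/tuned/balanced/script.sh" dev="dm-0" ino=37954 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1333549927.362:310): arch=40000003 syscall=11 success=no exit=-13 comm="tuned"
type=AVC msg=audit(1356115325.166:719): avc:  denied  { getattr } for  pid=5470 comm="df" path="/sys/kernel/config" dev="configfs" ino=11317 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1333549930.500:312): avc:  denied  { read write } for  pid=2701 comm="script.sh" name="scaling_governor" dev="sysfs" ino=4242 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
# key=value pairs in the tail of the record; values are "quoted" or bare tokens
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict for type=AVC lines, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "pid": int(fields.get("pid", "0")),
        "comm": fields.get("comm", ""),
        # file objects carry path= (or name=); sockets and processes carry neither
        "object": fields.get("path") or fields.get("name") or "",
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_avc_log(text):
    """Return all denied AVC events in the log, skipping other record types."""
    events = [parse_avc(l) for l in text.splitlines()]
    return [e for e in events if e is not None and e["result"] == "denied"]


def group_denials(events):
    """Collapse events into audit2allow-style groups with counts and objects."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "objects": set()})
    for e in events:
        g = groups[(e["stype"], e["ttype"], e["tclass"])]
        g["perms"] |= e["perms"]
        g["count"] += 1
        if e["object"]:
            g["objects"].add(e["object"])
    return dict(groups)


def split_by_domain(events, stype):
    """Separate the denials raised by `stype` from those raised by other domains."""
    related = [e for e in events if e["stype"] == stype]
    unrelated = [e for e in events if e["stype"] != stype]
    return related, unrelated


def summarize(groups):
    """Render one line per group, e.g. 'tuned_t lib_t:file { execute_no_trans } x1'."""
    lines = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        lines.append(f"{stype} {ttype}:{tclass} {{ {perms} }} x{g['count']} {sorted(g['objects'])}")
    return lines


if __name__ == "__main__":
    evs = parse_avc_log(SAMPLE_AUDIT_LOG)
    related, unrelated = split_by_domain(evs, "tuned_t")
    print("tuned_t denials:")
    for line in summarize(group_denials(related)):
        print("  " + line)
    print("denials from other domains (not this bug):")
    for line in summarize(group_denials(unrelated)):
        print("  " + line)
```

The grouped summary is the same information audit2allow would turn into allow rules, but kept as a decision input: for the tuned_t / lib_t / execute_no_trans group the fix in this report was relabeling the scripts under /usr/lib/tuned (comment 12), not an allow rule, and the logwatch_t group is reported separately so it is not folded into a tuned policy module by accident.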
Comment 26 Miroslav Grepl 2012-12-27 04:15:35 EST
Added to F17.

# sesearch -A -s logwatch_t -t configfs_t
Found 1 semantic av rules:
   allow logwatch_t filesystem_type : filesystem getattr
