Description of problem: SELinux doesn't like it when I run "tuned-adm recommend" in bash.
Version-Release number of selected component (if applicable):
Nom : tuned
Architecture : noarch
Version : 2.2.2
Révision : 1.fc18
Nom : selinux-policy
Architecture : noarch
Version : 3.11.1
Révision : 86.fc18
How reproducible: Every time on my system.
Steps to Reproduce:
1. Open a terminal
2. Run "tuned-adm recommend"
Actual results: A SELinux notification pops up, details being "SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/dmidecode."
Expected results: SELinux should not be angry about that.
Additional info: I tried as root as well, and the situation is the same.
Thanks for the report, reassigning to selinux-policy component.
Please attach the AVC's. Does tuned need to execute dmidecode?
Created attachment 731843 [details]
Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend"
I am not entirely sure about what you ask, but I've attached the end of my /var/log/audit/audit.log file right after calling the command.
I have no idea whether tuned should execute dmidecode or not. The only thing I know is that running tuned-adm with the "recommend" option will analyze stuff and tell you what power management profile is the best for you at the moment.
(In reply to comment #2)
> Does tuned need to execute dmidecode?
Yes, but indirectly. It detects the platform by calling the virt-what, which calls the dmidecode.
(In reply to comment #3)
> Created attachment 731843 [details]
> Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend"
Thanks, please also attach the AVCs when running in permissve mode, i.e. with:
# setenforce 0
Created attachment 731852 [details]
Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend" after "setenforce 0"
I've attached what happens with "setenforce 0".
This time the SELinux notification is "SELinux is preventing /usr/sbin/dmidecode from read access on the chr_file mem."
Author: Dan Walsh <firstname.lastname@example.org>
Date: Thu Apr 4 17:16:46 2013 -0400
Allow tuned to transition to dmidecode
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.