Bug 948261 - When running "tuned-adm recommend", notification "SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/dmidecode."
Summary: When running "tuned-adm recommend", notification "SELinux is preventing /usr/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-04 12:40 UTC by Gwendal
Modified: 2013-04-18 02:51 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-18 02:51:30 UTC


Attachments (Terms of Use)
Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend" (2.87 KB, text/plain)
2013-04-05 07:29 UTC, Gwendal
no flags Details
Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend" after "setenforce 0" (3.04 KB, application/octet-stream)
2013-04-05 08:29 UTC, Gwendal
no flags Details

Description Gwendal 2013-04-04 12:40:08 UTC
Description of problem: SELinux doesn't like it when I run "tuned-adm recommend" in bash.


Version-Release number of selected component (if applicable):

Nom                 : tuned
Architecture        : noarch
Version             : 2.2.2
Révision            : 1.fc18

Nom                 : selinux-policy
Architecture        : noarch
Version             : 3.11.1
Révision            : 86.fc18


How reproducible: Every time on my system.


Steps to Reproduce:
1. Open a terminal
2. Run "tuned-adm recommend"

  
Actual results: A SELinux notification pops up, details being "SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/dmidecode."


Expected results: SELinux should not be angry about that.


Additional info: I tried as root as well, and the situation is the same.

Comment 1 Jaroslav Škarvada 2013-04-04 12:48:04 UTC
Thanks for the report, reassigning to selinux-policy component.

Comment 2 Daniel Walsh 2013-04-04 21:16:57 UTC
Please attach the AVC's.  Does tuned need to execute dmidecode?

Comment 3 Gwendal 2013-04-05 07:29:25 UTC
Created attachment 731843 [details]
Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend"

Comment 4 Gwendal 2013-04-05 07:34:08 UTC
I am not entirely sure about what you ask, but I've attached the end of my /var/log/audit/audit.log file right after calling the command.

I have no idea whether tuned should execute dmidecode or not. The only thing I know is that running tuned-adm with the "recommend" option will analyze stuff and tell you what power management profile is the best for you at the moment.

Comment 5 Jaroslav Škarvada 2013-04-05 07:37:12 UTC
(In reply to comment #2)
> Does tuned need to execute dmidecode?

Yes, but indirectly. It detects the platform by calling the virt-what, which calls the dmidecode.

Comment 6 Jaroslav Škarvada 2013-04-05 07:39:02 UTC
(In reply to comment #3)
> Created attachment 731843 [details]
> Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend"

Thanks, please also attach the AVCs when running in permissve mode, i.e. with:
# setenforce 0

Comment 7 Gwendal 2013-04-05 08:29:09 UTC
Created attachment 731852 [details]
Lines appearing in /var/log/audit/audit.log when I run "'tuned-adm recommend" after "setenforce 0"

I've attached what happens with "setenforce 0".

This time the SELinux notification is "SELinux is preventing /usr/sbin/dmidecode from read access on the chr_file mem."

Comment 8 Miroslav Grepl 2013-04-05 14:07:40 UTC
commit 032b9b94bb423fdf091cfca60dc1771e79ec045f
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Thu Apr 4 17:16:46 2013 -0400

    Allow tuned to transition to dmidecode

Comment 9 Fedora Update System 2013-04-15 11:11:31 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 10 Fedora Update System 2013-04-16 00:07:00 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-04-18 02:51:32 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.