Description of problem: Hardware is an Asus UX21A. Here's what I did: 1. installed powertop, tuned and tuned-utils 2. enabled tuned 3. set the active tuned profile to powersave: 'tuned-adm profile powersave' 4. ran powertop2tuned with the -e option: 'powertop2tuned -e my-powersave' 5. set the active tuned profile to the newly created one: 'tuned-adm profile my-powersave' I guess that the tuned script contains something which affects the wlan module of this laptop. SELinux is preventing /usr/sbin/iw from using the 'net_admin' capabilities. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that iw should have the net_admin capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep iw /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:tuned_t:s0 Target Context system_u:system_r:tuned_t:s0 Target Objects [ capability ] Source iw Source Path /usr/sbin/iw Port <Unknown> Host (removed) Source RPM Packages iw-3.7-1.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-97.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.9.4-200.fc18.x86_64 #1 SMP Fri May 24 20:10:49 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-06-10 22:02:19 CEST Last Seen 2013-06-10 22:02:19 CEST Local ID 0b4de908-b31b-4b3c-b7fe-7537687fe10f Raw Audit Messages type=AVC msg=audit(1370894539.21:332): avc: denied { net_admin } for pid=2122 comm="iw" capability=12 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=capability type=SYSCALL msg=audit(1370894539.21:332): arch=x86_64 syscall=sendmsg success=yes exit=ENAMETOOLONG a0=3 a1=7fffb31e3be0 a2=0 a3=4 items=0 ppid=2113 pid=2122 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=iw exe=/usr/sbin/iw subj=system_u:system_r:tuned_t:s0 key=(null) Hash: iw,tuned_t,tuned_t,capability,net_admin audit2allow #============= tuned_t ============== allow tuned_t self:capability net_admin; audit2allow -R require { type tuned_t; class capability net_admin; } #============= tuned_t ============== allow tuned_t self:capability net_admin; Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.4-200.fc18.x86_64 type: libreport
Could you try to execute # chcon -t ifconfig_exec_t /usr/sbin/iw
Hi Miroslav, I executed the command as root. After that I executed 'tuned-adm profile my-powersave' once more and the SELinux alert popped up the same way as before.
Interesting: I can execute 'iw dev wlan0 set power_save on' (this is what's in the tuned script) and I don't get any error messages from that. Seems that the problem is only that tuned can't execute this command.
(In reply to Timur Kristóf from comment #2) > Hi Miroslav, > > I executed the command as root. After that I executed 'tuned-adm profile > my-powersave' once more and the SELinux alert popped up the same way as > before. So did yo get exactly the same AVC msg?
commit bb9ba7752174206c743bdca0e877b5fa3eaf8f0a Author: Miroslav Grepl <mgrepl> Date: Thu Jun 13 12:51:35 2013 +0200 Allow net_admin for tuned_t
Hi, Yes, I got exactly the same message when tuned tried to run its script, and no message at all when I ran the iw command manually.
selinux-policy-3.11.1-98.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-98.fc18
Package selinux-policy-3.11.1-98.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-98.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-11859/selinux-policy-3.11.1-98.fc18 then log in and leave karma (feedback).
Hi, I tested the update. Now I get a different error message: SELinux is preventing /usr/sbin/iw from create access on the netlink_socket . ***** Plugin catchall (100. confidence) suggests *************************** If you believe that iw should be allowed create access on the netlink_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep iw /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context system_u:system_r:ifconfig_t:s0 Target Objects [ netlink_socket ] Source iw Source Path /usr/sbin/iw Port <Unknown> Host Timur-Zenbook Source RPM Packages iw-3.7-1.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-98.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name Timur-Zenbook Platform Linux Timur-Zenbook 3.9.6-200.fc18.x86_64 #1 SMP Thu Jun 13 18:56:55 UTC 2013 x86_64 x86_64 Alert Count 12 First Seen 2013-06-13 08:39:33 CEST Last Seen 2013-06-28 10:42:14 CEST Local ID d35d071e-2688-4659-bfdd-6e35a6da0198 Raw Audit Messages type=AVC msg=audit(1372408934.273:343): avc: denied { create } for pid=1971 comm="iw" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_socket type=SYSCALL msg=audit(1372408934.273:343): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=3 a2=10 a3=38 items=0 ppid=1956 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=iw exe=/usr/sbin/iw subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: iw,ifconfig_t,ifconfig_t,netlink_socket,create audit2allow #============= ifconfig_t ============== allow ifconfig_t self:netlink_socket create; audit2allow -R require { type ifconfig_t; class netlink_socket create; } #============= ifconfig_t ============== allow ifconfig_t self:netlink_socket create;
I allowed this in git 1e6ea6476ceda815baffeb023329904a12a3bb3d
selinux-policy-3.11.1-98.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.