Bug 1374051
Summary: | SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | xzj8b3 <xzj8b3> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 24 | CC: | adam, ben.r.xiao, bugzilla.somor, bugzilla, c.steinseifer, danilogcarolino, david.hajn+rh, dominick.grift, drfudgeboy, dwalsh, efsnefs, fahrever2, fedora.243908, fmuro, fnord, fortizc, huvith, javiertury, jbirch, jeancamargoreal, justin, linrunner, live, lmythreya, luis.st, lvrabec, lyubo.petrov, Marco_Anastasio, marcvanwageningen, metal3d, m.frangiamore, mgrepl, michael, mrummuka, plautrba, pushpamtiwari, robert, russ.otto.webdev, sahin508, seracon, s.gendre, Simon.Gerhards, spandie990, ssekidde, thebeardedhermit, trulsg, woiling, yupeak |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:7bb98eff09db578f92e6b6786d9a3a24547375babba86273a01aedc9f76717e2;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.13.1-191.23.fc24 | Doc Type: | If docs needed, set a value |
Last Closed: | 2017-01-10 08:18:21 UTC | Type: | --- |
Embargoed: |
Description
xzj8b3
2016-09-07 20:01:48 UTC
Probably related, but I'd be happy to file a new bug if I'm wrong:
SELinux is preventing ethtool from write access on the file /run/tlp/lock_tlp.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that ethtool should be allowed write access on the lock_tlp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'ethtool' --raw | audit2allow -M my-ethtool
# semodule -X 300 -i my-ethtool.pp
Additional Information:
Source Context        system_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context        system_u:object_r:var_run_t:s0
Target Objects        /run/tlp/lock_tlp [ file ]
Source                ethtool
Source Path           ethtool
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-191.14.fc24.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 4.7.2-201.fc24.x86_64 #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 x86_64
Alert Count           3
First Seen            2016-09-07 16:23:15 CEST
Last Seen             2016-09-07 23:08:12 CEST
Local ID              f1c9dadb-0f6b-4cfa-a2d3-21026bcbc8ce
Raw Audit Messages
type=AVC msg=audit(1473282492.244:227): avc: denied { write } for pid=3361 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=27223 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Hash: ethtool,ifconfig_t,var_run_t,file,write

Description of problem:
Unplugged laptop power, got selinux error related to tlp
Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.2-201.fc24.x86_64
type: libreport

Description of problem:
When I am hanging on the charger cable, selinux shows this problem
Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.2-201.fc24.x86_64
type: libreport

Description of problem:
I switched from battery to an external power source.
Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.2-201.fc24.x86_64
type: libreport

Description of problem:
The error occurred after installing the browser Google Chrome stable version on the 64-bit version
Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.2-201.fc24.x86_64
type: libreport

*** Bug 1377261 has been marked as a duplicate of this bug. ***

Description of problem:
I have tlp installed and just regular usage, nothing special.
Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.3-200.fc24.x86_64
type: libreport

*** Bug 1378988 has been marked as a duplicate of this bug. ***

Description of problem:
When I disconnected the laptop from the power outlet.
Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.4-200.fc24.x86_64
type: libreport

Description of problem:
When I removed the laptop from the electrical outlet.
Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.4-200.fc24.x86_64
type: libreport

Description of problem:
Plugged off laptop.
Logged into the system
Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.4-200.fc24.x86_64
type: libreport

Same, when unplugging charger. (FWIW mine is the Korora adaptation of Fedora)

SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that iw should be allowed write access on the lock_tlp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'iw' --raw | audit2allow -M my-iw
# semodule -X 300 -i my-iw.pp
Additional Information:
Source Context        system_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context        system_u:object_r:var_run_t:s0
Target Objects        /run/tlp/lock_tlp [ file ]
Source                iw
Source Path           iw
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count           2
First Seen            2016-09-26 18:46:45 BST
Last Seen             2016-09-26 18:46:45 BST
Local ID              b5222728-3c96-4a70-b290-c1acff52a6ca
Raw Audit Messages
type=AVC msg=audit(1474912005.522:908): avc: denied { write } for pid=13937 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=25987 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Hash: iw,ifconfig_t,var_run_t,file,write

Description of problem:
It happens once after booting/resuming or waking up from sleep
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.4-200.fc24.x86_64
type: libreport

Description of problem:
Connected the power cable to the laptop after waking from standby.
Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.4-200.fc24.x86_64
type: libreport

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Hi, I have the same problem here when I plug and unplug the charger... bugs 1371676 and 1373791 seem to be the same

Hi, the same problem here when I plug and unplug the charger... bugs 1371676 and 1373791 seem to be the same

*** Bug 1385573 has been marked as a duplicate of this bug. ***

Description of problem:
I plugged the pc to ac and this alert showed up.
Version-Release number of selected component:
selinux-policy-3.13.1-191.19.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.9-200.fc24.x86_64
type: libreport

Description of problem:
Happens every time the ThinkPad laptop (T430) is plugged in / out of electricity
Version-Release number of selected component:
selinux-policy-3.13.1-191.18.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.6-200.fc24.x86_64
type: libreport

*** Bug 1392138 has been marked as a duplicate of this bug. ***

Description of problem:
Install TLP. Enable it. Suspend computer. Test platform is ThinkPad T460.
Version-Release number of selected component:
selinux-policy-3.13.1-191.19.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.6-201.fc24.x86_64
type: libreport

(In reply to Rob Tomsick from comment #22)
> Description of problem:
> Install TLP. Enable it. Suspend computer.
Actually, disregard that. It happens on power state change (plugged -> unplugged), not suspend.

Description of problem:
I receive this selinux message after I unplug and plug the laptop while the system is running.
Version-Release number of selected component:
selinux-policy-3.13.1-191.20.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.6-201.fc24.x86_64
type: libreport

*** Bug 1394088 has been marked as a duplicate of this bug. ***

Description of problem:
This seems to happen at any power state change (i.e. unplug or replug the power cord).
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.6-201.fc24.x86_64
type: libreport

Description of problem:
I installed tlp and configured it. After unplugging the AC power connector this happened
Version-Release number of selected component:
selinux-policy-3.13.1-191.20.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.7-200.fc24.x86_64
type: libreport

We need to add a suitable label that ifconfig can work with.
Please try
semanage fcontext -a -t ifconfig_var_run_t /run/tlp/lock_tlp
restorecon -R -v /run/tlp/lock_tlp

Thanks Simon, your suggestion worked for me.
- Received SELinux error after unplugging AC power connection.
- Ran the following command in the terminal: semanage fcontext -a -t ifconfig_var_run_t /run/tlp/lock_tlp && restorecon -R -v /run/tlp/lock_tlp
- No longer receiving SELinux errors when I unplug AC.

Description of problem:
This happened when I reconnected the mains adapter.
Version-Release number of selected component:
selinux-policy-3.13.1-191.21.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.8.8-200.fc24.x86_64
type: libreport

(In reply to Simon Sekidde from comment #28)
> We need to add a suitable label that ifconfig can work with.
>
> Please try
>
> semanage fcontext -a -t ifconfig_var_run_t /run/tlp/lock_tlp
> restorecon -R -v /run/tlp/lock_tlp
Thanks Simon. This suggestion worked for me.

This also works:
chcon -t ifconfig_var_run_t /run/tlp/lock_tlp

selinux-policy-3.13.1-191.23.fc24 has been submitted as an update to Fedora 24.
https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33

selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33

I'm still experiencing this issue with selinux-policy-3.13.1-191.23.fc24, provided bodhi feedback accordingly.
$ rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.13.1
Release     : 191.23.fc24
Architecture: noarch
Install Date: Mi 04 Jan 2017 17:08:10 CET
Group       : System Environment/Base
Size        : 20703
License     : GPLv2+
Signature   : RSA/SHA256, Mo 05 Dez 2016 19:11:58 CET, Key ID 73bde98381b46521
Source RPM  : selinux-policy-3.13.1-191.23.fc24.src.rpm
Build Date  : Mo 05 Dez 2016 16:53:04 CET
Build Host  : buildhw-04.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://github.com/TresysTechnology/refpolicy/wiki
Summary     : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
SELinux is preventing iw from write access on the file /run/tlp/lock_tlp.
***** Plugin catchall (100. confidence) suggests **************************
If sie denken, dass es iw standardmäßig erlaubt sein sollte, write Zugriff auf lock_tlp file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do allow this access for now by executing:
# ausearch -c 'iw' --raw | audit2allow -M my-iw
# semodule -X 300 -i my-iw.pp
Additional Information:
Source Context        system_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context        system_u:object_r:var_run_t:s0
Target Objects        /run/tlp/lock_tlp [ file ]
Source                iw
Source Path           iw
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-191.23.fc24.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 4.8.15-200.fc24.x86_64 #1 SMP Thu Dec 15 23:09:22 UTC 2016 x86_64 x86_64
Alert Count           26
First Seen            2017-01-04 11:38:42 CET
Last Seen             2017-01-09 15:55:26 CET
Local ID              d818df04-7b18-4e61-8f84-66f940e7d588
Raw Audit Messages
type=AVC msg=audit(1483973726.508:671): avc: denied { write } for pid=11170 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=23353 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Hash: iw,ifconfig_t,var_run_t,file,write

selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Problem still persists for me.

For me the '/run/tlp/lock_tlp' issue is gone, but now upon reconnecting the power cable I get another selinux popup.
selinux-policy.noarch 3.13.1-225.6.fc25
SELinux is preventing iw from open access on the file /proc/<pid>/net/psched.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that iw should be allowed open access on the psched file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'iw' --raw | audit2allow -M my-iw
# semodule -X 300 -i my-iw.pp
Additional Information:
Source Context        system_u:system_r:tlp_t:s0
Target Context        system_u:object_r:proc_net_t:s0
Target Objects        /proc/<pid>/net/psched [ file ]
Source                iw
Source Path           iw
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM            <Unknown>
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 4.8.15-300.fc25.x86_64 #1 SMP Thu Dec 15 23:10:23 UTC 2016 x86_64 x86_64
Alert Count           151
First Seen            2016-12-22 23:36:11 CET
Last Seen             2017-01-14 10:04:26 CET
Local ID              abb04f47-3b33-4ad5-afd3-5c5673b454cf
Raw Audit Messages
type=AVC msg=audit(1484384666.670:8353): avc: denied { open } for pid=19006 comm="iw" path="/proc/19006/net/psched" dev="proc" ino=4026531982 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
Hash: iw,tlp_t,proc_net_t,file,open

Description of problem:
Connect/unconnect Thinkpad X1 Carbon 4th Gen/2016 with installed TLP to OneLink Dock+
Version-Release number of selected component:
selinux-policy-3.13.1-191.23.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.9.5-100.fc24.x86_64
type: libreport

Description of problem:
Unconnect Thinkpad X1 Carbon 4th Gen/2016 with installed TLP to OneLink Dock+
Version-Release number of selected component:
selinux-policy-3.13.1-191.23.fc24.noarch
Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.9.5-100.fc24.x86_64
type: libreport

(In reply to Fedora Update System from comment #36)
> If problems still persist, please make note of it in this bug
> report.
Three weeks have already passed since I did as suggested without a reaction. So can someone please reopen this bug? I don't have the necessary rights to do it myself.
Thanks Woi,
Please run:
# restorecon -Rv /var/run
Thanks,
Lukas.

Thanks Lukas for pointing out. However, nothing changed after doing so: I'm still getting selinux warning when plugging in or removing the power supply.
$ sudo restorecon -Rv /var/run/
restorecon: Warning no default label for /run/lightdm.pid
restorecon reset /run/user/1001/gvfs context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:fusefs_t:s0
restorecon: Warning no default label for /run/lvmetad.pid
restorecon: Warning no default label for /run/lock/subsys
restorecon: Warning no default label for /run/lock/subsys/akmods
restorecon: Warning no default label for /run/initramfs
restorecon: Warning no default label for /run/initramfs/rwtab
restorecon: Warning no default label for /run/initramfs/state
restorecon: Warning no default label for /run/initramfs/state/var
restorecon: Warning no default label for /run/initramfs/state/var/lib
restorecon: Warning no default label for /run/initramfs/state/var/lib/dhclient
restorecon: Warning no default label for /run/initramfs/state/etc
restorecon: Warning no default label for /run/initramfs/state/etc/sysconfig
restorecon: Warning no default label for /run/initramfs/state/etc/sysconfig/network-scripts
restorecon: Warning no default label for /run/initramfs/.need_shutdown
restorecon: Warning no default label for /run/initramfs/log
$

This is still happening on Fedora 25 when I unplug or plug in my power cable.
This is with selinux-policy 3.13.1-225.6.fc25
Feb 05 11:38:58 benxiao-fedora02 audit[9230]: AVC avc: denied { write } for pid=9230 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=41558 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0
Feb 05 11:38:58 benxiao-fedora02 audit[9233]: AVC avc: denied { write } for pid=9233 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=41558 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0
Any further advice? Can this bug be re-opened again? Should I open a new bug instead?

(In reply to Benjamin Xiao from comment #44)
> This is still happening on Fedora 25 when I unplug or plug in my power
> cable. This is with selinux-policy 3.13.1-225.6.fc25
>
>
> Feb 05 11:38:58 benxiao-fedora02 audit[9230]: AVC avc: denied { write }
> for pid=9230 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=41558
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0
> Feb 05 11:38:58 benxiao-fedora02 audit[9233]: AVC avc: denied { write }
> for pid=9233 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=41558
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0
I have the same issue as Benjamin and the same version of selinux-policy. Here is my audit message
type=AVC msg=audit(1488081410.111:922): avc: denied { write } for pid=17279 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=30995 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=1

Still with this in Fedora 26.

Could someone at least reopen the bug? I don't have the hardware any more to confirm that the problem still persists. But I also don't have the necessary permissions to reopen this bug.
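
Added example, not part of the bug report or of any Fedora tool: a small Python parser that reduces the AVC denial lines quoted in the comments above to the (source type, target type, class, permission) tuple that setroubleshoot prints as "Hash:", and tracks how the target label of each path changes. The three sample records are copied from this thread; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# AVC records copied from comments in this thread (raw audit and journald forms).
SAMPLE = """\
type=AVC msg=audit(1473282492.244:227): avc: denied { write } for pid=3361 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=27223 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Feb 05 11:38:58 benxiao-fedora02 audit[9230]: AVC avc: denied { write } for pid=9230 comm="iw" path="/run/tlp/lock_tlp" dev="tmpfs" ino=41558 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tlp_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484384666.670:8353): avc: denied { open } for pid=19006 comm="iw" path="/proc/19006/net/psched" dev="proc" ino=4026531982 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ctx_type(ctx):
    """Type field of a user:role:type[:level] context (the level may contain ':')."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one AVC denial line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    rec["stype"] = ctx_type(rec["scontext"])
    rec["ttype"] = ctx_type(rec["tcontext"])
    # permissive=1 means the access was logged but not blocked.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def denial_keys(text):
    """Count (source type, target type, class, perm, enforced) tuples."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm, rec["enforced"])] += 1
    return counts


def label_history(text):
    """For each path, list the distinct target types in order of appearance."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        path = rec.get("path", "<no path>")
        if rec["ttype"] not in seen[path]:
            seen[path].append(rec["ttype"])
    return dict(seen)


if __name__ == "__main__":
    for key, n in sorted(denial_keys(SAMPLE).items()):
        print(n, *key)
    for path, types in label_history(SAMPLE).items():
        print(path, "->", " then ".join(types))
```

On these records the target type of /run/tlp/lock_tlp goes from var_run_t to tlp_var_run_t while the source domain stays ifconfig_t, which matches the later comments reporting that the write denial continued after the policy update.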