Bug 1586329 - SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.
Summary: SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7bb98eff09db578f92e6b6786d9...
Duplicates: 1510249 1585485 1585486
Depends On:
Blocks:
Reported: 2018-06-06 02:07 UTC by goghard
Modified: 2018-10-17 05:16 UTC (History)

Fixed In Version: selinux-policy-3.14.1-36.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-29 03:22:13 UTC
Type: ---
Embargoed:



Description goghard 2018-06-06 02:07:02 UTC
Description of problem:
I installed TLP and alerts started to appear. I modified the /etc/default/tlp file to reduce CPU frequencies before starting tlp.
SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iw should be allowed write access on the lock_tlp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iw' --raw | audit2allow -M my-iw
# semodule -X 300 -i my-iw.pp

Additional Information:
Source Context                system_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /run/tlp/lock_tlp [ file ]
Source                        iw
Source Path                   iw
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-30.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.12-300.fc28.x86_64 #1 SMP Fri
                              May 25 21:13:28 UTC 2018 x86_64 x86_64
Alert Count                   8
First Seen                    2018-06-05 20:57:08 -05
Last Seen                     2018-06-05 20:58:08 -05
Local ID                      2c4f9829-34e2-4e11-8ad3-a49fdd03beed

Raw Audit Messages
type=AVC msg=audit(1528250288.390:330): avc:  denied  { write } for  pid=8623 comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=411421 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: iw,ifconfig_t,var_run_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.1-30.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.12-300.fc28.x86_64
type:           libreport

Potential duplicate: bug 1373791

Comment 1 Milos Malik 2018-06-06 06:32:45 UTC
# ls -Z /run/tlp/lock_tlp
system_u:object_r:tlp_var_run_t:s0 /run/tlp/lock_tlp
# matchpathcon /run/tlp/lock_tlp 
/run/tlp/lock_tlp	system_u:object_r:var_run_t:s0
#

I believe the problem is the first fcontext pattern:

# semanage fcontext -l | grep tlp
/run/tlp(/.*)?                                     all files          system_u:object_r:tlp_var_run_t:s0 
/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*))    regular file       system_u:object_r:tlp_unit_file_t:s0 
/usr/sbin/tlp                                      regular file       system_u:object_r:tlp_exec_t:s0 
/var/lib/tlp(/.*)?                                 all files          system_u:object_r:tlp_var_lib_t:s0 
# 

The fcontext pattern should look this way:

/var/run/tlp(/.*)?    all files    system_u:object_r:tlp_var_run_t:s0

Use of restorecon does not help the reporter:

# restorecon -vn /run/tlp/lock_tlp
Would relabel /run/tlp/lock_tlp from system_u:object_r:tlp_var_run_t:s0 to system_u:object_r:var_run_t:s0
#

Comment 2 Milos Malik 2018-06-06 06:40:31 UTC
If the fcontext pattern was correctly defined, the denial would not have appeared, because the appropriate rule is already present:

# sesearch -s ifconfig_t -t tlp_var_run_t -c file -A
allow ifconfig_t tlp_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
#

Tested on:

# rpm -qa selinux\* | sort
selinux-policy-3.14.1-30.fc28.noarch
selinux-policy-devel-3.14.1-30.fc28.noarch
selinux-policy-doc-3.14.1-30.fc28.noarch
selinux-policy-minimum-3.14.1-30.fc28.noarch
selinux-policy-mls-3.14.1-30.fc28.noarch
selinux-policy-targeted-3.14.1-30.fc28.noarch
#
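
Added example, not part of the original comments: a Python sketch of the triage done by hand in comments 1 and 2, using the AVC line, the sesearch rule and the fcontext type quoted on this page. It separates a denial caused by a wrong label on the object from one caused by a rule that is really missing; all function and variable names are assumptions made for this example.

```python
import re

# Copied from this bug report: raw AVC (description) and sesearch rule (comment 2).
AVC = ('type=AVC msg=audit(1528250288.390:330): avc:  denied  { write } for  pid=8623 '
       'comm="ethtool" path="/run/tlp/lock_tlp" dev="tmpfs" ino=411421 '
       'scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0')
RULES = ['allow ifconfig_t tlp_var_run_t:file { append create getattr ioctl link '
         'lock open read rename setattr unlink write };']
INTENDED = {'/run/tlp/lock_tlp': 'tlp_var_run_t'}  # type named by the fcontext entry

def ctx_type(context):
    return context.split(':')[2]  # user:role:type:level

def parse_avc(line):
    """Extract permissions, path, class and source/target types from a denial."""
    m = re.search(r'denied\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError('not an AVC denial')
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {'perms': set(m.group(1).split()), 'path': f.get('path', '').strip('"'),
            'tclass': f['tclass'], 'stype': ctx_type(f['scontext']),
            'ttype': ctx_type(f['tcontext'])}

def parse_allow(rule):
    """Parse 'allow S T:C { perms };' or 'allow S T:C perm;' (sesearch -A output)."""
    m = re.match(r'allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\w+))\s*;', rule)
    if not m:
        raise ValueError('unrecognised rule: ' + rule)
    return m.group(1), m.group(2), m.group(3), set((m.group(4) or m.group(5)).split())

def allowed(stype, ttype, tclass, perms, rules):
    """True if the rules together grant every requested permission."""
    hits = [p for s, t, c, p in map(parse_allow, rules) if (s, t, c) == (stype, ttype, tclass)]
    return perms <= set().union(*hits)

def triage(avc_line, rules, intended):
    """Classify a denial: wrong label on the object, or a rule really missing."""
    d = parse_avc(avc_line)
    want = intended.get(d['path'])
    if allowed(d['stype'], d['ttype'], d['tclass'], d['perms'], rules):
        return ('already-allowed', d['ttype'], want)
    if want and want != d['ttype'] and allowed(d['stype'], want, d['tclass'], d['perms'], rules):
        return ('mislabeled', d['ttype'], want)
    return ('missing-rule', d['ttype'], want)

if __name__ == '__main__':
    print(triage(AVC, RULES, INTENDED))
```

A 'mislabeled' result points at the file context definition or the labeling of the object, which is where comment 1 locates the defect, rather than at a local audit2allow module.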

Comment 3 Lukas Vrabec 2018-06-10 20:57:26 UTC
*** Bug 1585486 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2018-06-10 20:57:31 UTC
*** Bug 1585485 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2018-06-10 20:57:39 UTC
*** Bug 1577532 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2018-06-10 20:57:53 UTC
*** Bug 1510249 has been marked as a duplicate of this bug. ***

Comment 7 seb 2018-07-01 12:33:58 UTC
Not solved in selinux-policy-3.14.1-32.fc28.noarch :(

Comment 8 Mário Lopes 2018-07-09 08:19:56 UTC
Description of problem:
After receiving the following updates:
cinnamon-3.8.7-1.fc28.x86_64                  Mon 09 Jul 2018 07:48:45 AM WEST
nemo-3.8.4-1.fc28.x86_64                      Mon 09 Jul 2018 07:48:43 AM WEST
nemo-extensions-3.8.4-1.fc28.x86_64           Mon 09 Jul 2018 07:48:42 AM WEST
After rebooting the machine I started to receive the notifications in a continuous loop.

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.3-200.fc28.x86_64
type:           libreport

Comment 9 Fedora Update System 2018-07-25 22:27:44 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 10 Fedora Update System 2018-07-26 16:30:13 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 11 Michael 2018-07-27 13:54:28 UTC
The problem is still present with selinux-policy-3.14.1-36.fc28.

See: 1609307

Comment 12 Fedora Update System 2018-07-29 03:22:13 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 John Gardner 2018-07-29 16:53:26 UTC
Description of problem:
Running TLP on Fedora 28.  Dell XPS 9560, every time I plug in the power cable I get the SELinux error

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.7-200.fc28.x86_64
type:           libreport

Comment 14 amarty 2018-08-10 06:43:33 UTC
Description of problem:
Installed TLP for power management on Fedora 28 and after a wakeup from standby this came up.

Version-Release number of selected component:
selinux-policy-3.14.1-37.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.11-200.fc28.x86_64
type:           libreport

Comment 15 amarty 2018-08-12 16:21:13 UTC
Description of problem:
Installed TLP on Fedora 28 and after wake up from standby this message came up.

Version-Release number of selected component:
selinux-policy-3.14.1-37.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.11-200.fc28.x86_64
type:           libreport

Comment 16 ju.labbe 2018-08-21 07:20:36 UTC
Description of problem:
after installing TLP
after a first troubleshoot
here we are with this second one
good luck guys

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.6-200.fc28.x86_64
type:           libreport

Comment 17 Jean-Loup Tastet 2018-09-24 17:42:46 UTC
Still affected on Fedora 28, with selinux-policy-3.14.1-42.fc28.

Running `sudo systemctl start tlp` results in an AVC and the TLP service fails to start:

● tlp.service - TLP system startup/shutdown
   Loaded: loaded (/usr/lib/systemd/system/tlp.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-09-24 19:34:56 CEST; 2min 54s ago
     Docs: http://linrunner.de/tlp
  Process: 21073 ExecStart=/usr/sbin/tlp init start (code=exited, status=1/FAILURE)
 Main PID: 21073 (code=exited, status=1/FAILURE)

Sep 24 19:34:56 jl-xps systemd[1]: Starting TLP system startup/shutdown...
Sep 24 19:34:56 jl-xps systemd[1]: tlp.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 19:34:56 jl-xps systemd[1]: tlp.service: Failed with result 'exit-code'.
Sep 24 19:34:56 jl-xps systemd[1]: Failed to start TLP system startup/shutdown.

The relevant part of the journal seems to be:

-- Subject: Unit tlp.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit tlp.service has begun starting up.
Sep 24 19:37:53 jl-xps audit[21411]: AVC avc:  denied  { open } for  pid=21411 comm="tlp" path="/run/tlp/lock_tlp" dev="tmpfs" ino=291918 scontext=system_u:system_r:tlp_t:s0 tcontext=unconfined_u:object_r:var_ru>
Sep 24 19:37:53 jl-xps audit[21411]: AVC avc:  denied  { open } for  pid=21411 comm="tlp" path="/run/tlp/lock_tlp" dev="tmpfs" ino=291918 scontext=system_u:system_r:tlp_t:s0 tcontext=unconfined_u:object_r:var_ru>
Sep 24 19:37:53 jl-xps systemd[1]: tlp.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 19:37:53 jl-xps systemd[1]: tlp.service: Failed with result 'exit-code'.
Sep 24 19:37:53 jl-xps systemd[1]: Failed to start TLP system startup/shutdown.
-- Subject: Unit tlp.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit tlp.service has failed.
-- 
-- The result is RESULT.

Comment 18 Jean-Loup Tastet 2018-09-25 09:25:54 UTC
Description of problem:
When resuming the laptop from suspend, with TLP enabled.

Version-Release number of selected component:
selinux-policy-3.14.1-42.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.6-301.local.fc29.x86_64
type:           libreport

Comment 19 Arsalan Rezazadeh 2018-10-17 05:16:48 UTC
Description of problem:
1- Installed tlp
2- On each shutdown SELinux gives this error
3- Also the tlp service is not active
4- systemctl status gives a failure running tlp
5- lock_tlp error


I use Fedora 27

Version-Release number of selected component:
selinux-policy-3.13.1-284.37.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.18.12-100.fc27.x86_64
type:           libreport

