SELinux blocking TLP #1987

Open
amogus07 opened this issue Dec 29, 2023 · 3 comments

@amogus07

I installed TLP from the latest release tarball, and encountered the following SELinux alert:


*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow tlp to have create access on the rfkill_saved file
Then you need to change the label on rfkill_saved
Do
# semanage fcontext -a -t FILE_TYPE 'rfkill_saved'
where FILE_TYPE is one of the following: ica_tmpfs_t, sysfs_t, systemd_passwd_var_run_t, tlp_var_lib_t, tlp_var_run_t.
Then execute:
restorecon -v 'rfkill_saved'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that tlp should be allowed create access on the rfkill_saved file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                rfkill_saved [ file ]
Source                        tlp
Source Path                   tlp
Port                          <Unknown>
Host                          konstantin-fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-39.3-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.3-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     konstantin-fedora
Platform                      Linux konstantin-fedora 6.6.8-200.fc39.x86_64 #1
                              SMP PREEMPT_DYNAMIC Thu Dec 21 04:01:49 UTC 2023
                              x86_64
Alert Count                   3
First Seen                    2023-12-28 19:15:31 PST
Last Seen                     2023-12-28 21:19:00 PST
Local ID                      7804234d-5593-4650-8a49-f4c6dbddafd1

Raw Audit Messages
type=AVC msg=audit(1703827140.363:240): avc:  denied  { create } for  pid=5504 comm="tlp" name="rfkill_saved" scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: tlp,tlp_t,var_lib_t,file,create
@zpytela
Contributor

zpytela commented Jan 18, 2024

@amogus07 What is the file path?

@Taxicletter

I'm not sure, but is this related? It is also tlp, but about searching and snapd...

SELinux belet tlp search toegang op map /var/lib/snapd.

*****  Plugin catchall (met 100. vertrouwen) suggereert   ********************

Als je denkt dat tlp standaard search toegang moet hebben tot de snapd directory.
Dan je moet dit melden als een fout.
Je kunt een locale tactiek module genereren om deze toegang toe te staan.
Doe
sta deze toegang nu toe door het uitvoeren van:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Aanvullende informatie:
Broncontext                   system_u:system_r:tlp_t:s0
Doelcontext                   system_u:object_r:snappy_var_lib_t:s0
Doelobjecten                  /var/lib/snapd [ dir ]
Bron                          tlp
Bronpad                       tlp
Poort                         <Onbekend>
Host                          fedora
Bron RPM-pakketten            
Doel RPM-pakketten            snapd-2.61.2-0.fc39.x86_64
SELinux Beleid RPM            selinux-policy-targeted-39.5-1.fc39.noarch
Lokale Beleid RPM             selinux-policy-targeted-39.5-1.fc39.noarch
SELinux aangezet              True
Beleidstype                   targeted
Afdwingende modus             Enforcing
Hostnaam                      fedora
Platform                      Linux fedora 6.7.9-200.fc39.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar  6 19:35:04 UTC 2024
                              x86_64
Aantal waarschuwingen         199
Eerst gezien op               2024-03-06 17:26:46 CET
Laatst gezien op              2024-03-19 22:21:05 CET
Locale ID                     5741e711-c34c-4eb6-bfd2-5c69f682cbd5

Onbewerkte auditboodschappen
type=AVC msg=audit(1710883265.1:33140): avc:  denied  { search } for  pid=65577 comm="tlp" name="snapd" dev="nvme0n1p3" ino=1236784 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0


Hash: tlp,tlp_t,snappy_var_lib_t,dir,search

@iHarryPotter178

TLP says it's a problem after Fedora 40 - https://linrunner.de/tlp/installation/fedora.html
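For triage, the two raw AVC records quoted in this thread can be parsed into the fields a policy maintainer needs. This is an added example, not part of the issue or of the selinux-policy or setroubleshoot code. The function names are illustrative, and using `comm` as the first element of the hash tuple is an assumption that holds for both reports here, where it equals the "Source" field.

```python
import re

# Raw AVC records copied from the two sealert reports in this thread.
AVC_RFKILL = ('type=AVC msg=audit(1703827140.363:240): avc:  denied  { create } '
              'for  pid=5504 comm="tlp" name="rfkill_saved" '
              'scontext=system_u:system_r:tlp_t:s0 '
              'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0')
AVC_SNAPD = ('type=AVC msg=audit(1710883265.1:33140): avc:  denied  { search } '
             'for  pid=65577 comm="tlp" name="snapd" dev="nvme0n1p3" ino=1236784 '
             'scontext=system_u:system_r:tlp_t:s0 '
             'tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into its key=value fields plus the permission list."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # A context is user:role:type:level; the type is always the third element.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def sealert_hash(avc):
    """Rebuild the tuple shown on the reports' 'Hash:' line."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"],
                     avc["tclass"], *avc["perms"]])


def locatable(avc):
    """Report what the record offers for finding the target object on disk."""
    if "path" in avc:
        return "path"
    if "dev" in avc and "ino" in avc:
        return "dev+ino"
    return "name-only"


if __name__ == "__main__":
    for rec in (AVC_RFKILL, AVC_SNAPD):
        avc = parse_avc(rec)
        print(sealert_hash(avc), "->", locatable(avc))
```

The `rfkill_saved` record comes out as name-only: it carries no `path`, `dev` or `ino` field, whereas the `snapd` record has both `dev` and `ino`.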
