fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

SELinux blocking TLP #1987

Open amogus07 opened 8 months ago

amogus07 commented 8 months ago

I installed TLP from the latest release tarball, and encountered the following SELinux alert:
*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow tlp to have create access on the rfkill_saved file
Then you need to change the label on rfkill_saved
Do
# semanage fcontext -a -t FILE_TYPE 'rfkill_saved'
where FILE_TYPE is one of the following: ica_tmpfs_t, sysfs_t, systemd_passwd_var_run_t, tlp_var_lib_t, tlp_var_run_t.
Then execute:
restorecon -v 'rfkill_saved'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that tlp should be allowed create access on the rfkill_saved file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Additional Information:
Source Context                system_u:system_r:tlp_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                rfkill_saved [ file ]
Source                        tlp
Source Path                   tlp
Port                          <Unknown>
Host                          konstantin-fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-39.3-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.3-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     konstantin-fedora
Platform                      Linux konstantin-fedora 6.6.8-200.fc39.x86_64 #1
                              SMP PREEMPT_DYNAMIC Thu Dec 21 04:01:49 UTC 2023
                              x86_64
Alert Count                   3
First Seen                    2023-12-28 19:15:31 PST
Last Seen                     2023-12-28 21:19:00 PST
Local ID                      7804234d-5593-4650-8a49-f4c6dbddafd1

Raw Audit Messages
type=AVC msg=audit(1703827140.363:240): avc:  denied  { create } for  pid=5504 comm="tlp" name="rfkill_saved" scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

Hash: tlp,tlp_t,var_lib_t,file,create

zpytela commented 7 months ago

@amogus07 What is the file path?

Taxicletter commented 5 months ago

I'm not sure, but is this related? It is also tlp, but about searching and snapd...

SELinux belet tlp search toegang op map /var/lib/snapd.

*****  Plugin catchall (met 100. vertrouwen) suggereert   ********************

Als je denkt dat tlp standaard search toegang moet hebben tot de snapd directory.
Dan je moet dit melden als een fout.
Je kunt een locale tactiek module genereren om deze toegang toe te staan.
Doe
sta deze toegang nu toe door het uitvoeren van:
# ausearch -c 'tlp' --raw | audit2allow -M my-tlp
# semodule -X 300 -i my-tlp.pp

Aanvullende informatie:
Broncontext                   system_u:system_r:tlp_t:s0
Doelcontext                   system_u:object_r:snappy_var_lib_t:s0
Doelobjecten                  /var/lib/snapd [ dir ]
Bron                          tlp
Bronpad                       tlp
Poort                         <Onbekend>
Host                          fedora
Bron RPM-pakketten            
Doel RPM-pakketten            snapd-2.61.2-0.fc39.x86_64
SELinux Beleid RPM            selinux-policy-targeted-39.5-1.fc39.noarch
Lokale Beleid RPM             selinux-policy-targeted-39.5-1.fc39.noarch
SELinux aangezet              True
Beleidstype                   targeted
Afdwingende modus             Enforcing
Hostnaam                      fedora
Platform                      Linux fedora 6.7.9-200.fc39.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar  6 19:35:04 UTC 2024
                              x86_64
Aantal waarschuwingen         199
Eerst gezien op               2024-03-06 17:26:46 CET
Laatst gezien op              2024-03-19 22:21:05 CET
Locale ID                     5741e711-c34c-4eb6-bfd2-5c69f682cbd5

Onbewerkte auditboodschappen
type=AVC msg=audit(1710883265.1:33140): avc:  denied  { search } for  pid=65577 comm="tlp" name="snapd" dev="nvme0n1p3" ino=1236784 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0

Hash: tlp,tlp_t,snappy_var_lib_t,dir,search

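
The two reports above are the same kind of evidence handled two different ways by sealert: the first denial (tlp_t creating a file labelled with the generic var_lib_t) is offered a relabel because a domain-specific type such as tlp_var_lib_t exists, while the second (tlp_t searching a directory already carrying snapd's own snappy_var_lib_t) can only be fixed in policy. The parser below, an added example that is not part of this issue or of selinux-policy, reads raw `type=AVC` records, extracts the source and target types, and reproduces that triage. The candidate type list is taken from the catchall_labels plugin output above rather than from `seinfo -t`, and the file path stays a placeholder because the thread never confirms it; the constructed sample input is the two audit lines quoted in this thread.

```python
import re
from dataclasses import dataclass, field

# The two AVC records quoted in this issue, used here as constructed sample input.
SAMPLE_AVC = [
    'type=AVC msg=audit(1703827140.363:240): avc:  denied  { create } for  pid=5504 comm="tlp" name="rfkill_saved" scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1710883265.1:33140): avc:  denied  { search } for  pid=65577 comm="tlp" name="snapd" dev="nvme0n1p3" ino=1236784 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0',
]

# Types that sealert's catchall_labels plugin listed above. On a real host the
# candidate list would come from `seinfo -t`; this set is constructed for the example.
KNOWN_TYPES = {"ica_tmpfs_t", "sysfs_t", "systemd_passwd_var_run_t", "tlp_var_lib_t", "tlp_var_run_t"}

# Generic location types: a target carrying one of these usually means the file
# was created without the application-specific label the policy expects.
GENERIC_TYPES = {"var_lib_t", "var_run_t", "var_t", "var_log_t", "etc_t", "tmp_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: tuple
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str
    enforced: bool            # permissive=0: the access was actually blocked, not just logged
    fields: dict = field(default_factory=dict)


def _type_of(context):
    # user:role:type:range -> type (an MLS range may itself contain colons)
    return context.split(":")[2]


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied' record into a Denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
        enforced=fields.get("permissive", "0") == "0",
        fields=fields,
    )


def te_rule(d):
    """The allow rule audit2allow would emit for this single denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ %s }" % " ".join(d.perms)
    return "allow %s %s:%s %s;" % (d.source_type, d.target_type, d.tclass, perms)


def classify(d, known_types=KNOWN_TYPES):
    """Mirror sealert's two plugins: a generic target type with a matching
    domain-specific type available points at a mislabelled file (relabel it);
    anything else is a gap in the policy itself (report it, and carry a local
    module only until the fix lands upstream)."""
    domain = d.source_type[:-2] if d.source_type.endswith("_t") else d.source_type
    if d.target_type in GENERIC_TYPES:
        candidate = "%s_%s" % (domain, d.target_type)   # tlp + var_lib_t -> tlp_var_lib_t
        if candidate in known_types:
            return {
                "verdict": "relabel",
                "type": candidate,
                # the full path must be confirmed first, so it stays a placeholder here
                "commands": [
                    "semanage fcontext -a -t %s '<full path of %s>'" % (candidate, d.name),
                    "restorecon -v '<full path of %s>'" % d.name,
                ],
            }
    return {
        "verdict": "policy_gap",
        "rule": te_rule(d),
        "commands": [
            "ausearch -c '%s' --raw | audit2allow -M my-%s" % (d.comm, d.comm),
            "semodule -X 300 -i my-%s.pp" % d.comm,
        ],
    }


def triage(lines):
    """Classify every AVC denial in a batch of raw audit lines."""
    return [classify(parse_avc(l)) for l in lines if "avc:" in l and "denied" in l]


if __name__ == "__main__":
    for d, verdict in zip(map(parse_avc, SAMPLE_AVC), triage(SAMPLE_AVC)):
        print(d.comm, d.perms, d.target_type, d.tclass, "->", verdict["verdict"])
        for cmd in verdict["commands"]:
            print("   ", cmd)
```

Feeding it `ausearch -m AVC --raw` output gives the same split sealert makes, which is useful when a host has accumulated hundreds of alerts (199 in the second report): relabel verdicts are fixed on the box, while policy_gap verdicts are the ones worth attaching to an issue like this one, together with the rule audit2allow would generate.
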
iHarryPotter178 commented 4 months ago

TLP says it's a problem after Fedora 40: https://linrunner.de/tlp/installation/fedora.html