SElinux AVCs

[keysteal72]

Hi, every time I boot my Fedora, it appears a Selinux warning that has blocked 2 processes started bye tlp with destination dac_override and search (on /var/lib/snapd folder). Anyone has same issue?

[linrunner]

Hi, how do you expect to start a discussion if you are silent about most of the facts? The very least would be the output of:

 sudo ausearch -su 'tlp' -ts boot

Please don't just copy the long output here. Instead, use https://gist.github.com/. Thanks!

[keysteal72]

It's not long:

---
time->Sun Sep 29 15:40:01 2024
type=AVC msg=audit(1727617201.069:188): avc:  denied  { search } for  pid=2712 comm="tlp" name="snapd" dev="sda3" ino=718591 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:snappy_var_lib_t:s0 tclass=dir permissive=0
----
time->Sun Sep 29 15:40:01 2024
type=AVC msg=audit(1727617201.311:189): avc:  denied  { dac_override } for  pid=2712 comm="tlp" capability=1  scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:system_r:tlp_t:s0 tclass=capability permissive=0
----
time->Sun Sep 29 15:40:01 2024
type=AVC msg=audit(1727617201.311:190): avc:  denied  { dac_override } for  pid=2712 comm="tlp" capability=1  scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:system_r:tlp_t:s0 tclass=capability permissive=0

[linrunner]

I don't see parts of TLP being blocked here. TLP doesn't touch dac_override (whatever that might be) or /var/lib/snapd/.

You are welcome to wait and see if anyone gets in touch.

However, please note that I do not take care of SELinux issues upstream. If you want this fixed, you need to open a Fedora bug report against the selinux-policy package. If you do, please post the link here. Thank you.