Hi all,

I was addressed here from the fedora-general list. When I try to kill kwin (workaround I am trying for a bug), which is not owned by root, from an acpid event handler, I see

==============
type=PATH msg=audit(1120137170.131:15862051): item=0 name="/home/vincenzo" inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137170.131:15862051): arch=40000003 syscall=195 success=no exit=-13 a0=8608218 a1=bfaec42c a2=236ff4 a3=bfaec42c items=1 pid=2381 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137170.131:15862051): avc: denied { search } for pid=2381 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1120137170.138:15862566): arch=40000003 syscall=37 success=no exit=-1 a0=b97 a1=9 a2=0 a3=b97 items=0 pid=2381 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="killall" exe="/usr/bin/killall"
type=AVC msg=audit(1120137170.138:15862566): avc: denied { kill } for pid=2381 comm="killall" capability=5 scontext=root:system_r:apmd_t tcontext=root:system_r:apmd_t tclass=capability
===============

in audit.log

Also, if I try to use

action=chvt 1 < /dev/tty10

(because chvt needs a tty to operate) I find

========
type=PATH msg=audit(1120137360.814:62404): item=0 name="/home/vincenzo" inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137360.814:62404): arch=40000003 syscall=195 success=no exit=-13 a0=957e218 a1=bfb7578c a2=987ff4 a3=bfb7578c items=1 pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137360.814:62404): avc: denied { search } for pid=2450 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t tcontext=system_u:object_r:home_root_t tclass=dir
========

even if /dev/tty10 is owned by root. How do I allow both operations?
I can't find any reference to acpid in the selinux configuration tool.

Bye and thanks

Vincenzo Ciancia

--
Please note that I do not read the e-mail address used in the from field but I read vincenzo_ml at yahoo dot it

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
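
Added example, not part of the original post: a Python parser that reads the two distinct AVC denials quoted in the message and derives the type-enforcement rules they correspond to, in the style audit2allow reports them. The function names are hypothetical, and the resulting rules are candidates to review against the policy, not a recommended change.

```python
import re

# The two distinct AVC records from the post, copied from the message above.
SAMPLE = [
    'type=AVC msg=audit(1120137170.131:15862051): avc: denied { search } for '
    'pid=2381 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t '
    'tcontext=system_u:object_r:home_root_t tclass=dir',
    'type=AVC msg=audit(1120137170.138:15862566): avc: denied { kill } for '
    'pid=2381 comm="killall" capability=5 scontext=root:system_r:apmd_t '
    'tcontext=root:system_r:apmd_t tclass=capability',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit line; return None for anything that is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    return {
        "comm": comm.group(1) if comm else None,
        "source": selinux_type(m.group("scon")),
        "target": selinux_type(m.group("tcon")),
        "tclass": m.group("tclass"),
        "perms": tuple(m.group("perms").split()),
    }

def candidate_rules(lines):
    """Group denials into de-duplicated allow-rule candidates for review."""
    grouped = {}
    for denial in filter(None, map(parse_avc, lines)):
        # A denial against the process's own domain is written as 'self'.
        same = denial["target"] == denial["source"]
        key = (denial["source"], "self" if same else denial["target"], denial["tclass"])
        grouped.setdefault(key, set()).update(denial["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

Both denials have the source domain apmd_t: the shell started by the acpid handler could not search the home_root_t directory, and killall lacked the kill capability inside that same domain.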