On 12/25/05, Tom London <selinux@xxxxxxxxx> wrote:
> On 12/24/05, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > Steve G wrote:
> > > Hi...from my logs:
> > >
> > > type=PATH msg=audit(12/23/2005 10:36:04.030:20507) : item=0 name=(null)
> > > inode=14909846 dev=03:07 mode=socket,666 ouid=root ogid=root rdev=00:00
> > > obj=system_u:object_r:var_run_t:s0
> > > type=SOCKADDR msg=audit(12/23/2005 10:36:04.030:20507) : saddr=local
> > > /var/run/acpid.socket
> > > type=SYSCALL msg=audit(12/23/2005 10:36:04.030:20507) : arch=x86_64
> > > syscall=connect success=no exit=-13(Permission denied) a0=4 a1=7fffffbf25c0
> > > a2=6e a3=7fffffbf2428 items=1 pid=2242 auid=unknown(4294967295) uid=root
> > > gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> > > comm=hald-addon-acpi exe=/usr/libexec/hald-addon-acpi
> > > subj=system_u:system_r:hald_t:s0
> > > type=AVC msg=audit(12/23/2005 10:36:04.030:20507) : avc: denied { write }
> > > for pid=2242 comm=hald-addon-acpi name=acpid.socket dev=hda7 ino=14909846
> > > scontext=system_u:system_r:hald_t:s0 context=system_u:object_r:var_run_t:s0
> > > tclass=sock_file
> > >
> > > This just scrolls for hours and hours...
> > >
> > >
> > You have a mislabeled socket file in /var/run.
> >
> > restorecon -v /var/run/acpid.socket
> > ls -lZ /var/run/acpid.socket
> > srw-rw-rw- root root system_u:object_r:apmd_var_run_t /var/run/acpid.socket
> >
> > > -Steve
> > >
> Uhhh, a bit more here: I get many 100s of these (while running latest
> rawhide, targeted/enforcing):
> ----
> type=PATH msg=audit(12/25/2005 11:15:38.770:1619) : item=0
> flags=follow inode=2142287 dev=fd:00 mode=socket,666 ouid=root
> ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(12/25/2005 11:15:38.770:1619) : nargs=3 a0=4
> a1=bffabfb6 a2=6e
> type=SOCKADDR msg=audit(12/25/2005 11:15:38.770:1619) : saddr=local
> /var/run/acpid.socket
> type=AVC_PATH msg=audit(12/25/2005 11:15:38.770:1619) :
> path=/var/run/acpid.socket
> type=SYSCALL msg=audit(12/25/2005 11:15:38.770:1619) : arch=i386
> syscall=socketcall(connect) success=no exit=-13(Permission denied)
> a0=3 a1=bffabf80 a2=4 a3=989d030 items=1 pid=2719
> auid=unknown(4294967295) uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root comm=hald-addon-acpi
> exe=/usr/libexec/hald-addon-acpi
> type=AVC msg=audit(12/25/2005 11:15:38.770:1619) : avc: denied {
> connectto } for pid=2719 comm=hald-addon-acpi name=acpid.socket
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
> ----
> type=PATH msg=audit(12/25/2005 11:15:43.774:1620) : item=0
> flags=follow inode=2142287 dev=fd:00 mode=socket,666 ouid=root
> ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(12/25/2005 11:15:43.774:1620) : nargs=3 a0=4
> a1=bffabfb6 a2=6e
> type=SOCKADDR msg=audit(12/25/2005 11:15:43.774:1620) : saddr=local
> /var/run/acpid.socket
> type=AVC_PATH msg=audit(12/25/2005 11:15:43.774:1620) :
> path=/var/run/acpid.socket
> type=SYSCALL msg=audit(12/25/2005 11:15:43.774:1620) : arch=i386
> syscall=socketcall(connect) success=no exit=-13(Permission denied)
> a0=3 a1=bffabf80 a2=4 a3=989d030 items=1 pid=2719
> auid=unknown(4294967295) uid=root gid=root euid=root suid=root >
fsuid=root egid=root sgid=root fsgid=root comm=hald-addon-acpi
> exe=/usr/libexec/hald-addon-acpi
> type=AVC msg=audit(12/25/2005 11:15:43.774:1620) : avc: denied {
> connectto } for pid=2719 comm=hald-addon-acpi name=acpid.socket
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
>
> Strange thing is, /var/run/acpid.socket is NOT labeled crond_t, but
> apmd_var_run_t:
> [root@tlondon ~]# ls -lZ /var/run/acpi*
> srw-rw-rw- root root system_u:object_r:apmd_var_run_t
> /var/run/acpid.socket
> [root@tlondon ~]#
>

A bit more on this:

[root@tlondon ~]# ps gaxZ | grep crond_t
system_u:system_r:crond_t:SystemLow-SystemHigh 2639 ? Ss 0:00 crond
system_u:system_r:crond_t:SystemLow-SystemHigh 2656 ? Ss 0:00 /usr/sbin/atd
system_u:system_r:crond_t 4295 ? SNs 0:00 /usr/sbin/acpid
system_u:system_r:crond_t 4307 ? SNs 0:00 cupsd
[root@tlondon ~]#

Should acpid and cupsd be running as crond_t? That would explain the crond_t tcontext in the denials above: connectto on a unix_stream_socket is checked against the domain of the process that created the listening socket, not against the label of the socket file.

[root@tlondon ~]# ls -lZ /usr/sbin/acpid
-rwxr-x--- root root system_u:object_r:apmd_exec_t /usr/sbin/acpid
[root@tlondon ~]# ls -lZ /usr/sbin/cupsd
-rwxr-xr-x root root system_u:object_r:cupsd_exec_t /usr/sbin/cupsd
[root@tlondon ~]#

Is there a missing transition (or some such)?

tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list