I have an APC UPS supporting one of our web servers and would like to
keep SELinux enabled, but the apcupsd is unable to run its support
script /etc/apcupsd/apccontrol when a power out even occurs. This script
is needed to gracefully inform users and power off the machine cleanly.
Jun 12 12:51:40 web kernel: audit(1181649100.560:15): avc: denied {
execute } for pid=4129 comm="apcupsd" name="apccontrol" dev=dm-0
ino=1870532 sconte
xt=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file
Jun 12 12:51:40 web kernel: audit(1181649100.560:16): avc: denied {
execute } for pid=4130 comm="apcupsd" name="apccontrol" dev=dm-0
ino=1870532 sconte
xt=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file
I've tried writing a local policy, but just seem to propagate the problem:
module local 1.0;
require {
type bin_t;
type apcupsd_t;
type net_conf_t;
type etc_t;
type shell_exec_t;
type hostname_exec_t;
type proc_t;
class file { read execute getattr execute_no_trans };
class dir search;
class lnk_file read;
}
#============= apcupsd_t ==============
allow apcupsd_t etc_t:file execute;
allow apcupsd_t etc_t:file execute_no_trans;
allow apcupsd_t net_conf_t:file read;
allow apcupsd_t bin_t:dir search;
allow apcupsd_t bin_t:lnk_file read;
allow apcupsd_t shell_exec_t:file execute;
allow apcupsd_t shell_exec_t:file read;
allow apcupsd_t bin_t:file { read getattr execute execute_no_trans };
allow apcupsd_t hostname_exec_t:file { read execute getattr };
allow apcupsd_t proc_t:file {read getattr};
type=AVC msg=audit(1181656523.928:210): avc: denied { read write } for
pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933
scontext=root:system_r:apcupsd
_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:210): arch=40000003 syscall=5
success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1
pid=7520 auid=4294
967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5
tty=(none) comm="wall" exe="/usr/bin/wall"
subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:211): avc: denied { read } for
pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933
scontext=root:system_r:apcupsd_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:211): arch=40000003 syscall=5
success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1
pid=7520 auid=4294
967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5
tty=(none) comm="wall" exe="/usr/bin/wall"
subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:212): avc: denied { read write } for
pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933
scontext=root:system_r:apcupsd
_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:212): arch=40000003 syscall=5
success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1
pid=7520 auid=4294
967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5
tty=(none) comm="wall" exe="/usr/bin/wall"
subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:213): avc: denied { read } for
pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933
scontext=root:system_r:apcupsd_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:213): arch=40000003 syscall=5
success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1
pid=7520 auid=4294
967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5
tty=(none) comm="wall" exe="/usr/bin/wall"
subj=root:system_r:apcupsd_t:s0 key=(null)
type=USER_AVC msg=audit(1181656637.910:214): user pid=1869 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
received policyload noti
ce (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
System:
kernel-2.6.21-1.3226.fc7
selinux-policy-2.6.4-13.fc7
Any help appreciated,
Simon
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
