acpid cannot run 'amixer' due to SELinux issue?

Hello,

I'm trying to control the system volume on my laptop using the special
volume keys on the keyboard.
Pressing the keys generates acpi events, so I am using acpid to handle them.
I have a script at /etc/acpid/actions that runs, no problem.

However, the script does not work when run via the acpid daemon. In
particular the "amixer" command it uses to alter the volume fails.

It works fine when run manually, and fine when run as root.

I suspect SELinux because:

1) Running 'setenforce 0' causes it to start working

2) I see denials in the audit.log:

    type=AVC msg=audit(1450643943.351:1071): avc:  denied  { read } for  pid=17124 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0

First question: Should I be opening a bug report about this? This page
indicates maybe so:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Now, I have gone ahead trying to get this working using audit2allow.
Indeed, I have created a policy package, with these bits:
    allow apmd_t sound_device_t:chr_file ioctl;
    allow apmd_t sound_device_t:chr_file { read open };

I installed the .pp file with "semodule -i", and it shows up in "semodule -l".

Now, no audit.log entries are produced. But it still doesn't work!
It *does* work when I use "setenforce 0", but apparently my custom
policy package, while it does silence the audit log, does not fix the
issue.

So, my second question: What else could be going on?
Wouldn't any denials show up in the log?

I would like to solve this in a focused way, rather than turning off
SELinux entirely, but currently that seems to be the only thing that
works, and I can't see how to proceed...

My system info, if you want:

    $ uname -a
    Linux biglap.home.lan 3.18.9-200.fc21.x86_64 #1 SMP Mon Mar 9 15:10:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
    $ cat /etc/fedora-release
    Fedora release 21 (Twenty One)

Thanks
-John
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx


