Bug 1047535

Summary: selinux preventing proper operation of apcupsd
Product: [Fedora] Fedora
Reporter: Bill Gianopoulos <wgianopoulos>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 20
CC: awilliam, dominick.grift, dwalsh, jorge.fabregas, lvrabec, mgrepl, mhlavink, nberrehouc, philipp
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2014-05-03 10:05:10 UTC
Type: Bug

Description Bill Gianopoulos 2013-12-31 15:23:11 UTC
I am not sure if this should be filed under apcupsd or selinux, but apcupsd fails to properly power off the UPS on the powerfail condition because selinux is preventing it from creating and writing to the /etc/apcupsd/powerfial file.

I have added the following policy based on the selinux troubleshooter help:

module mypol 1.0;

require {
	type etc_t;
	type apcupsd_t;
	type power_unit_file_t;
	class service status;
	class file { write create };
}

#============= apcupsd_t ==============
allow apcupsd_t etc_t:file { write create };
allow apcupsd_t power_unit_file_t:service status;

Comment 1 Bill Gianopoulos 2013-12-31 15:53:48 UTC
I should have made it more clear that adding that policy corrects the issue.  Although I have a fix, I should not be required to do this.  Installing apcupsd on a system with selinux should result in this policy being enabled by default.

Comment 2 Bill Gianopoulos 2013-12-31 17:01:16 UTC
Oh, and I did mean /etc/apcupsd/powerfail

Comment 3 Daniel Walsh 2014-01-02 22:50:10 UTC
Could you attach the original avcs?

We want to label /etc/apcupsd/powerfail with something other than etc_t and then allow access to it.

apcupsd maintainers, why is apcupsd writing to /etc/apcupsd directory?  /etc should be considered read only from the daemon's point of view.

3ddf9bd44bc938651877ff1605bcd1122b5ff7ba and
abef9364bdb70226d536eda105a1318fbff32721 in git allow the status of the power unit file.

Comment 4 Bill Gianopoulos 2014-01-02 23:06:15 UTC
This is where it writes the file that causes the power off of the UPS during shutdown.  Not saying a better location might not be advisable.

Comment 5 Daniel Walsh 2014-01-03 18:08:08 UTC
Could it be written to /run?  Or does it need to be on disk?  If not could we put it in /var/lib/apcupsd/poweoff?

Comment 6 Bill Gianopoulos 2014-01-03 18:34:57 UTC
I have no idea. This is a file that evidently the kernel looks at to determine that after the system is down to tell the UPS to turn itself off.  Not at all sure how this works.

Comment 7 Daniel Walsh 2014-01-03 20:03:01 UTC
Waiting for the package maintainer to respond.  Thanks Bill,

Comment 8 Michal Hlavinka 2014-01-06 10:27:31 UTC
(In reply to Daniel Walsh from comment #5)
> Could it be written to /run?  Or does it need to be on disk?  If not could
> we put it in /var/lib/apcupsd/poweoff?

No, this is flag file and is basically part of the API

Comment 9 Daniel Walsh 2014-01-06 19:42:21 UTC
Michal what would happen if the /etc was read/only?

Comment 10 Daniel Walsh 2014-01-06 19:46:35 UTC
3593a02d6cbf68e4c2411ffd01ae5871b185aafa fixes this in git.

Comment 11 Michal Hlavinka 2014-01-08 09:34:25 UTC
(In reply to Daniel Walsh from comment #9)
> Michal what would happen if the /etc was read/only?

The same problem as in this bug description. Computer would shut down, but UPS would not turn off.

Comment 12 Jorge Fábregas 2014-01-08 22:58:07 UTC
I just bumped into this.  Is the fix available on updates-testing?

Comment 13 Adam Williamson 2014-02-21 17:46:46 UTC
Is this causing https://bugzilla.redhat.com/show_bug.cgi?id=1064099 ?

Comment 14 Adam Williamson 2014-02-27 19:33:34 UTC
Michal: I rather disagree with "No, this is flag file and is basically part of the API".

apcupsd's build process explicitly makes the location configurable and even puts it in different places on different platforms. Extracts from apcupsd configure:

-----

# set the default PWRFAILDIR
PWRFAILDIR=${sysconfdir}

...

# Now we set appropriate distribution specific
#  variables and defaults

case "$DISTNAME" in
...
freebsd)
...
   PWRFAILDIR=/var/run
...
sun)
   PWRFAILDIR=/etc

...

# now allow user to specify PWRFAILDIR

# Check whether --with-pwrfail-dir or --without-pwrfail-dir was given.
if test "${with_pwrfail_dir+set}" = set; then
  withval="$with_pwrfail_dir"
  PWRFAILDIR="$withval";
fi;

-----

The apcupsd build process really doesn't appear to support your assertion that the location of this file is extremely fixed.

Comment 15 Miroslav Grepl 2014-02-28 12:05:11 UTC
*** Bug 1070961 has been marked as a duplicate of this bug. ***

Comment 16 Michal Hlavinka 2014-04-01 12:01:01 UTC
(In reply to Adam Williamson from comment #14)
> Michal: I rather disagree with "No, this is flag file and is basically part
> of the API".
> 
> apcupsd's build process explicitly makes the location configurable 

The location of the nologin flag file is also configurable, yet it has to be in /etc/nologin.

apcupsd can change the file location and it will know about it, but others won't. Internal API changes are fine, external are not.

I will not change the location of the file. apcupsd needs /etc/ writeable for nologin anyway, so this does not create any extra requirement.

Comment 17 Daniel Walsh 2014-05-03 10:05:10 UTC
sesearch -T -s apcupsd_t -t etc_t

Found 2 named file transition filename_trans:
type_transition apcupsd_t etc_t : file apcupsd_power_t "powerfail"; 
type_transition apcupsd_t etc_t : file etc_runtime_t "nologin"; 

Here are the two files that SELinux will allow apcupsd_t to write, which is fine.  But I still think we need to start moving tools to use /run rather than /etc/ for runtime flags.
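
Added example, not part of the original thread and not Fedora's policy code: a small Python model that parses the sesearch output from comment 17, resolves the label a file created by apcupsd_t in an etc_t directory would receive, and compares the fixed policy with the local module from the description. The two creatable-type sets and the filename other.conf are assumptions made for the illustration; directory permissions such as add_name are not modelled.

```python
import re

# Output of `sesearch -T -s apcupsd_t -t etc_t`, copied from comment 17.
SESEARCH_OUTPUT = """\
Found 2 named file transition filename_trans:
type_transition apcupsd_t etc_t : file apcupsd_power_t "powerfail";
type_transition apcupsd_t etc_t : file etc_runtime_t "nologin";
"""

RULE = re.compile(
    r'type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)(?:\s+"([^"]+)")?\s*;')

def parse_transitions(text):
    """Map (domain, parent_type, class, name or None) -> type of the new object."""
    return {(src, parent, cls, name or None): new
            for src, parent, cls, new, name in RULE.findall(text)}

def label_for_new_file(rules, domain, parent_type, filename, cls="file"):
    """Named rule wins, then an unnamed rule, else the parent directory's type."""
    for key in ((domain, parent_type, cls, filename),
                (domain, parent_type, cls, None)):
        if key in rules:
            return rules[key]
    return parent_type

def may_create(rules, creatable_types, filename,
               domain="apcupsd_t", parent_type="etc_t"):
    """True if the label the new file would get is one the domain may create."""
    return label_for_new_file(rules, domain, parent_type, filename) in creatable_types

# Assumption: stand-in for the fixed policy's allow rules, which the page does not show.
FIXED_CREATABLE = {"apcupsd_power_t", "etc_runtime_t"}
# The local module in the description: allow apcupsd_t etc_t:file { write create };
LOCAL_MODULE_CREATABLE = {"etc_t"}

def audit(filenames):
    """Return {filename: (label_with_fix, allowed_by_fix, allowed_by_local_module)}."""
    fixed_rules = parse_transitions(SESEARCH_OUTPUT)
    report = {}
    for name in filenames:
        report[name] = (
            label_for_new_file(fixed_rules, "apcupsd_t", "etc_t", name),
            may_create(fixed_rules, FIXED_CREATABLE, name),
            may_create({}, LOCAL_MODULE_CREATABLE, name),  # no transitions: stays etc_t
        )
    return report

if __name__ == "__main__":
    # "other.conf" is a constructed name standing for any other file in an etc_t directory.
    for name, row in audit(["powerfail", "nologin", "other.conf"]).items():
        print(name, row)
```

The last column shows why the named transitions are the narrower fix: the local module lets the daemon create any etc_t file, while the transitions confine it to the two flag files.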