Bug 1070960

Summary: SELinux is preventing /usr/sbin/apcupsd from using the 'signull' accesses on a process.
Product: [Fedora] Fedora Reporter: Nicolas Berrehouc <nberrehouc>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, lvrabec, mgrepl, mhlavink
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:1fdf8886e6841fb87026a13017bbeb119639aef434a723ff882358f5235b5e1d
Fixed In Version: selinux-policy-3.12.1-163.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-21 23:30:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nicolas Berrehouc 2014-02-27 19:57:28 UTC 
Description of problem:
SELinux is preventing /usr/sbin/apcupsd from using the 'signull' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que apcupsd devrait être autorisé à accéder signull sur les processus étiquetés sshd_keygen_t par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep apcupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apcupsd_t:s0
Target Context                system_u:system_r:sshd_keygen_t:s0
Target Objects                 [ process ]
Source                        apcupsd
Source Path                   /usr/sbin/apcupsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           apcupsd-3.14.11-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-127.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.13.3-201.fc20.x86_64 #1 SMP Fri
                              Feb 14 19:08:32 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-02-27 20:47:17 CET
Last Seen                     2014-02-27 20:47:17 CET
Local ID                      3e5c7e37-e0c4-4549-a789-ebb40473c15a

Raw Audit Messages
type=AVC msg=audit(1393530437.742:356): avc:  denied  { signull } for  pid=1284 comm="apcupsd" scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:system_r:sshd_keygen_t:s0 tclass=process


type=SYSCALL msg=audit(1393530437.742:356): arch=x86_64 syscall=kill success=yes exit=0 a0=4ff a1=0 a2=504 a3=4ff items=0 ppid=1 pid=1284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=apcupsd exe=/usr/sbin/apcupsd subj=system_u:system_r:apcupsd_t:s0 key=(null)

Hash: apcupsd,apcupsd_t,sshd_keygen_t,process,signull

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.13.3-201.fc20.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2014-02-28 12:01:42 UTC 
Why would apcupsd want to check sshd_keygen_t process?
Comment 2 Daniel Walsh 2014-02-28 22:12:20 UTC 
I think it sends signull to every process on the system.
Comment 3 Michal Hlavinka 2014-04-08 16:58:34 UTC 
(In reply to Miroslav Grepl from comment #1)
> Why would apcupsd want to check sshd_keygen_t process?

   /*
    * Okay, now we have a stalepid to check.
    * kill(pid,0) checks to see if the process is still running.
    */
   if (kill(stalepid, 0) == -1 ....

It's a check for stale pid file. 
Similar to bug #843631
Comment 4 Daniel Walsh 2014-05-05 19:22:25 UTC 
commit 2b37e8083b2b09c2fec7e892a6004005024f6b33

fixes this in git.
Comment 5 Fedora Update System 2014-05-07 09:44:24 UTC 
selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20
Comment 6 Fedora Update System 2014-05-08 10:01:38 UTC 
Package selinux-policy-3.12.1-161.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2014-05-14 23:53:10 UTC 
Package selinux-policy-3.12.1-163.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-163.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2014-05-21 23:30:27 UTC 
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.