Bug 2163015

Summary: SELinux is preventing /usr/sbin/upsd from using the kill capability
Product: [Fedora] Fedora EPEL
Component: nut
Version: epel9
Status: NEW
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: Graham Leggett <minfrin>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: cra, james, mhlavink, orion, scott

Description Graham Leggett 2023-01-22 22:54:12 UTC
Description of problem:

SELinux failure while using upsd.

Version-Release number of selected component (if applicable):

2.8.0-3.el9

How reproducible:

Always

Steps to Reproduce:
1. Configure upsd with a USB UPS on RHEL9
2. Change /etc/ups/ups.conf configuration
3.

Actual results:

SELinux starts complaining.

Expected results:

No complaints from SELinux.

Additional info:

Jan 23 00:48:40 blackadder setroubleshoot[51526]: SELinux is preventing /usr/sbin/upsd from using the kill capability. For complete SELinux messages run: sealert -l 3a932861-930c-4ea9-9c9f-0d048c565c42
Jan 23 00:48:40 blackadder setroubleshoot[51526]: SELinux is preventing /usr/sbin/upsd from using the kill capability.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that upsd should have the kill capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'upsd' --raw | audit2allow -M my-upsd#012# semodule -X 300 -i my-upsd.pp#012
Jan 23 00:48:49 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.SetroubleshootPrivileged: Main process exited, code=killed, status=14/ALRM
Jan 23 00:48:49 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.SetroubleshootPrivileged: Failed with result 'signal'.
Jan 23 00:48:49 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.SetroubleshootPrivileged: Consumed 1.550s CPU time.
Jan 23 00:48:50 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.Setroubleshootd: Main process exited, code=killed, status=14/ALRM
Jan 23 00:48:50 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.Setroubleshootd: Failed with result 'signal'.
Jan 23 00:48:50 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.Setroubleshootd: Consumed 1.889s CPU time.
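
For triage, the setroubleshoot lines above can be unpacked mechanically: rsyslog writes each newline in the message as `#012`, which hides the plugin verdict and the suggested commands in one long line. The parser below is an added example, not part of the original report or of nut/setroubleshoot; its function names are hypothetical and the sample lines are constructed in the same shape as the log above.

```python
import re

# Constructed sample lines in the shape of the report's log
# (hostname, alert id and unit name are placeholders).
SAMPLE_LINES = [
    "Jan 23 00:48:40 host setroubleshoot[51526]: SELinux is preventing /usr/sbin/upsd from "
    "using the kill capability. For complete SELinux messages run: sealert -l "
    "00000000-0000-0000-0000-000000000000",
    "Jan 23 00:48:40 host setroubleshoot[51526]: SELinux is preventing /usr/sbin/upsd from "
    "using the kill capability.#012#012*****  Plugin catchall (100. confidence) suggests  "
    " *****#012#012If you believe that upsd should have the kill capability by default."
    "#012Then you should report this as a bug.#012Do#012allow this access for now by "
    "executing:#012# ausearch -c 'upsd' --raw | audit2allow -M my-upsd#012"
    "# semodule -X 300 -i my-upsd.pp#012",
    "Jan 23 00:48:49 host systemd[1]: example.service: Failed with result 'signal'.",
]

OCTAL_ESCAPE = re.compile(r"#([0-3][0-7]{2})")  # rsyslog control-char escape: "\n" -> "#012"
HEADLINE = re.compile(r"SELinux is preventing (?P<path>\S+) from (?P<access>[^.]+)")
PLUGIN = re.compile(r"Plugin (?P<name>\S+) \((?P<conf>[\d.]+) confidence\)")
ALERT_ID = re.compile(r"sealert -l (?P<id>[0-9a-f-]{36})")

def decode_escapes(text):
    """Turn rsyslog #NNN octal escapes back into the characters they stand for."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)

def parse_setroubleshoot(line):
    """Return the fields of one setroubleshoot syslog line, or None for any other line."""
    _, tag, rest = line.partition("setroubleshoot[")
    if not tag:
        return None
    msg = decode_escapes(rest.partition("]: ")[2])
    rows = [r.strip() for r in msg.split("\n") if r.strip()]
    head = HEADLINE.match(rows[0]) if rows else None
    if not head:
        return None
    plugin = next((m for m in map(PLUGIN.search, rows) if m), None)
    alert = ALERT_ID.search(msg)
    return {
        "path": head["path"],
        "access": head["access"],
        "plugin": plugin["name"] if plugin else None,
        "confidence": float(plugin["conf"]) if plugin else None,
        "alert_id": alert["id"] if alert else None,
        # Suggested commands are the rows that begin with a root prompt "# ".
        "commands": [r[2:] for r in rows[1:] if r.startswith("# ")],
    }
```

The extracted commands are what setroubleshoot proposes, not a vetted fix: review the rule audit2allow generates before loading it with semodule.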

Comment 1 Orion Poplawski 2023-01-23 02:01:01 UTC
So, I submitted a fix for this to fedora-selinux - https://github.com/fedora-selinux/selinux-policy/pull/1552 - but it's going to take a long time to trickle down. I think the thing to do is to start shipping the SELinux policy as part of the nut package.