Bug 2297933

Summary: selinux blocks upsmon (nut-monitor.service) from sending wall messages
Product: [Fedora] Fedora Reporter: Matt Kinni <matt>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 40CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-40.28-1.fc40 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-10-08 01:38:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matt Kinni 2024-07-15 12:13:06 UTC 
These avc denials are logged when nut-monitor attempts to broadcast wall messages in response to a UPS going online/offline (which is the default notification action in /etc/ups/upsmon.conf)

Jul 15 04:53:07 cipix nut-monitor[20084]: UPS OfficeMain@localhost on battery
Jul 15 04:53:07 cipix audit[22200]: AVC avc:  denied  { read } for  pid=22200 comm="wall" name="sessions" dev="tmpfs" ino=94 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_login>
Jul 15 04:53:07 cipix audit[22200]: AVC avc:  denied  { read } for  pid=22200 comm="wall" name="2" dev="tmpfs" ino=3010 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_ses>
Jul 15 04:53:07 cipix audit[22200]: AVC avc:  denied  { open } for  pid=22200 comm="wall" path="/run/systemd/sessions/2" dev="tmpfs" ino=3010 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:objec>
Jul 15 04:53:07 cipix audit[22200]: AVC avc:  denied  { getattr } for  pid=22200 comm="wall" path="/run/systemd/sessions/2" dev="tmpfs" ino=3010 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:ob>

Detail of one of these:
Additional Information:
Source Context                system_u:system_r:nut_upsmon_t:s0
Target Context                system_u:object_r:systemd_logind_sessions_t:s0
Target Objects                /run/systemd/sessions/2 [ file ]
Source                        wall
Source Path                   wall
Port                          <Unknown>
Host                          cipix
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     cipix
Platform                      Linux cipix 6.9.5-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Jun 16 15:47:09 UTC 2024
                              x86_64
Alert Count                   2
First Seen                    2024-07-15 04:53:07 MST
Last Seen                     2024-07-15 04:54:02 MST
Local ID                      0ff7fcde-6761-4867-8100-4bb5c8e847a7


Reproducible: Always
Comment 1 Zdenek Pytela 2024-07-15 13:40:48 UTC 
Matt,

Can you include untruncated audit logs or ausearch output?

ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Comment 2 Matt Kinni 2024-08-25 22:10:37 UTC 
Hello, apologies for not responding until now I lost sight of this.  Here is the output from my system which is now running selinux-policy-targeted-40.26-1.fc40.noarch:


$>ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(08/25/24 15:08:31.976:201) : avc:  denied  { read } for  pid=6543 comm=wall name=sessions dev="tmpfs" ino=1257 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(08/25/24 15:08:31.976:202) : avc:  denied  { read } for  pid=6543 comm=wall name=2 dev="tmpfs" ino=3185 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(08/25/24 15:08:31.976:203) : avc:  denied  { open } for  pid=6543 comm=wall path=/run/systemd/sessions/2 dev="tmpfs" ino=3185 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(08/25/24 15:08:31.976:204) : avc:  denied  { getattr } for  pid=6543 comm=wall path=/run/systemd/sessions/2 dev="tmpfs" ino=3185 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(08/25/24 15:08:51.971:210) : avc:  denied  { read } for  pid=6673 comm=wall name=sessions dev="tmpfs" ino=1257 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(08/25/24 15:08:51.971:211) : avc:  denied  { read } for  pid=6673 comm=wall name=2 dev="tmpfs" ino=3185 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(08/25/24 15:08:51.971:212) : avc:  denied  { open } for  pid=6673 comm=wall path=/run/systemd/sessions/2 dev="tmpfs" ino=3185 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(08/25/24 15:08:51.971:213) : avc:  denied  { getattr } for  pid=6673 comm=wall path=/run/systemd/sessions/2 dev="tmpfs" ino=3185 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1
Comment 3 Fedora Update System 2024-10-02 18:44:18 UTC 
FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea
Comment 4 Fedora Update System 2024-10-03 03:38:15 UTC 
FEDORA-2024-75212378ea has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-75212378ea`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2024-10-08 01:38:35 UTC 
FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.