Bug 244525

Summary: SELinux apcupsd denial for execution of apccontrol
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Anthony Messina <amessina>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-14 11:57:06 UTC

Description Anthony Messina 2007-06-16 17:43:15 UTC
Description of problem:
SELinux prevents apcupsd from executing apccontrol in enforcing mode

Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Hold the battery test button on your APC UPS while running apcupsd and
SELinux in enforcing mode.
2. Watch the apcupsd logs and sealert
  
Actual results:
Summary
    SELinux is preventing /usr/sbin/apcupsd (apcupsd_t) "execute" to apccontrol
    (bin_t).     

Source Context                system_u:system_r:apcupsd_t
Target Context                system_u:object_r:bin_t
Target Objects                apccontrol [ file ]
Affected RPM Packages         apcupsd-3.14.1-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-14.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Platform                      Linux 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 14:56:37 EDT
                              2007 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 16 Jun 2007 12:27:04 PM CDT
Last Seen                     Sat 16 Jun 2007 12:27:10 PM CDT
Local ID                      f4619676-d470-40a1-ac84-97fabbc96456
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm="apcupsd" dev=sda2 egid=0 euid=0
exe="/usr/sbin/apcupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="apccontrol"
pid=7387 scontext=system_u:system_r:apcupsd_t:s0 sgid=0
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0

Expected results:
I know this has been a difficult area and that the maintainer of apcupsd is to
be working on moving those executables out of /etc/apcupsd.

Anyway, this occurred during a test of the battery.  No tty messages were sent
and I get a permission denied error for apccontrol, which means that if the
power failed and the battery ran out, it wouldn't shut down the machine.

I'm hoping we can get this to work as my power is a bit unreliable in the summer.

Comment 1 Daniel Walsh 2007-08-14 11:57:06 UTC
Fixed in current release.
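
For triaging the raw audit message quoted in the description, here is an added example (not part of the original report and not the policy change that closed it) that parses the line-wrapped AVC record and states the denial as a type-enforcement rule. The function names are hypothetical; the sample text is copied from the report.

```python
import re

# Raw audit message as quoted in the bug description (sealert wraps it across lines).
SAMPLE = """\
avc: denied { execute } for comm="apcupsd" dev=sda2 egid=0 euid=0
exe="/usr/sbin/apcupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="apccontrol"
pid=7387 scontext=system_u:system_r:apcupsd_t:s0 sgid=0
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial found in text (records may be line-wrapped)."""
    records = []
    # Split before each "avc: denied" so wrapped continuation lines stay with their record.
    for chunk in re.split(r"(?=avc:\s+denied)", text):
        m = AVC_RE.search(chunk)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        fields["perms"] = m.group(1).split()
        records.append(fields)
    return records

def context_type(ctx):
    """The type is the third field of user:role:type[:level]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return parts[2]

def describe(rec):
    """State a denial as the allow rule the loaded policy does not contain."""
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    perms = rec["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{rec['tclass']} {perm_s};"

if __name__ == "__main__":
    for rec in parse_avc(SAMPLE):
        print(f"{rec['exe']} ({rec['comm']}) -> {rec['name']}, exit={rec['exit']}")
        print("denied access:", describe(rec))
```

The printed rule only restates what was denied; whether to grant it, or to relabel the target file instead, is a policy decision the report does not record.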