Bug 248248 (acpidsocketSELinux)

Summary: SELinux is preventing /usr/libexec/hald-addon-acpi (hald_t) "write" to acpid.socket (var_run_t).
Product: [Fedora] Fedora
Reporter: Thomas <tk>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WORKSFORME
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 7
Hardware: i386
OS: Linux
Last Closed: 2007-07-14 16:06:41 UTC

Description Thomas 2007-07-14 05:50:46 UTC
Description of problem:
SELinux is preventing /usr/libexec/hald-addon-acpi (hald_t) "write" to
acpid.socket (var_run_t).

Version-Release number of selected component (if applicable):
Target Context:  system_u:object_r:var_run_t
Target Objects:  acpid.socket [ sock_file ]
Affected RPM Packages:  hal-0.5.9-8.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-26.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.mislabeled_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
15:37:31 EDT 2007 i686 i686
Alert Count:  180
First Seen:  Sat 14 Jul 2007 01:35:25 AM CST
Last Seen:  Sat 14 Jul 2007 01:23:16 PM CST
Local ID:  515a3715-29fa-4740-8abe-6070330cf6c4
Line Numbers:
Raw Audit Messages:
avc: denied { write } for
comm="hald-addon-acpi" dev=dm-0 egid=68 euid=68
exe="/usr/libexec/hald-addon-acpi" exit=-13 fsgid=68 fsuid=68 gid=68 items=0
name="acpid.socket" pid=2245 scontext=system_u:system_r:hald_t:s0 sgid=68
subj=system_u:system_r:hald_t:s0 suid=68 tclass=sock_file
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=68 


Comment 1 Daniel Walsh 2007-07-14 12:42:01 UTC
The problem here is that acpid.socket is labeled incorrectly.
It should be labeled like the following:
ls -lZ /var/run/acpid.socket 
srw-rw-rw-  root root system_u:object_r:apmd_var_run_t /var/run/acpid.socket

This would indicate that acpid is running under the wrong context.

ps -eZ | grep acpid
system_u:system_r:kernel_t         50 ?        00:00:00 kacpid
system_u:system_r:apmd_t        21500 ?        00:00:00 acpid

Did you do something to start these apps outside of the init scripts?



Comment 2 Thomas 2007-07-14 16:06:41 UTC
No, I did not, except for the regular update with the Fedora update manager. I
fixed the issue by the rebooting and relabelling routine of SELinux. Frankly, I
have no idea if that is now secure or not, but the issue went away.
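
The two checks from Comment 1 (the socket's label and acpid's domain), written as an added Python example that is not part of the bug report or of any Fedora tooling. The expected types are the ones named in Comment 1; the function names and lookup tables are this example's own assumptions.

```python
import re

# Expected labels are those given in Comment 1; the lookup tables are this example's own.
EXPECTED_SOCKET_TYPE = {"acpid.socket": "apmd_var_run_t"}
EXPECTED_DOMAIN = {"acpid": "apmd_t"}

# Sample input: the report's AVC record (abridged to the fields used) and Comment 1's ps lines.
AVC = ('avc: denied { write } for comm="hald-addon-acpi" dev=dm-0 '
       'exe="/usr/libexec/hald-addon-acpi" exit=-13 name="acpid.socket" pid=2245 '
       'scontext=system_u:system_r:hald_t:s0 tclass=sock_file '
       'tcontext=system_u:object_r:var_run_t:s0')
PS = ("system_u:system_r:kernel_t         50 ?        00:00:00 kacpid\n"
      "system_u:system_r:apmd_t        21500 ?        00:00:00 acpid\n")

def se_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(record):
    """Split one AVC record into its key=value fields plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    perms = re.search(r"denied\s+\{([^}]*)\}", record)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def check_socket_label(record):
    """Compare the target type of a sock_file denial with the expected label."""
    avc = parse_avc(record)
    expected = EXPECTED_SOCKET_TYPE.get(avc.get("name"))
    if avc.get("tclass") != "sock_file" or expected is None:
        return None  # not a socket this example knows about
    actual = se_type(avc.get("tcontext", ""))
    return {"name": avc["name"], "source": se_type(avc.get("scontext", "")),
            "perms": avc["perms"], "actual": actual, "expected": expected,
            "mislabeled": actual != expected}

def check_domains(ps_output):
    """Map each known daemon in `ps -eZ` output to (domain, matches_expected)."""
    found = {}
    for line in ps_output.splitlines():
        cols = line.split()
        # Exact match on the command column, so kacpid is not mistaken for acpid.
        if len(cols) >= 5 and cols[-1] in EXPECTED_DOMAIN:
            domain = se_type(cols[0])
            found[cols[-1]] = (domain, domain == EXPECTED_DOMAIN[cols[-1]])
    return found

if __name__ == "__main__":
    print(check_socket_label(AVC), check_domains(PS))
```
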