Bug 249993

Field | Value
---|---
Summary | selinux denials apcupsd-3.14.1-2.fc7
Product | [Fedora] Fedora
Component | apcupsd
Version | 7
Hardware | i386
OS | Linux
Status | CLOSED DUPLICATE
Severity | low
Priority | low
Reporter | vikram goyal <vikigoyal>
Assignee | Orion Poplawski <orion>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | apcupsd-users, dwalsh
Keywords | Reopened
Fixed In Version | 3.14.2-1.fc7
Doc Type | Bug Fix
Last Closed | 2007-10-19 14:19:10 UTC

Description
vikram goyal 2007-07-29 04:16:24 UTC

Created attachment 160182
selinux denied message log for apcupsd

Looks like you've got an incorrectly labeled /var/log/apcupsd.status file. Try "restorecon -v /var/log/apcupsd.status" and see if that changes the label to apcupsd_log_t.

Dan - apcupsd will try to write /etc/nologin when power has failed to prevent further logins. It gets removed by /etc/apcupsd/apccontrol. Can this get added to policy?

apcupsd.status does not have the right context. Fixing in selinux-policy-2.6.4-30

Also adding the ability to create nologin.

apcupsd-3.14.1-2.fc7
selinux-policy-2.6.4-42.fc7
selinux-policy-targeted-2.6.4-42.fc7

Fresh selinux denials. Occur only on mains power failure. Attaching audit.log

Created attachment 199101
selinux messages ( apcupsd )on mains power failure

Created attachment 199111
selinux messages ( apcupsd ) on mains power failure

audit2allow

#============= system_mail_t ==============
allow system_mail_t apcupsd_log_t:file { read write append };
allow system_mail_t apcupsd_t:tcp_socket { read write };
allow system_mail_t apcupsd_tmp_t:file { read getattr ioctl };
allow system_mail_t usb_device_t:chr_file { read write };

Comment on attachment 199101
selinux messages ( apcupsd )on mains power failure

filed two times

These are leaked file descriptors from apcupsd, apcupsd should call
fcntl(fd, F_SETFD, FD_CLOEXEC)

On all its file descriptors before execing sendmail.

(In reply to comment #9)
> These are leaked file descriptors from apcupsd, apcupsd should call
> fcntl(fd, F_SETFD, FD_CLOEXEC)
>
> On all its file descriptors before execing sendmail.

Should be fixed in apcupsd-3.14.2 which includes code to close all open fds before exec'ing apccontrol.

apcupsd-3.14.2-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update apcupsd'

apcupsd-3.14.2-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

After updating apcupsd to version apcupsd-3.14.2-1.fc7 as suggested, I relabeled the system on boot. Below are the avc messages generated after power failure.

#============================================================================
type=AVC msg=audit(1192689949.385:62): avc: denied { read } for pid=5795 comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1192689949.392:63): avc: denied { getattr } for pid=5795 comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1192689949.399:64): avc: denied { ioctl } for pid=5795 comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
#=============================================================================

Running audit2allow, I get this result.
#=============================================================================
#============= system_mail_t ==============
allow system_mail_t apcupsd_tmp_t:file { read getattr ioctl };
#=============================================================================

Thanks!

*** This bug has been marked as a duplicate of 247162 ***
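
The fix suggested in the comments above (mark the daemon's descriptors close-on-exec before exec'ing sendmail), as an added example that is not part of this bug report or of apcupsd's source. The function names and the pipe used as a stand-in for the daemon's log and socket descriptors are assumptions made for illustration.

```c
/* Added example: hypothetical helpers, not apcupsd source code. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 = open and inherited across exec, 0 = open and close-on-exec, -1 = not open. */
int inherited_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Set FD_CLOEXEC while keeping any other descriptor flags. 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Mark every open descriptor in [lowfd, highfd) close-on-exec.
 * Returns how many descriptors were changed, or -1 on the first failure.
 * Pass lowfd = 3 to leave stdin/stdout/stderr available to the child. */
int cloexec_range(int lowfd, int highfd)
{
    int changed = 0;
    for (int fd = lowfd; fd < highfd; fd++) {
        if (inherited_on_exec(fd) != 1)
            continue;               /* closed, or already close-on-exec */
        if (set_cloexec(fd) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    int p[2];                       /* constructed stand-in for a daemon's log/socket fds */
    if (pipe(p) == -1)
        return 1;
    printf("before: fd %d inherited=%d\n", p[0], inherited_on_exec(p[0]));
    printf("changed %d descriptors\n", cloexec_range(3, p[1] + 1));
    printf("after:  fd %d inherited=%d\n", p[0], inherited_on_exec(p[0]));
    return 0;                       /* an exec() here would no longer pass p[] to the child */
}
```

With the flag set, the exec'd mail helper never receives the descriptors, so the system_mail_t accesses to apcupsd_* types that audit2allow proposed allowing do not occur in the first place.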