Bug 249993

Summary: selinux denials apcupsd-3.14.1-2.fc7
Product: [Fedora] Fedora
Component: apcupsd
Version: 7
Hardware: i386
OS: Linux
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Keywords: Reopened
Reporter: vikram goyal <vikigoyal>
Assignee: Orion Poplawski <orion>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: apcupsd-users, dwalsh
Fixed In Version: 3.14.2-1.fc7
Doc Type: Bug Fix
Last Closed: 2007-10-19 14:19:10 UTC

Attachments:
- selinux denied message log for apcupsd (flags: none)
- selinux messages ( apcupsd )on mains power failure (flags: none)
- selinux messages ( apcupsd ) on mains power failure (flags: none)

Description vikram goyal 2007-07-29 04:16:24 UTC
Description of problem:


Version-Release number of selected component (if applicable):
apcupsd-3.14.1-2.fc7
selinux-policy-2.6.4-28.fc7
selinux-policy-targeted-2.6.4-28.fc7


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 vikram goyal 2007-07-29 04:16:25 UTC
Created attachment 160182 [details]
selinux denied message log for apcupsd

Comment 2 Orion Poplawski 2007-07-30 15:28:14 UTC
Looks like you've got an incorrectly labeled /var/log/apcupsd.status file.  Try
"restorecon -v /var/log/apcupsd.status" and see if that changes the label to
apcupsd_log_t.

Dan -

  apcupsd will try to write /etc/nologin when power has failed to prevent
further logins.  It gets removed by /etc/apcupsd/apccontrol.  Can this get added
to policy?

Comment 3 Daniel Walsh 2007-07-30 15:43:49 UTC
apcupsd.status does not have the right context.

Fixing in selinux-policy-2.6.4-30

Also adding the ability to create nologin.

Comment 4 vikram goyal 2007-09-19 02:59:52 UTC
apcupsd-3.14.1-2.fc7
selinux-policy-2.6.4-42.fc7
selinux-policy-targeted-2.6.4-42.fc7

Fresh selinux denials. Occur only on mains power failure. Attaching audit.log

Comment 5 vikram goyal 2007-09-19 03:02:29 UTC
Created attachment 199101 [details]
selinux messages ( apcupsd )on mains power failure

Comment 6 vikram goyal 2007-09-19 03:02:29 UTC
Created attachment 199111 [details]
selinux messages ( apcupsd ) on mains power failure

Comment 7 vikram goyal 2007-09-19 03:04:04 UTC
audit2allow

#============= system_mail_t ==============
allow system_mail_t apcupsd_log_t:file { read write append };
allow system_mail_t apcupsd_t:tcp_socket { read write };
allow system_mail_t apcupsd_tmp_t:file { read getattr ioctl };
allow system_mail_t usb_device_t:chr_file { read write };


Comment 8 vikram goyal 2007-09-19 03:05:29 UTC
Comment on attachment 199101 [details]
selinux messages ( apcupsd )on mains power failure

filed two times

Comment 9 Daniel Walsh 2007-09-22 11:59:58 UTC
These are leaked file descriptors from apcupsd,  apcupsd should call 
fcntl(fd, F_SETFD, FD_CLOEXEC)

On all its file descriptors before execing sendmail.

Comment 10 Adam Kropelin 2007-09-22 12:24:38 UTC
(In reply to comment #9)
> These are leaked file descriptors from apcupsd,  apcupsd should call 
> fcntl(fd, F_SETFD, FD_CLOEXEC)
> 
> On all its file descriptors before execing sendmail.

Should be fixed in apcupsd-3.14.2 which includes code to close all open fds
before exec'ing apccontrol.
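
Comments 9 and 10 attribute the denials to descriptors that sendmail inherited from apcupsd. The C code below is an added example, not apcupsd's code (which, per comment 10, closes its descriptors instead): it sets FD_CLOEXEC on every open descriptor and audits what would still cross an exec. The function names and SCAN_LIMIT are assumptions of the example.

```c
/* Added example, not apcupsd source: mark descriptors close-on-exec so a helper
 * such as sendmail cannot inherit the daemon's log, socket or device handles. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#define SCAN_LIMIT 65536L  /* assumption: highest fd number this example scans */

static long scan_end(void) {
    long max = sysconf(_SC_OPEN_MAX);
    return (max < 0 || max > SCAN_LIMIT) ? SCAN_LIMIT : max;
}

/* Set FD_CLOEXEC while preserving any other descriptor flags. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;                       /* EBADF: fd is not open */
    return (flags & FD_CLOEXEC) ? 0 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Audit: count open descriptors >= lowfd that would survive an exec. */
int count_inheritable_from(int lowfd) {
    int n = 0;
    for (long fd = lowfd, end = scan_end(); fd < end; fd++) {
        int flags = fcntl((int)fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Mark every open descriptor >= lowfd; returns how many are open, -1 on error. */
int cloexec_all_from(int lowfd) {
    int marked = 0;
    for (long fd = lowfd, end = scan_end(); fd < end; fd++) {
        if (set_cloexec((int)fd) == 0)
            marked++;
        else if (errno != EBADF)
            return -1;
    }
    return marked;
}

int main(void) {
    int log_fd = open("/dev/null", O_WRONLY);  /* stands in for the status log */
    if (log_fd < 0 || count_inheritable_from(3) < 1 || cloexec_all_from(3) < 0)
        return 1;
    return count_inheritable_from(3) == 0 ? 0 : 1;  /* nothing crosses exec now */
}
```

Running count_inheritable_from(3) immediately before the fork/exec of a helper gives a quick check that no descriptor above stderr is handed to a process in another SELinux domain.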

Comment 11 Fedora Update System 2007-10-11 22:55:16 UTC
apcupsd-3.14.2-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update apcupsd'

Comment 12 Fedora Update System 2007-10-18 02:29:37 UTC
apcupsd-3.14.2-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 vikram goyal 2007-10-18 06:56:07 UTC
After updating apcupsd to version apcupsd-3.14.2-1.fc7 as suggested, I relabeled
the system on boot. Below are the avc messages generated after power failure.

#============================================================================
type=AVC msg=audit(1192689949.385:62): avc:  denied  { read } for  pid=5795
comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1192689949.392:63): avc:  denied  { getattr } for  pid=5795
comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1192689949.399:64): avc:  denied  { ioctl } for  pid=5795
comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
#=============================================================================


Running audit2allow, I get this result.

#=============================================================================
#============= system_mail_t ==============
allow system_mail_t apcupsd_tmp_t:file { read getattr ioctl };
#=============================================================================

Thanks!

Comment 14 Orion Poplawski 2007-10-19 14:19:10 UTC

*** This bug has been marked as a duplicate of 247162 ***