| Summary: | SELinux is preventing /sbin/upsdrvctl from using the 'signal' accesses on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nikita Bige <bignikita> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:8de96967a8c208eb1dea99f6cf0299a9132ac0395f76318e15b04d1e0a616d57 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-02-24 21:53:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Did you execute some of nut service directly? I mean without using service script. # ps -eZ | grep ups # ps -eZ | grep ups system_u:system_r:cupsd_t:s0-s0:c0.c1023 1533 ? 00:00:03 cupsd unconfined_u:system_r:nut_upsdrvctl_t:s0 6038 ? 00:00:00 blazer_usb unconfined_u:system_r:nut_upsd_t:s0 6041 ? 00:00:00 upsd unconfined_u:system_r:nut_upsmon_t:s0 6044 ? 00:00:00 upsmon unconfined_u:system_r:nut_upsmon_t:s0 6046 ? 00:00:00 upsmon I can't reproduce this alert, may be it heppened when because I execute upsdrvctl directly (In reply to comment #2) > > I can't reproduce this alert, may be it heppened when because I execute > upsdrvctl directly Yes, good catch. This is a reason why you saw this issue. Since then upsdrvctl was running in the unconfined_t domain which is wrong domain for this service. |
SELinux is preventing /sbin/upsdrvctl from using the 'signal' accesses on a process. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that upsdrvctl should be allowed signal access on processes labeled unconfined_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep upsdrvctl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:nut_upsdrvctl_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects Unknown [ process ] Source upsdrvctl Source Path /sbin/upsdrvctl Port <Unknown> Host (removed) Source RPM Packages nut-2.4.3-7.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-29.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Wed 23 Feb 2011 11:08:40 AM MSK Last Seen Wed 23 Feb 2011 11:08:40 AM MSK Local ID 03e10177-e5c6-4001-88e2-99d35ba758f4 Raw Audit Messages type=AVC msg=audit(1298448520.372:339): avc: denied { signal } for pid=3332 comm="upsdrvctl" scontext=unconfined_u:system_r:nut_upsdrvctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1298448520.372:339): arch=x86_64 syscall=kill success=yes exit=0 a0=6770 a1=f a2=0 a3=7fff4a8aca70 items=0 ppid=3320 pid=3332 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm=upsdrvctl exe=/sbin/upsdrvctl subj=unconfined_u:system_r:nut_upsdrvctl_t:s0 key=(null) Hash: upsdrvctl,nut_upsdrvctl_t,unconfined_t,process,signal audit2allow #============= nut_upsdrvctl_t ============== allow nut_upsdrvctl_t unconfined_t:process signal; audit2allow -R #============= nut_upsdrvctl_t ============== allow nut_upsdrvctl_t unconfined_t:process signal;