| Summary: | SELinux is preventing /sbin/apcupsd from 'read' accesses on the file LCK..ttyS0. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Griffiths <fedora.jrg01> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:1396ae768433cf55cbf6a24607aca771d1aee05fe2bd7ba2bc9de59f78ad377f | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-12 16:49:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Had to keep adding to the policy to get apcupsd to run correctly using an UPS with a serial port for monitory.
Yes, I know serial ports are going the way of the dodo, but the UPS is working, not cheap, and until it fails, there is no reason to replace it.
The finale version of the policy is:
module localApcupsd 1.0;
require {
type var_lock_t;
type apcupsd_t;
class file { read unlink open };
}
#============= apcupsd_t ==============
allow apcupsd_t var_lock_t:file { read unlink open };
monitory -> monitoring As a note, this just stated happening with the update to selinux-policy-targeted-3.9.16-32.fc15.noarch. Prior to that apcupsd worked with the serial port just fine. John, could you turn on full auditing system # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules # service auditd restart and disable your local policy # semodule -d localApcupsd and retest it. That will have to wait a couple of hours but will do. OK. I give up. It is working just fine. Any explanation available?
I did:
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart
# semodule -d localApcupsd
# systemctl restart apcupsd.service
# systemctl status apcupsd.service
apcupsd.service - LSB: apcupsd daemon
Loaded: loaded (/etc/rc.d/init.d/apcupsd)
Active: active (running) since Mon, 11 Jul 2011 19:37:28 -0400; 15s ago
Process: 9142 ExecStop=/etc/rc.d/init.d/apcupsd stop (code=exited, status=0/SUCCESS)
Process: 9154 ExecStart=/etc/rc.d/init.d/apcupsd start (code=exited, status=0/SUCCESS)
Main PID: 9161 (apcupsd)
CGroup: name=systemd:/system/apcupsd.service
└ 9161 /sbin/apcupsd -f /etc/apcupsd/apcupsd.conf
Which is exactly what I would expect.
I removed the "-w /etc/shadow -p w" from /etc/audit/audit.rules and restarted auditd and apcupsd and still fine. Then I removed the policy
# semodule -r localApcupsd
and restarted apcupsd and still all OK.
So I am stumped. I am not in the habit of filing bugs to have people chase phantoms, but the AVC was real and apcupsd really would not start correctly.
What is the current context of "LCK..ttyS0"? # ls -Z /run/lock/LCK* -rw-r--r--. root root system_u:object_r:apcupsd_lock_t:s0 /run/lock/LCK..ttyS0 I would guess one run of apcupsd ran without transition for some reason,causing the LCK file to be mislabelled. Perhaps you ran it directly? Then later the file got destroyed recreated with the correct context. Which you are seeing now. If you can recreate this please reopen the bug. Did not ever start apcupsd directly. When I do stop, start, or restart, I use systemctl or one of the init.d scripts. This occurred when I did an update using yum. apcupsd was running normally. Yum did the update and a new selinux policy came down. At the end of the update, I got an email from a apcupsd slave server that it had lost contact with the master. When I checked the status of apcupsd on the master, it had exited. When I tried to restart, it would not start and sealert gave me the original report of the denial to LCK..ttyS0. Oh well, glad it is working. Meaning something in the update might have modified the apcupsd process, was their an apcupsd package update? Yes there was.
# diff rpms.fc15.201107091148 rpms.test | grep apc
< apcupsd-cgi~Fedora Project~x86-09.phx2.fedoraproject.org~7.fc15~apcupsd-cgi-3.14.8-7.fc15
< apcupsd~Fedora Project~x86-09.phx2.fedoraproject.org~7.fc15~apcupsd-3.14.8-7.fc15
< apcupsd-gui~Fedora Project~x86-09.phx2.fedoraproject.org~7.fc15~apcupsd-gui-3.14.8-7.fc15
> apcupsd-cgi~Fedora Project~x86-07.phx2.fedoraproject.org~8.fc15~apcupsd-cgi-3.14.8-8.fc15
> apcupsd~Fedora Project~x86-07.phx2.fedoraproject.org~8.fc15~apcupsd-3.14.8-8.fc15
> apcupsd-gui~Fedora Project~x86-07.phx2.fedoraproject.org~8.fc15~apcupsd-gui-3.14.8-8.fc15
|
SELinux is preventing /sbin/apcupsd from 'read' accesses on the file LCK..ttyS0. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that apcupsd should be allowed read access on the LCK..ttyS0 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep apcupsd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:apcupsd_t:s0 Target Context system_u:object_r:var_lock_t:s0 Target Objects LCK..ttyS0 [ file ] Source apcupsd Source Path /sbin/apcupsd Port <Unknown> Host (removed) Source RPM Packages apcupsd-3.14.8-8.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.8-32.fc15.i686.PAE #1 SMP Mon Jun 13 19:55:27 UTC 2011 i686 i686 Alert Count 3 First Seen Sat 09 Jul 2011 02:39:49 PM EDT Last Seen Sat 09 Jul 2011 02:39:49 PM EDT Local ID e8f5919b-1643-4143-ac98-9d7c47cf906c Raw Audit Messages type=AVC msg=audit(1310236789.246:25726): avc: denied { read } for pid=1356 comm="apcupsd" name="LCK..ttyS0" dev=tmpfs ino=20493 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file type=SYSCALL msg=audit(1310236789.246:25726): arch=i386 syscall=open success=no exit=EACCES a0=8d74188 a1=0 a2=a4 a3=3 items=0 ppid=1 pid=1356 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=apcupsd exe=/sbin/apcupsd subj=system_u:system_r:apcupsd_t:s0 key=(null) Hash: apcupsd,apcupsd_t,var_lock_t,file,read audit2allow #============= apcupsd_t ============== allow apcupsd_t var_lock_t:file read; audit2allow -R #============= apcupsd_t ============== allow apcupsd_t var_lock_t:file read;