Bug 751613

Summary: acpid fails to run pm-suspend in enforcing mode
Product: [Fedora] Fedora Reporter: cblaauw <carstenblaauw>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.10.0-56.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-20 23:59:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
output of 'ausearch -m avc'
none
ausearch -m avc -ts recent none

Description cblaauw 2011-11-06 11:04:05 UTC 
Description of problem:

When selinux is in enforcing mode the script "/etc/acpi/actions/power.sh" the machine does not suspend if power button is pressed.

The default command in power.sh is "shutdown -h now" - that does work also in enforcing mode 


Version-Release number of selected component (if applicable):
acpid 2.0.11-1.fc16.x86_64
pm-utils 1.4.1-12.fc16.x86_64
selinux-policy 3.10.0-51.fc16.x86_64
selinux-policy-targeted 3.10.0-51.fc16.x86_64



How reproducible:
Every time power button is pressed.



Steps to Reproduce:
1.install acpid

2.change 'shutdown -h now' to '/usr/sbin/pm-suspend' in '/etc/acpi/actions/power.sh'

3.reboot (or start acpid service)
4. press power button
  
Actual results:

nothing happens

Expected results:

machine goes into suspend mode

Additional info:

if you call 'setenforce 0' as root the machine does suspend when powerr button is pressed
Comment 1 Miroslav Grepl 2011-11-07 10:58:16 UTC 
What AVC are you getting?

# ausearch -m avc
Comment 2 cblaauw 2011-11-07 20:06:32 UTC 
Created attachment 532133 [details]
output of 'ausearch -m avc'
Comment 3 cblaauw 2011-11-07 20:08:46 UTC 
did not find any avc's of today, but it consistently fails to suspend with "setenforce 1"

I'm running in permissive mode right now, so it doesn't hurt too much.

Thanks,


Carsten
Comment 4 Daniel Walsh 2011-11-07 21:32:40 UTC 
allow lldpad_t initrc_state_t:file { read write };
allow lldpad_t initrc_t:shm { unix_read read write unix_write associate };


Could it be associated with this?  What process is running as initrc_t?

ps -eZ | grep initrc_t

If you execute pm-suspend as root does the machine suspend?
Comment 5 cblaauw 2011-11-07 21:40:22 UTC 
Yes pm-suspend called by root does suspend the machine even if setenforce=1
Comment 6 cblaauw 2011-11-07 21:41:35 UTC 
ps -eZ | grep initrc_t yields nothing
Comment 7 Daniel Walsh 2011-11-07 21:51:59 UTC 
Is your machine setup to suspend on closin of the laptop lid?

If yes could you execute 

# semodule -DB
# setenforce 1
Close lid,

Open the lid and run
# ausearch -m avc -ts recent

And see if there is anything that looks like it blocked suspend.

# semodule -B

Will turn off dontaudit rules.
Comment 8 cblaauw 2011-11-08 06:29:09 UTC 
It's a plain desktop actually, so no lid, are other steps I should try?


Carsten
Comment 9 Daniel Walsh 2011-11-08 17:13:15 UTC 
Well when it attempts to go to sleep see if there are any AVC's  I am not sure if there is a way to force an F16 machine to go to sleep from the desktop.
Comment 10 cblaauw 2011-11-09 09:08:59 UTC 
I'll try tonight, but as far as I remember choosing 'Suspend' from the user menu did work in any case, only the power button does not work in enforced mode.
Comment 11 cblaauw 2011-11-10 21:33:32 UTC 
calling 'pm-suspend' as non-root is not possible. But choosing 'suspend' from users menu works.
Comment 12 Daniel Walsh 2011-11-11 15:45:19 UTC 
If you hit the power button and you have dontaudit rules turned off, are you getting any AVC messages?
Comment 13 cblaauw 2011-11-11 21:33:15 UTC 
Hi,

with semodule -DB and setenforce 1 there are no avcs.
Comment 14 cblaauw 2011-11-11 21:38:24 UTC 
Maybe my avc auditing does not work, because I have not a single entry with a timestamp after my updating to F-16. I used a simple 'yum update' to do the update.

So we should get the selinux auditing working first, or verify if it working or not.
Comment 15 Daniel Walsh 2011-11-11 21:49:17 UTC 
systemctl enable auditd
systemctl start auditd
Comment 16 cblaauw 2011-11-11 21:58:06 UTC 
ok here we go...

had to be 'auditd.service' actually, but right after starting the daemon an avc popped up in sealert:

SELinux is preventing /bin/mkdir from search access on the directory pm-utils.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mkdir should be allowed search access on the pm-utils directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  system_u:system_r:apmd_t:s0
Zielkontext                   system_u:object_r:devicekit_var_run_t:s0
Zielobjekte                   pm-utils [ dir ]
Quelle                        mkdir
Quellpfad                     /bin/mkdir
Port                          <Unbekannt>
Host                          m7
RPM-Pakete der Quelle         bash-4.2.10-4.fc16
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.10.0-54.fc16
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Rechnername                   m7
Plattform                     Linux m7 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1
                              21:10:48 UTC 2011 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Fr 11 Nov 2011 22:55:25 CET
Zuletzt gesehen               Fr 11 Nov 2011 22:55:25 CET
Lokale ID                     2ceaccc3-2e64-4c8e-99a7-d4cab48d617b

Raw-Audit-Meldungen
type=AVC msg=audit(1321048525.73:8): avc:  denied  { search } for  pid=2153 comm="pm-suspend" name="pm-utils" dev=tmpfs ino=20021 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1321048525.73:8): arch=x86_64 syscall=open success=no exit=EACCES a0=e18600 a1=0 a2=1b6 a3=73012d016d017001 items=0 ppid=2146 pid=2153 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pm-suspend exe=/bin/bash subj=system_u:system_r:apmd_t:s0 key=(null)

Hash: mkdir,apmd_t,devicekit_var_run_t,dir,search

audit2allow

#============= apmd_t ==============
allow apmd_t devicekit_var_run_t:dir search;

audit2allow -R

#============= apmd_t ==============
allow apmd_t devicekit_var_run_t:dir search;
Comment 17 cblaauw 2011-11-11 22:05:23 UTC 
Created attachment 533179 [details]
ausearch -m avc -ts recent

Got some more avcs
Comment 18 Daniel Walsh 2011-11-11 22:26:18 UTC 
Miroslav this patch should fix the problem

30a07bfe2083575b5ee4863f1aa624109510f99d
Comment 19 Miroslav Grepl 2011-11-14 12:54:49 UTC 
Fixed in selinux-policy-3.10.0-56.fc16
Comment 20 Fedora Update System 2011-11-16 15:22:09 UTC 
selinux-policy-3.10.0-56.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16
Comment 21 Fedora Update System 2011-11-17 23:29:48 UTC 
Package selinux-policy-3.10.0-56.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-56.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16003/selinux-policy-3.10.0-56.fc16
then log in and leave karma (feedback).
Comment 22 Fedora Update System 2011-11-20 23:59:45 UTC 
selinux-policy-3.10.0-56.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.