Bug 826412
| Summary: | SELinux is preventing acpid from read access on the lnk_file /var/lock. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Germano Massullo <germano.massullo> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-05-30 13:08:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The tool told you what to do. restorecon -v /var/lock |
Description of problem: After I upgraded to Fedora 17, I started having the following warning SELinux is preventing acpid from read access on the lnk_file /var/lock. ***** Plugin restorecon (94.8 confidence) suggests ************************* If si desidera sistemare l'etichetta. L'etichetta predefinita di /var/lock dovrebbe essere var_lock_t. Then è possibile avviare restorecon. Do # /sbin/restorecon -v /var/lock ***** Plugin catchall_labels (5.21 confidence) suggests ******************** If you want to allow acpid to have read access on the lock lnk_file Then e' necessario modificare l'etichetta su /var/lock Do # semanage fcontext -a -t TIPO_FILE '/var/lock' dove TIPO_FILE è uno dei seguenti: var_run_t, mta_exec_type, device_t, etc_runtime_t, domain, abrt_t, ld_so_t, lib_t, proc_t, root_t, udev_var_run_t, exec_type, modules_conf_t, var_run_t, var_run_t, textrel_shlib_t, rpm_script_tmp_t, cgroup_t, device_t, devlog_t, hwdata_t, locale_t, var_lock_t, apmd_t, bin_t, etc_t, init_t, ld_so_t, lib_t, proc_t, sysfs_t, udev_t, var_run_t, cert_t, etc_t, device_t, var_run_t, var_run_t, var_run_t, cgroup_t, init_t, init_t. Quindi eseguire: restorecon -v '/var/lock' ***** Plugin catchall (1.44 confidence) suggests *************************** If si crede che acpid dovrebbe avere possibilità di accesso read sui lock lnk_file in modo predefinito. Then si dovrebbe riportare il problema come bug. E' possibile generare un modulo di politica locale per consentire questo accesso. Do consentire questo accesso per il momento eseguendo: # grep acpid /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:apmd_t:s0 Target Context system_u:object_r:var_t:s0 Target Objects /var/lock [ lnk_file ] Source acpid Source Path acpid Port <Sconosciuto> Host Portatile Source RPM Packages Target RPM Packages filesystem-3-2.fc17.i686 Policy RPM selinux-policy-3.10.0-125.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name Portatile Platform Linux Portatile 3.3.7-1.fc17.i686 #1 SMP Mon May 21 22:50:24 UTC 2012 i686 i686 Alert Count 2 First Seen mer 30 mag 2012 08:58:14 CEST Last Seen mer 30 mag 2012 08:58:14 CEST Raw Audit Messages type=AVC msg=audit(1338361094.518:69): avc: denied { read } for pid=670 comm="acpid" name="lock" dev="dm-0" ino=8575 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file Hash: acpid,apmd_t,var_t,lnk_file,read audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied