Bug 1047535 - selinux preventing proper operation of apcupsd
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: All
OS: Linux
unspecified
medium
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-12-31 15:23 UTC by Bill Gianopoulos
Modified: 2024-02-09 06:00 UTC

Last Closed: 2014-05-03 10:05:10 UTC
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1064099 0 unspecified CLOSED apcupsd uses /etc/apcupsd as its lock dir, even though /var/lock exists 2021-02-22 00:41:40 UTC

Internal Links: 1064099

Description Bill Gianopoulos 2013-12-31 15:23:11 UTC
I am not sure if this should be filed under apcupsd or selinux, but apcupsd fails to properly power off the UPS on the powerfail condition because selinux is preventing it from creating and writing to the /etc/apcupsd/powerfial file.

I have added the following policy based on the selinux troubleshooter help:

module mypol 1.0;

require {
	type etc_t;
	type apcupsd_t;
	type power_unit_file_t;
	class service status;
	class file { write create };
}

#============= apcupsd_t ==============
allow apcupsd_t etc_t:file { write create };
allow apcupsd_t power_unit_file_t:service status;

Comment 1 Bill Gianopoulos 2013-12-31 15:53:48 UTC
I should have made it more clear that adding that policy corrects the issue.  Although I have a fix, I should not be required to do this.  Installing apcupsd on a system with selinux should result in this policy being enabled by default.

Comment 2 Bill Gianopoulos 2013-12-31 17:01:16 UTC
Oh, and I did mean /etc/apcupsd/powerfail

Comment 3 Daniel Walsh 2014-01-02 22:50:10 UTC
Could you attach the original AVCs?

We want to label /etc/apcupsd/powerfail with something other than etc_t and then allow access to it.

apcupsd maintainers, why is apcupsd writing to /etc/apcupsd directory?  /etc should be considered read only from the daemon's point of view.

3ddf9bd44bc938651877ff1605bcd1122b5ff7ba and
abef9364bdb70226d536eda105a1318fbff32721 in git allow the status of the power unit file.

Comment 4 Bill Gianopoulos 2014-01-02 23:06:15 UTC
This is where it writes the file that causes the power off of the UPS during shutdown.  Not saying a better location might not be advisable.

Comment 5 Daniel Walsh 2014-01-03 18:08:08 UTC
Could it be written to /run?  Or does it need to be on disk?  If not could we put it in /var/lib/apcupsd/poweoff?

Comment 6 Bill Gianopoulos 2014-01-03 18:34:57 UTC
I have no idea. This is the file that evidently the kernel looks at to determine that after system is down to tell the UPS to turn itself off.  Not at all sure how this works.

Comment 7 Daniel Walsh 2014-01-03 20:03:01 UTC
Waiting for the package maintainer to respond.  Thanks, Bill.

Comment 8 Michal Hlavinka 2014-01-06 10:27:31 UTC
(In reply to Daniel Walsh from comment #5)
> Could it be written to /run?  Or does it need to be on disk?  If not could
> we put it in /var/lib/apcupsd/poweoff?

No, this is flag file and is basically part of the API

Comment 9 Daniel Walsh 2014-01-06 19:42:21 UTC
Michal what would happen if the /etc was read/only?

Comment 10 Daniel Walsh 2014-01-06 19:46:35 UTC
3593a02d6cbf68e4c2411ffd01ae5871b185aafa fixes this in git.

Comment 11 Michal Hlavinka 2014-01-08 09:34:25 UTC
(In reply to Daniel Walsh from comment #9)
> Michal what would happen if the /etc was read/only?

The same problem as in this bug description. Computer would shut down, but UPS would not turn off.

Comment 12 Jorge Fábregas 2014-01-08 22:58:07 UTC
I just bumped into this.  Is the fix available on updates-testing?

Comment 13 Adam Williamson 2014-02-21 17:46:46 UTC
Is this causing https://bugzilla.redhat.com/show_bug.cgi?id=1064099 ?

Comment 14 Adam Williamson 2014-02-27 19:33:34 UTC
Michal: I rather disagree with "No, this is flag file and is basically part of the API".

apcupsd's build process explicitly makes the location configurable and even puts it in different places on different platforms. Extracts from apcupsd configure:

-----

# set the default PWRFAILDIR
PWRFAILDIR=${sysconfdir}

...

# Now we set appropriate distribution specific
#  variables and defaults

case "$DISTNAME" in
...
freebsd)
...
   PWRFAILDIR=/var/run
...
sun)
   PWRFAILDIR=/etc

...

# now allow user to specify PWRFAILDIR

# Check whether --with-pwrfail-dir or --without-pwrfail-dir was given.
if test "${with_pwrfail_dir+set}" = set; then
  withval="$with_pwrfail_dir"
  PWRFAILDIR="$withval";
fi;

-----

The apcupsd build process really doesn't appear to support your assertion that the location of this file is extremely fixed.

Comment 15 Miroslav Grepl 2014-02-28 12:05:11 UTC
*** Bug 1070961 has been marked as a duplicate of this bug. ***

Comment 16 Michal Hlavinka 2014-04-01 12:01:01 UTC
(In reply to Adam Williamson from comment #14)
> Michal: I rather disagree with "No, this is flag file and is basically part
> of the API".
> 
> apcupsd's build process explicitly makes the location configurable 

Configurable is also location of nologin flag file yet it has to be in /etc/nologin

apcupsd can change file location and it will know about it, but others won't. Internal api changes are fine, external are not.

I will not change the location of the file. apcupsd needs /etc/ writeable for nologin anyway, so this does not create any extra requirement.

Comment 17 Daniel Walsh 2014-05-03 10:05:10 UTC
sesearch -T -s apcupsd_t -t etc_t

Found 2 named file transition filename_trans:
type_transition apcupsd_t etc_t : file apcupsd_power_t "powerfail"; 
type_transition apcupsd_t etc_t : file etc_runtime_t "nologin"; 

Here are the two files that SELinux will allow apcupsd_t to write, which is fine.  But I still think we need to start moving tools to use /run rather than /etc/ for runtime flags.
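
Added example (not part of the bug report or of selinux-policy): a small Python model of how the two named file transitions shown in comment 17 decide the label of a file that apcupsd_t creates in an etc_t directory. It assumes only those two rules exist and models the labeling decision alone, not the allow rules on the resulting types; the function names are hypothetical.

```python
import re

# The two rules as printed by sesearch in comment 17.
SESEARCH_OUTPUT = '''
type_transition apcupsd_t etc_t : file apcupsd_power_t "powerfail";
type_transition apcupsd_t etc_t : file etc_runtime_t "nologin";
'''

RULE_RE = re.compile(
    r'type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)\s+"([^"]+)"\s*;')


def parse_named_transitions(text):
    """Map (source domain, parent dir type, class, file name) -> new type."""
    rules = {}
    for src, parent, tclass, new_type, name in RULE_RE.findall(text):
        rules[(src, parent, tclass, name)] = new_type
    return rules


def label_for_new_file(rules, domain, parent_type, tclass, name):
    """Type a newly created object receives under this simplified model.

    A named transition applies only when the last path component matches
    exactly; otherwise the object inherits the parent directory's type.
    """
    return rules.get((domain, parent_type, tclass, name), parent_type)


def needs_etc_t_write(rules, domain, name):
    """True if the new file would stay etc_t, so writing it would require
    the broad etc_t:file rule from the local module in the description."""
    return label_for_new_file(rules, domain, "etc_t", "file", name) == "etc_t"


if __name__ == "__main__":
    rules = parse_named_transitions(SESEARCH_OUTPUT)
    # Constructed file names: the two flag files, the misspelling from the
    # description, and an ordinary configuration file.
    for name in ("powerfail", "nologin", "powerfial", "apcupsd.conf"):
        label = label_for_new_file(rules, "apcupsd_t", "etc_t", "file", name)
        print(f"{name:14} -> {label}")
```

Only the exact names "powerfail" and "nologin" leave etc_t; every other file name keeps the directory's type, so the policy fix does not give apcupsd_t general write access to /etc the way the reporter's local module did.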

Comment 18 Andrew G. Morgan 2024-02-08 14:39:51 UTC
Using Fedora 39, when the APC runs out of power, this /etc/nologin file is being created with the content POWER FAILURE. Nothing in the subsequent power on sequence removes this file, so users are unable to log in after power has been restored. On a machine with no root password, I've not found a way to log in without resorting to a live ISO image.

Comment 19 Adam Williamson 2024-02-08 15:58:28 UTC
That seems like a different (though bad!) bug. Could you file it as a new bug, please?

BTW, to log in in situations like this, boot with systemd.debug-shell=1. That should give you a root console on tty9, no password required.

Comment 20 Andrew G. Morgan 2024-02-09 06:00:38 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2263467

