Description of problem: SELinux is preventing /usr/sbin/apcupsd from using the 'signull' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If vous pensez que apcupsd devrait être autorisé à accéder signull sur les processus étiquetés sshd_keygen_t par défaut. Then vous devriez rapporter ceci en tant qu'anomalie. Vous pouvez générer un module de stratégie local pour autoriser cet accès. Do autoriser cet accès pour le moment en exécutant : # grep apcupsd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:apcupsd_t:s0 Target Context system_u:system_r:sshd_keygen_t:s0 Target Objects [ process ] Source apcupsd Source Path /usr/sbin/apcupsd Port <Unknown> Host (removed) Source RPM Packages apcupsd-3.14.11-1.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-127.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.13.3-201.fc20.x86_64 #1 SMP Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-02-27 20:47:17 CET Last Seen 2014-02-27 20:47:17 CET Local ID 3e5c7e37-e0c4-4549-a789-ebb40473c15a Raw Audit Messages type=AVC msg=audit(1393530437.742:356): avc: denied { signull } for pid=1284 comm="apcupsd" scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:system_r:sshd_keygen_t:s0 tclass=process type=SYSCALL msg=audit(1393530437.742:356): arch=x86_64 syscall=kill success=yes exit=0 a0=4ff a1=0 a2=504 a3=4ff items=0 ppid=1 pid=1284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=apcupsd exe=/usr/sbin/apcupsd subj=system_u:system_r:apcupsd_t:s0 key=(null) Hash: apcupsd,apcupsd_t,sshd_keygen_t,process,signull Additional info: reporter: libreport-2.1.12 hashmarkername: setroubleshoot kernel: 3.13.3-201.fc20.x86_64 type: libreport
Why would apcupsd want to check sshd_keygen_t process?
I think it sends signull to every process on the system.
(In reply to Miroslav Grepl from comment #1) > Why would apcupsd want to check sshd_keygen_t process? /* * Okay, now we have a stalepid to check. * kill(pid,0) checks to see if the process is still running. */ if (kill(stalepid, 0) == -1 .... It's a check for stale pid file. Similar to bug #843631
commit 2b37e8083b2b09c2fec7e892a6004005024f6b33 fixes this in git.
selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20
Package selinux-policy-3.12.1-161.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20 then log in and leave karma (feedback).
Package selinux-policy-3.12.1-163.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-163.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.