Bug 1122203 - SELinux denies NUT upsmon to send wall messages
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-07-22 18:51 UTC by Felix Kaechele
Modified: 2014-09-09 22:24 UTC

Fixed In Version: selinux-policy-3.12.1-183.fc20
Doc Type: Bug Fix
Last Closed: 2014-09-09 22:24:13 UTC
Type: Bug

Description Felix Kaechele 2014-07-22 18:51:41 UTC
Description of problem:
SELinux prevents NUT's upsmon from sending wall messages

Version-Release number of selected component (if applicable):
selinux-policy{,-targeted}-3.12.1-177.fc20.noarch

How reproducible:
In Permissive or Enforcing SELinux mode

Steps to Reproduce:
1. Disconnect UPS from mains
2. upsmon tries to send a wall message
3. SELinux appears largely unsupportive of upsmon's efforts

Actual results:
No wall broadcast is sent.

Expected results:
Wall broadcast should be sent.

Additional info:
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { write open } for  pid=4481 comm="wall" path="/tmp/wall.KIStu7" dev="tmpfs" ino=3423646 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { create } for  pid=4481 comm="wall" name="wall.KIStu7" scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { add_name } for  pid=4481 comm="wall" name="wall.KIStu7" scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { write } for  pid=4481 comm="wall" name="/" dev="tmpfs" ino=12736 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1406020318.939:104871): avc:  denied  { unlink } for  pid=4481 comm="wall" name="wall.KIStu7" dev="tmpfs" ino=3423646 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1406020318.939:104871): avc:  denied  { remove_name } for  pid=4481 comm="wall" name="wall.KIStu7" dev="tmpfs" ino=3423646 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
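
The denials above, grouped by source type, target type and object class so the full set of blocked permissions can be read at a glance. This is an added example, not part of the original report or of the selinux-policy project; the function names are hypothetical and the input is the six records quoted in the report.

```python
import re
from collections import defaultdict

# The six AVC records quoted in the report above.
SAMPLE = """
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { write open } for  pid=4481 comm="wall" path="/tmp/wall.KIStu7" dev="tmpfs" ino=3423646 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { create } for  pid=4481 comm="wall" name="wall.KIStu7" scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { add_name } for  pid=4481 comm="wall" name="wall.KIStu7" scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1406020318.939:104870): avc:  denied  { write } for  pid=4481 comm="wall" name="/" dev="tmpfs" ino=12736 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1406020318.939:104871): avc:  denied  { unlink } for  pid=4481 comm="wall" name="wall.KIStu7" dev="tmpfs" ino=3423646 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1406020318.939:104871): avc:  denied  { remove_name } for  pid=4481 comm="wall" name="wall.KIStu7" dev="tmpfs" ino=3423646 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials as {(source_type, target_type, tclass): set_of_permissions}."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def render(summary):
    """Show each group in allow-rule notation, for reading rather than loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

def generic_tmp_writers(summary):
    """Domains creating or writing objects labelled with the generic tmp_t type.
    Granting that on tmp_t itself would cover every tmp_t object, not one file."""
    return sorted({s for (s, t, _), p in summary.items()
                   if t == "tmp_t" and p & {"create", "write", "add_name"}})

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print("\n".join(render(summary)))
    print("writes to generic tmp_t:", generic_tmp_writers(summary))
```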

Comment 1 Miroslav Grepl 2014-09-01 10:59:14 UTC
commit f2aa4b2a5a10445eeff4489d117c4f505893f4cc
Author: Miroslav Grepl <mgrepl>
Date:   Mon Sep 1 12:57:02 2014 +0200

    Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface

Comment 2 Fedora Update System 2014-09-04 11:33:57 UTC
selinux-policy-3.12.1-183.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-183.fc20

Comment 3 Fedora Update System 2014-09-09 22:24:13 UTC
selinux-policy-3.12.1-183.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
