Bug 1175934 - SELinux is preventing /usr/sbin/acpid from 'unlink' accesses on the sock_file acpid.socket.
Summary: SELinux is preventing /usr/sbin/acpid from 'unlink' accesses on the sock_file...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:53a8e19518b0ee53d926f74434e...
Depends On:
Blocks:
Reported: 2014-12-18 22:39 UTC by Thomas Meyer
Modified: 2015-06-29 12:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-19 02:32:55 UTC
Type: ---
Embargoed:


Description Thomas Meyer 2014-12-18 22:39:53 UTC
Description of problem:
SELinux is preventing /usr/sbin/acpid from 'unlink' accesses on the sock_file acpid.socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you think that acpid should be allowed unlink access on the acpid.socket sock_file by default.
Then you should report this as a bug.
To allow this access, you can create a local policy module.
Do
allow this access now by running the following commands:
# grep acpid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apmd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                acpid.socket [ sock_file ]
Source                        acpid
Source Path                   /usr/sbin/acpid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           acpid-2.0.23-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.4-301.fc21.x86_64 #1 SMP Thu
                              Nov 27 19:09:10 UTC 2014 x86_64 x86_64
Alert Count                   10
First Seen                    2014-11-14 22:11:52 CET
Last Seen                     2014-12-18 23:37:03 CET
Local ID                      f54969ef-bd9a-454d-aa0b-358f406ef1e8

Raw Audit Messages
type=AVC msg=audit(1418942223.880:4617): avc:  denied  { unlink } for  pid=24444 comm="acpid" name="acpid.socket" dev="tmpfs" ino=2550865 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(1418942223.880:4617): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7f0c1c85d010 a1=6c a2=8000000000e00000 a3=7f0c1c85d040 items=0 ppid=1 pid=24444 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=acpid exe=/usr/sbin/acpid subj=system_u:system_r:apmd_t:s0 key=(null)

Hash: acpid,apmd_t,var_run_t,sock_file,unlink

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Potential duplicate: bug 1109516

Comment 1 Simon Sekidde 2014-12-19 02:32:55 UTC
The path /var/run/acpid.socket is mislabeled. It is showing up as var_run_t instead of apmd_var_run_t.

To fix:

 restorecon -Rv /var/run/acpid.socket
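
The triage step behind comment 1, as an added example that is not part of this bug report: parse the raw AVC line from the description and check whether the target type matches what policy assigns to the path, which separates a mislabeling (fixed by restorecon) from a genuine policy gap (worth a bug, not a blind audit2allow). The EXPECTED_TYPE table is a hypothetical stand-in for what `matchpathcon` would return on a live system.

```python
import re

# Constructed sample input: the raw AVC line from this report, embedded so the
# script runs offline without access to /var/log/audit/audit.log.
SAMPLE_AVC = (
    "type=AVC msg=audit(1418942223.880:4617): avc:  denied  { unlink } for  "
    'pid=24444 comm="acpid" name="acpid.socket" dev="tmpfs" ino=2550865 '
    "scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 "
    "tclass=sock_file permissive=0"
)

# Assumption standing in for what `matchpathcon <path>` would report on a live
# system: the type the file-context policy assigns to the path (comment 1 says
# acpid.socket should be apmd_var_run_t). Hypothetical table, not policy data.
EXPECTED_TYPE = {"/var/run/acpid.socket": "apmd_var_run_t"}

_PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict: key=value fields (quotes stripped),
    the denied permissions as a list, and the source/target SELinux types."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    perms = _PERMS.search(line)
    if fields.get("type") != "AVC" or perms is None:
        raise ValueError("not an AVC denial line")
    fields["perms"] = perms.group(1).split()
    fields["stype"] = fields["scontext"].split(":")[2]   # e.g. apmd_t
    fields["ttype"] = fields["tcontext"].split(":")[2]   # e.g. var_run_t
    return fields


def triage(avc, path):
    """Decide what a denial means before reaching for audit2allow.

    Returns (verdict, hint). 'mislabeled': the object's type differs from
    what policy assigns to that path, so the fix is relabeling, not a new
    allow rule. 'policy': the label is right and the domain genuinely lacks
    the permission, which is a policy gap worth reporting."""
    expected = EXPECTED_TYPE.get(path)
    if expected is None:
        return "unknown", "no file-context entry known for %s" % path
    if avc["ttype"] != expected:
        return "mislabeled", "restorecon -Rv %s  (%s -> %s)" % (path, avc["ttype"], expected)
    return "policy", "%s lacks %s on %s; report against selinux-policy" % (
        avc["stype"], " ".join(avc["perms"]), avc["tclass"])


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(triage(avc, "/var/run/" + avc["name"]))
```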

Comment 2 Frank Büttner 2015-05-30 20:31:53 UTC
Description of problem:
update to the last acpid package via yum update

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-201.fc21.x86_64
type:           libreport

Comment 3 Laurent Rineau 2015-06-28 12:12:45 UTC
I got the same bug, on Fedora 21.

What could have relabelled /var/run/acpid.socket to the wrong label?!

Comment 4 Daniel Walsh 2015-06-29 10:38:50 UTC
Did you run the service directly by hand?

I posted a quick blog, on what I think happened here.

http://danwalsh.livejournal.com/71880.html

Comment 5 Laurent Rineau 2015-06-29 12:20:13 UTC
I cannot retrieve the context of the AVC I am talking about. Maybe I got confused by sealert and an old AVC.

Anyway, thanks for the blog entry. I think it will be linked a lot! :-)
