Description of problem:
SELinux is preventing /usr/sbin/acpid from 'unlink' accesses on the sock_file acpid.socket.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that acpid should be allowed unlink access on the acpid.socket sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep acpid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apmd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                acpid.socket [ sock_file ]
Source                        acpid
Source Path                   /usr/sbin/acpid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           acpid-2.0.23-1.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.4-301.fc21.x86_64 #1 SMP Thu Nov 27 19:09:10 UTC 2014 x86_64 x86_64
Alert Count                   10
First Seen                    2014-11-14 22:11:52 CET
Last Seen                     2014-12-18 23:37:03 CET
Local ID                      f54969ef-bd9a-454d-aa0b-358f406ef1e8

Raw Audit Messages
type=AVC msg=audit(1418942223.880:4617): avc: denied { unlink } for pid=24444 comm="acpid" name="acpid.socket" dev="tmpfs" ino=2550865 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

type=SYSCALL msg=audit(1418942223.880:4617): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7f0c1c85d010 a1=6c a2=8000000000e00000 a3=7f0c1c85d040 items=0 ppid=1 pid=24444 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=acpid exe=/usr/sbin/acpid subj=system_u:system_r:apmd_t:s0 key=(null)

Hash: acpid,apmd_t,var_run_t,sock_file,unlink

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Potential duplicate: bug 1109516

The path /var/run/acpid.socket is mislabeled. It is showing up as var_run_t instead of apmd_var_run_t.

To fix:
restorecon -Rv /var/run/acpid.socket
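
An added example (not part of the original comments or of setroubleshoot): a small Python triage over AVC records that flags denials whose target carries a generic, directory-inherited type such as var_run_t, the pattern the comment above identifies as a mislabel to repair with restorecon rather than with an audit2allow module. The GENERIC_TYPES list is a heuristic assumption, and the second and third log records are constructed.

```python
import re

# First record: the AVC from the report above. The other two are constructed:
# an abbreviated SYSCALL record and a denial on an already specific type.
SAMPLE_LOG = '''type=AVC msg=audit(1418942223.880:4617): avc: denied { unlink } for pid=24444 comm="acpid" name="acpid.socket" dev="tmpfs" ino=2550865 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1418942223.880:4617): arch=x86_64 syscall=unlink success=no exit=EACCES
type=AVC msg=audit(1418942300.100:4620): avc: denied { write } for pid=24500 comm="exampled" name="example.sock" dev="tmpfs" ino=2550900 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:apmd_var_run_t:s0 tclass=sock_file permissive=0
'''

# Assumption (heuristic, not from the policy): types a file normally only gets
# by inheriting from its parent directory, hinting at a missing relabel.
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_t", "var_lib_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def triage(line):
    """Parse one audit line; return a verdict dict, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    ttype = selinux_type(f["tcontext"])
    return {
        "comm": f["comm"],
        "name": f["name"],
        "perms": m.group("perms").split(),
        "source_type": selinux_type(f["scontext"]),
        "target_type": ttype,
        "tclass": f["tclass"],
        # check-label: compare the on-disk label with the policy default
        # (e.g. matchpathcon -V <path>) before writing any allow rule.
        "verdict": "check-label" if ttype in GENERIC_TYPES else "review-policy",
    }

def triage_log(text):
    return [r for r in (triage(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print("{verdict:13} {comm} {perms} {name} ({source_type} -> {target_type}:{tclass})".format(**r))
```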

Description of problem:
update to the last acpid package via yum update

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-201.fc21.x86_64
type:           libreport

I got the same bug, on Fedora 21. What could have relabelled /var/run/acpid.socket to the wrong label?!
Did you run the service directly by hand? I posted a quick blog on what I think happened here. http://danwalsh.livejournal.com/71880.html
I cannot retrieve the context of the AVC I am talking about. Maybe I got confused by sealert and an old AVC. Anyway, thanks for the blog entry. I think it will be linked a lot! :-)