Description of problem:
SELinux is preventing /usr/sbin/apcaccess from 'read' accesses on the file unix.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that apcaccess should be allowed read access on the unix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep apcaccess /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apcupsd_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        apcaccess
Source Path                   /usr/sbin/apcaccess
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           apcupsd-3.14.13-3.fc23.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-300.fc23.x86_64 #1 SMP Tue Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-13 22:58:54 CST
Last Seen                     2015-11-13 22:58:54 CST
Local ID                      6f8bcf89-6044-4c77-b999-4ceecfa70070

Raw Audit Messages
type=AVC msg=audit(1447477134.719:519): avc: denied { read } for pid=2931 comm="apcaccess" name="unix" dev="proc" ino=4026532047 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1447477134.719:519): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffdc21166f0 a1=4 a2=7ffdc21166fe a3=3500 items=0 ppid=2929 pid=2931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=apcaccess exe=/usr/sbin/apcaccess subj=system_u:system_r:apcupsd_t:s0 key=(null)

Hash: apcaccess,apcupsd_t,proc_net_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-300.fc23.x86_64
type:           libreport
Could you please try if you get any other AVC? (I was unable to reproduce the issue - the reported AVC doesn't show up without a UPS connected.) Reproducing the issue with SELinux in permissive mode will show us all the permissions apcaccess needs. Please try the following:
# setenforce 0
<reproduce the issue>
# ausearch -m avc -ts recent
# setenforce 1
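As an added example (not code from the report, setroubleshoot, audit2allow, apcupsd or selinux-policy), the following Python script does the triage step that both the description's `grep ... | audit2allow` command and the `ausearch -m avc` run requested above rely on: it parses raw AVC records into fields, rebuilds the `comm,stype,ttype,tclass,perm` key that the report prints on its Hash: line, separates denials that were actually enforced (permissive=0) from those only logged in permissive mode, and collapses them into `allow` rules in the form audit2allow emits. The sample log embeds the report's own AVC and SYSCALL records plus one constructed permissive=1 record; the hash and rule formats are assumptions taken from the report's Hash: line and audit2allow's usual output.

```python
"""Triage raw SELinux AVC records: parse each denial into fields, build the
"comm,stype,ttype,tclass,perm" key setroubleshoot prints as Hash:, and
collapse the denials into allow rules of the form audit2allow emits.

Added example for this bug thread; not code from setroubleshoot,
audit2allow, apcupsd or selinux-policy.
"""
import re
from collections import Counter

# Constructed sample log: the first two records are the AVC and SYSCALL lines
# from the report (whitespace as ausearch prints it); the third is a made-up
# permissive=1 denial added for contrast and is not from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1447477134.719:519): avc:  denied  { read } for  pid=2931 comm="apcaccess" name="unix" dev="proc" ino=4026532047 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1447477134.719:519): arch=x86_64 syscall=access success=no exit=EACCES ppid=2929 pid=2931 uid=0 comm=apcaccess exe=/usr/sbin/apcaccess subj=system_u:system_r:apcupsd_t:s0
type=AVC msg=audit(1447477200.001:530): avc:  denied  { getattr } for  pid=2940 comm="apcaccess" name="unix" dev="proc" ino=4026532047 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'\bcomm="?([^"\s]+)"?')


def context_type(context):
    """Return the type component of user:role:type[:level], e.g. apcupsd_t."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": comm.group(1) if comm else "?",
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the kernel logged the access but did not block it
        "permissive": m.group("permissive") == "1",
    }


def parse_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def setroubleshoot_hash(denial, perm):
    """Key in the same "comm,stype,ttype,tclass,perm" shape as the report's Hash: line."""
    return ",".join([denial["comm"], denial["stype"], denial["ttype"], denial["tclass"], perm])


def allow_rules(denials):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    wanted = {}
    for d in denials:
        if d["result"] != "denied":
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        wanted.setdefault(key, set()).update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def triage(text):
    """Return per-hash counts, the number of enforced denials, and allow rules."""
    denials = parse_log(text)
    counts = Counter(setroubleshoot_hash(d, p) for d in denials for p in d["perms"])
    enforced = sum(1 for d in denials if not d["permissive"])
    return {"hashes": counts, "enforced": enforced, "rules": allow_rules(denials)}


if __name__ == "__main__":
    report = triage(SAMPLE_AUDIT_LOG)
    for key, n in report["hashes"].items():
        print(f"{n:3d}  {key}")
    print(f"{report['enforced']} denial(s) were enforced (permissive=0)")
    print("\n".join(report["rules"]))
```

Run against the output of `ausearch -m avc -ts recent`, the permissive flag separates the single enforced denial the reporter saw from the additional permissive-mode records a full run produces, and the grouping by source type, target type and class is what turns several records into one rule, which is the same shape as the eventual policy fix (allowing apcupsd_t to read proc_net_t).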
The problem doesn't seem reproducible on command, I think this only happened once. Not sure why - maybe some kind of timing-related issue?
This will only happen when the service is started via the init system; running it directly would result in the program running as unconfined_t, so it would be allowed. This access should just be allowed.
Yes, it makes sense to allow it.
commit b54d2c98b12a9ac90c0970e4ed98ce258fbee434
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 25 16:16:32 2016 +0100

    Allow apcupsd to read kernel network state.
    BZ(1282003)
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.