Bug 1293744 - SELinux denies acpid ability to run 'amixer' command
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Platform: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-22 17:56 EST by John W
Modified: 2016-07-19 16:45 EDT
Doc Type: Bug Fix
Last Closed: 2016-07-19 16:45:21 EDT
Attachments: None

Description John W 2015-12-22 17:56:41 EST
User-Agent:       Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

This issue was discussed on the selinux mailing list, subject line: "acpid cannot run 'amixer' due to SELinux issue?"  (not in archives as of this writing).

With the below local policy, it works as expected - I can, for instance, change the volume as a result of an acpi event (such as pressing a special key on my keyboard).

The AVC denials from the audit log (note: some were hidden by "dontaudit"):

------------

type=AVC msg=audit(1450643943.351:1071): avc:  denied  { read } for pid=17124 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450645877.188:1497): avc:  denied  { open } for pid=24344 comm="amixer" path="/dev/snd/controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450646449.252:1604): avc:  denied  { ioctl } for pid=26283 comm="amixer" path="/dev/snd/controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450649676.646:2155): avc:  denied  { getattr } for pid=6407 comm="amixer" path="/usr/share/alsa/alsa.conf" dev="sda5" ino=2231592 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450650193.910:2306): avc:  denied  { read } for pid=8370 comm="amixer" name="alsa.conf" dev="sda5" ino=2231592 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450650622.897:2416): avc:  denied  { open } for pid=9899 comm="amixer" path="/usr/share/alsa/alsa.conf" dev="sda5" ino=2231592 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450651145.995:2552): avc:  denied  { write } for pid=11799 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0

------------

And here is the .te file that audit2allow created:

------------

module allow_acpid_access_sound 1.0;

require {
        type alsa_etc_rw_t;
        type sound_device_t;
        type apmd_t;
        class chr_file { write read ioctl open };
        class file { read getattr open };
}

#============= apmd_t ==============

# amixer runs in acpid's domain (apmd_t). It needs to read the ALSA
# configuration (/usr/share/alsa/alsa.conf, labelled alsa_etc_rw_t) ...
allow apmd_t alsa_etc_rw_t:file { read getattr open };
# ... and to open, ioctl, read and write the mixer control device
# (/dev/snd/controlC0, labelled sound_device_t). audit2allow emitted the
# chr_file permissions as two rules because they were collected over
# several runs; they are one rule here.
allow apmd_t sound_device_t:chr_file { read write ioctl open };

------------

Reproducible: Always

Steps to Reproduce:
1. Set up an acpi handler and corresponding script
2. Have that script try to use 'amixer' to alter the volume, etc.
Actual Results:  
The script fails.

Expected Results:  
The script succeeds, just as it does when SELinux is disabled ("setenforce 0")
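The report's seven denials are spread over about two hours, consistent with the handler stopping at the first denial, a rule being added, and the key being pressed again. The following is an added example, not code from the report or from the selinux-policy project: a small Python script that does what audit2allow did for the reporter, but over all the records at once, merging permissions per (source type, target type, class) so the chr_file grants come out as one rule. It also flags the write-like grant for review, because the module above gives everything running as apmd_t write access to every sound_device_t node, not only amixer's use of /dev/snd/controlC0. The sample records are the report's own denials re-joined onto single lines; the function names and the write-like permission list are this example's choices, not part of any SELinux tool.

```python
import re
from collections import defaultdict

# Constructed sample input: the seven denials from the report, re-joined so
# that each audit record is on one line (the mail client wrapped them).
SAMPLE_AVC = """\
type=AVC msg=audit(1450643943.351:1071): avc:  denied  { read } for pid=17124 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450645877.188:1497): avc:  denied  { open } for pid=24344 comm="amixer" path="/dev/snd/controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450646449.252:1604): avc:  denied  { ioctl } for pid=26283 comm="amixer" path="/dev/snd/controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450649676.646:2155): avc:  denied  { getattr } for pid=6407 comm="amixer" path="/usr/share/alsa/alsa.conf" dev="sda5" ino=2231592 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450650193.910:2306): avc:  denied  { read } for pid=8370 comm="amixer" name="alsa.conf" dev="sda5" ino=2231592 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450650622.897:2416): avc:  denied  { open } for pid=9899 comm="amixer" path="/usr/share/alsa/alsa.conf" dev="sda5" ino=2231592 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450651145.995:2552): avc:  denied  { write } for pid=11799 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
"""

# One denial: the permission set, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that let the source domain modify the target (this example's
# list, not an SELinux notion); each one should be justified before loading.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "relabelfrom", "relabelto"}


def context_type(ctx):
    """user:role:type[:level] -> type (the only field a TE rule needs)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Collect denials as {(source_type, target_type, tclass): {perms}}.

    Denials logged in separate runs against the same (source, target, class)
    triple are merged, so one rule per triple comes out even when the records
    were gathered one permission at a time.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_te(rules, name, version="1.0"):
    """Emit a policy module source (.te) with a require block and allow rules."""
    types = sorted({t for (_, t, _) in rules} | {s for (s, _, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def review(rules):
    """Return one line per grant that gives the source domain write-like access."""
    findings = []
    for (s, t, cls), perms in sorted(rules.items()):
        risky = sorted(perms & WRITE_LIKE)
        if risky:
            findings.append(f"{s} gets {' '.join(risky)} on {t}:{cls}")
    return findings


def build_commands(name):
    """The checkmodule / semodule_package / semodule sequence that loads a .te."""
    return [
        f"checkmodule -M -m -o {name}.mod {name}.te",
        f"semodule_package -o {name}.pp -m {name}.mod",
        f"semodule -i {name}.pp",
    ]


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVC)
    print(render_te(rules, "allow_acpid_access_sound"))
    for finding in review(rules):
        print("# REVIEW:", finding)
    print("\n".join(build_commands("allow_acpid_access_sound")))
```

In practice the records come from `ausearch -m AVC -c amixer` rather than a string. Two things shorten the collect-one-denial-per-run loop the report went through: `semodule -DB` rebuilds the policy without the dontaudit rules the reporter mentions, so the hidden denials appear in the log (`semodule -B` restores them afterwards), and `semanage permissive -a apmd_t` lets the handler run to completion while every denial it would have hit is logged, after which `semanage permissive -d apmd_t` puts the domain back in enforcing mode. A local module like this is a workaround for one machine; the bug is filed against selinux-policy because the fix belongs in the distribution policy.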
Comment 1 Fedora End Of Life 2016-07-19 16:45:21 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
