Bug 1505050 - SELinux is preventing send killpower command to the apc ups
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
Reported: 2017-10-21 14:35 UTC by Paweł
Modified: 2018-11-11 17:31 UTC (History)

Last Closed: 2018-11-09 05:25:37 UTC
Type: Bug


Attachments
avc screenshot (100.65 KB, image/jpeg)
2018-07-28 08:40 UTC, Paweł
not successful shutdown, without kill power (2.47 MB, image/jpeg)
2018-09-07 08:16 UTC, Paweł
successful shutdown, with kill power (2.60 MB, image/jpeg)
2018-09-07 08:18 UTC, Paweł

Description Paweł 2017-10-21 14:35:39 UTC
Description of problem:
SELinux is preventing sending the killpower command to the APC UPS when apcupsd initiates system shutdown (halt). To be more specific, SELinux denied access (getattr) for /lib/systemd/system-shutdown/apcupsd_shutdown to the file /etc/apcupsd/powerfail.

I created a type enforcement file like this:

---cut-here---
module myapcupsd 1.0;

require {
	type apcupsd_power_t;
	type init_t;
	class file { getattr };
}

allow init_t apcupsd_power_t:file { getattr };
---cut-here---

After installing this module, the problem was solved.

Version-Release number of selected component (if applicable):
apcupsd-3.14.14-5
selinux-policy-targeted-3.13.1-260.13

Similar bug https://bugzilla.redhat.com/show_bug.cgi?id=1472062

Comment 1 Jorge Fábregas 2018-05-18 10:43:15 UTC
Fedora 27 user here. Please include the proposed fix. One of the main features of apcupsd is how it behaves during a prolonged power failure: it should shut down your computer properly and send the proper signal to your UPS. This last part is not working due to SELinux.

There are many people using this package, thinking it's just working as it should, but unaware that, when the time comes, it won't work as it should due to the current SELinux policy.

Comment 2 Lukas Vrabec 2018-07-27 22:04:18 UTC
Could you please attach raw AVC? 

reproduce the scenario and attach output of:
# ausearch -m AVC -ts recent

Comment 3 Paweł 2018-07-28 08:40:21 UTC
Created attachment 1471210 [details]
avc screenshot

Comment 4 Paweł 2018-07-28 08:44:58 UTC
(In reply to Lukas Vrabec from comment #2)
> Could you please attach raw AVC? 

Unfortunately not. Because the message is displayed when the system is completely halted. But I can take a screenshot. (see attachment, sorry for low quality)

Message from screenshot:
audit: type=1400 audit(numbers here): avc: denied { getattr } for pid=5563 comm="apcupsd_shutdow" path="/etc/apcupsd/powerfail" dev="dm-0" ino=inode_number_here scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:apcupsd_power_t:s0 tclass=file permissive=0

Comment 5 Lukas Vrabec 2018-07-29 11:09:46 UTC
Pawel, 

Do you know where on system is "apcupsd_shutdow" stored? 

Thanks,
Lukas.

Comment 6 Paweł 2018-07-29 11:19:59 UTC
(In reply to Lukas Vrabec from comment #5)
> Pawel, 
> 
> Do you know where on system is "apcupsd_shutdow" stored? 

/lib/systemd/system-shutdown/apcupsd_shutdown

it is a simple shell file.

#!/bin/sh

# See if this is a powerfail situation.
if [ -f /etc/apcupsd/powerfail ]; then
  echo
  echo "APCUPSD will now power off the UPS"
  echo
  /etc/apcupsd/apccontrol killpower
fi

Comment 7 Lukas Vrabec 2018-07-29 13:01:12 UTC
Okay, 

Could you please run: 
# semanage fcontext -a -t apcupsd_exec_t /etc/apcupsd/apccontrol
# restorecon -Rv /etc/apcupsd/

Could you try it with this change? 

Thanks,
Lukas.

Comment 8 Paweł 2018-07-29 17:45:22 UTC
(In reply to Lukas Vrabec from comment #7)
> Okay, 
> 
> Could you please run: 
> # semanage fcontext -a -t apcupsd_exec_t /etc/apcupsd/apccontrol
> # restorecon -Rv /etc/apcupsd/

It is even worse. Apcupsd does not shut down the system at all, but after a while does killpower to the UPS (the UPS cuts off power).
Previously, apcupsd did shut down the system, but did not killpower.
Now, apcupsd does not shut down the system, but does killpower.

Message from log

type=AVC msg=audit(1532883738.374:1261): avc:  denied  { execute_no_trans } for  pid=2267 comm="apcupsd" path="/etc/apcupsd/apccontrol" dev="dm-0" ino=3018309 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:apcupsd_exec_t:s0 tclass=file permissive=0

Hash: apcupsd,apcupsd_t,apcupsd_exec_t,file,execute_no_trans

I do not know if you noticed, but my solution from first post just works, maybe it helps you.

FYI, I revert changes with semanage fcontext -d "/etc/apcupsd/apccontrol"
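
Added example (not part of the original bug thread, and not audit2allow's own code): a small parser that takes the two AVC denials quoted in comments 4 and 8 and derives the candidate `allow` rule for each source type, target type and class. The function names `parse_avc` and `allow_rules` are hypothetical, and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample input: the two denials quoted in comments 4 and 8 of this
# thread (comment 4 keeps the reporter's placeholders; tclass is spelled out).
SAMPLE = """\
audit: type=1400 audit(numbers here): avc: denied { getattr } for pid=5563 comm="apcupsd_shutdow" path="/etc/apcupsd/powerfail" dev="dm-0" ino=inode_number_here scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:apcupsd_power_t:s0 tclass=file permissive=0
type=AVC msg=audit(1532883738.374:1261): avc:  denied  { execute_no_trans } for  pid=2267 comm="apcupsd" path="/etc/apcupsd/apccontrol" dev="dm-0" ino=3018309 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:apcupsd_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {"scontext", "tcontext", "tclass"}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not REQUIRED <= fields.keys():
        return None  # truncated record, e.g. retyped from a screenshot
    # A context is user:role:type:level; the type is always the third field.
    src, tgt = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context
    fields.update(perms=m.group("perms").split(),
                  source_type=src[2], target_type=tgt[2])
    return fields


def allow_rules(text):
    """Merge denials per (source, target, class) into candidate allow rules."""
    merged = {}
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["source_type"], avc["target_type"], avc["tclass"])
        merged.setdefault(key, set()).update(avc["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
```

Treat the output as candidates to review rather than rules to load as-is: only the `init_t` rule corresponds to the module from the description, while the `apcupsd_t` denial appeared only after the relabel tried in comment 7.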

Comment 9 Alexandre Ducastaing 2018-08-20 21:25:06 UTC
Hi all,
I tried:

# semanage permissive -a apcupsd_t
and,
# semanage permissive -a apcupsd_exec_t

It doesn't work!

I revert changes with:

# semanage permissive -d apcupsd_t
and,
# semanage permissive -d apcupsd_exec_t

Maybe you can fix it by updating with Pawel's solution?
Regards.

Comment 10 Fedora Update System 2018-09-06 21:56:15 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 11 Paweł 2018-09-07 08:16:44 UTC
Created attachment 1481515 [details]
not successful shutdown, without kill power

Comment 12 Paweł 2018-09-07 08:18:20 UTC
Created attachment 1481516 [details]
successful shutdown, with kill power

Comment 13 Paweł 2018-09-07 08:30:57 UTC
I updated the SELinux policy.

[root@corsair log]# rpm -qa|grep -i ^selinux
selinux-policy-targeted-3.14.1-42.fc28.noarch
selinux-policy-devel-3.14.1-42.fc28.noarch
selinux-policy-3.14.1-42.fc28.noarch

I removed my own policy
semodule -r myapcupsd

And nothing changed. I have the same AVC denial as previously. See attachment from comment #11

When I install my policy
semodule -i myapcupsd

I have a successful shutdown with kill power. See attachment from comment #12

For me the bug is still present.

Comment 14 Fedora Update System 2018-09-07 17:11:42 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 15 Paweł 2018-09-08 06:39:59 UTC
In the new policy the only change I see is the addition of this line

can_exec(apcupsd_t,apcupsd_exec_t)

However, I think we need to add this line

allow init_t apcupsd_power_t:file getattr_file_perms

Comment 16 Alexandre Ducastaing 2018-09-08 16:59:47 UTC
I updated:

$ rpm -qa|grep -i ^selinux
selinux-policy-devel-3.14.1-42.fc28.noarch
selinux-policy-3.14.1-42.fc28.noarch
selinux-policy-targeted-3.14.1-42.fc28.noarch

Nothing changed for me either.

Comment 17 Fedora Update System 2018-09-11 16:54:55 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2018-11-05 08:21:20 UTC
selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 19 Paweł 2018-11-05 18:15:22 UTC
(In reply to Fedora Update System from comment #18)
> selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28.
> https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Now everything works as it should.
I also checked selinux-policy-3.14.2-42.fc29. It also works.
So I think we can close this bug if no one reports problems.

Comment 20 Alexandre Ducastaing 2018-11-06 13:28:44 UTC
I confirm: everything works fine!

Comment 21 Fedora Update System 2018-11-06 23:27:28 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 22 Fedora Update System 2018-11-09 05:25:37 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Alexandre Ducastaing 2018-11-11 17:31:10 UTC
Works also with selinux-policy-3.14.1-48.fc28. Thanks...

