Bug 1505050 - SELinux is preventing send killpower command to the apc ups
Summary: SELinux is preventing send killpower command to the apc ups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-21 14:35 UTC by Paweł
Modified: 2018-11-11 17:31 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-09 05:25:37 UTC
Type: Bug


Attachments (Terms of Use)
avc screenshot (100.65 KB, image/jpeg)
2018-07-28 08:40 UTC, Paweł
no flags Details
not successful shutdown, without kill power (2.47 MB, image/jpeg)
2018-09-07 08:16 UTC, Paweł
no flags Details
successful shutdown, with kill power (2.60 MB, image/jpeg)
2018-09-07 08:18 UTC, Paweł
no flags Details

Description Paweł 2017-10-21 14:35:39 UTC
Description of problem:
SELinux is preventing  send killpower command to the apc ups when apcupsd initate system shutdown (halt). To be more specific SElinux denied access (getattr) /lib/systemd/system-shutdown/apcupsd_shutdown to file /etc/apcupsd/powerfail

I create type enforcement file like this:

---cut-here---
module myapcupsd 1.0;

require {
	type apcupsd_power_t;
	type init_t;
	class file { getattr };
}

allow init_t apcupsd_power_t:file { getattr };
---cut-here---

After install this module problem has been solved.

Version-Release number of selected component (if applicable):
apcupsd-3.14.14-5
selinux-policy-targeted-3.13.1-260.13

Similar bug https://bugzilla.redhat.com/show_bug.cgi?id=1472062

Comment 1 Jorge Fábregas 2018-05-18 10:43:15 UTC
Fedora 27 user here.  Please include the proposed fix.  One of the main features of apcupsd is how it behaves during a prolonged power failure: it should shutdown your computer properly & and send the proper signal to your UPS. This last part is not working due to SELinux.

There are many people using this package - thinking it's just working as it should- but unaware that , when the time comes, it won't work as it should due to the current SELinux policy.

Comment 2 Lukas Vrabec 2018-07-27 22:04:18 UTC
Could you please attach raw AVC? 

reproduce the scenario and attach output of:
# ausearch -m AVC -ts recent

Comment 3 Paweł 2018-07-28 08:40:21 UTC
Created attachment 1471210 [details]
avc screenshot

Comment 4 Paweł 2018-07-28 08:44:58 UTC
(In reply to Lukas Vrabec from comment #2)
> Could you please attach raw AVC? 

Unfortunately not. Because the message is displayed when the system is completely halted. But I can take a screenshot. (see attachment, sorry for low quality)

Message from screenshot:
audit: type=1400 audit(numbers here): avc: denied {getattr } for pid=5563 comm="apcupsd_shutdow" path="/etc/apcupsd/powerfail" dev="dm-0" ino=inode_number_here scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:apcupsd_power_t:s0 tc;ass=file permissive=0

Comment 5 Lukas Vrabec 2018-07-29 11:09:46 UTC
Pawel, 

Do you know where on system is "apcupsd_shutdow" stored? 

Thanks,
Lukas.

Comment 6 Paweł 2018-07-29 11:19:59 UTC
(In reply to Lukas Vrabec from comment #5)
> Pawel, 
> 
> Do you know where on system is "apcupsd_shutdow" stored? 

/lib/systemd/system-shutdown/apcupsd_shutdown

it is a simple shell file.

#!/bin/sh

# See if this is a powerfail situation.
if [ -f /etc/apcupsd/powerfail ]; then
  echo
  echo "APCUPSD will now power off the UPS"
  echo
  /etc/apcupsd/apccontrol killpower
fi

Comment 7 Lukas Vrabec 2018-07-29 13:01:12 UTC
Okay, 

Could you please run: 
# semanage fcontext -a -t apcupsd_exec_t /etc/apcupsd/apccontrol
# restorecon -Rv /etc/apcupsd/

Could you try it with this change? 

Thanks,
Lukas.

Comment 8 Paweł 2018-07-29 17:45:22 UTC
(In reply to Lukas Vrabec from comment #7)
> Okay, 
> 
> Could you please run: 
> # semanage fcontext -a -t apcupsd_exec_t /etc/apcupsd/apccontrol
> # restorecon -Rv /etc/apcupsd/

It is even worse. Apcupsd does not shutdown system at all, but after a while do killpower to the ups (ups cut off power).
Previously, apcupsd does shutdown system, but does not killpower.
Now, apcupsd does not shutdown system, but does killpower.

 Message from log

type=AVC msg=audit(1532883738.374:1261): avc:  denied  { execute_no_trans } for  pid=2267 comm="apcupsd" path="/etc/apcupsd/apccontrol" dev="dm-0" ino=3018309 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:apcupsd_exec_t:s0 tclass=file permissive=0

Hash: apcupsd,apcupsd_t,apcupsd_exec_t,file,execute_no_trans

I do not know if you noticed, but my solution from first post just works, maybe it helps you.

FYI, I revert changes with semanage fcontext -d "/etc/apcupsd/apccontrol"

Comment 9 Alexandre Ducastaing 2018-08-20 21:25:06 UTC
I all;
I try:

# semanage permissive -a apcupsd_t
and,
# semanage permissive -a apcupsd_exec_t

It doesn't work !

I revert changes with:

# semanage permissive -d apcupsd_t
and,
# semanage permissive -d apcupsd_exec_t

Maybe you can fix it updating with the Pawel solution ?
Regards.

Comment 10 Fedora Update System 2018-09-06 21:56:15 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 11 Paweł 2018-09-07 08:16:44 UTC
Created attachment 1481515 [details]
not successful shutdown, without kill power

Comment 12 Paweł 2018-09-07 08:18:20 UTC
Created attachment 1481516 [details]
successful shutdown, with kill power

Comment 13 Paweł 2018-09-07 08:30:57 UTC
I update the selinux policy.

[root@corsair log]# rpm -qa|grep -i ^selinux
selinux-policy-targeted-3.14.1-42.fc28.noarch
selinux-policy-devel-3.14.1-42.fc28.noarch
selinux-policy-3.14.1-42.fc28.noarch

remove my own policy
semodule -r myapcupsd

And nothing change. I have the same avc denial as previously. See attachment from comment #11

When I install my policy
semodule -i myapcupsd

I have a successful shutdown with kill power. See attachment from comment #12

For me the bug is still present.

Comment 14 Fedora Update System 2018-09-07 17:11:42 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 15 Paweł 2018-09-08 06:39:59 UTC
In the new policy the only change I see is the addition of this line

can_exec(apcupsd_t,apcupsd_exec_t)

However, I think we need to add this line

allow init_t apcupsd_power_t:file getattr_file_perms

Comment 16 Alexandre Ducastaing 2018-09-08 16:59:47 UTC
I update:

$ rpm -qa|grep -i ^selinux
selinux-policy-devel-3.14.1-42.fc28.noarch
selinux-policy-3.14.1-42.fc28.noarch
selinux-policy-targeted-3.14.1-42.fc28.noarch

Nothing changes for me too.

Comment 17 Fedora Update System 2018-09-11 16:54:55 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2018-11-05 08:21:20 UTC
selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 19 Paweł 2018-11-05 18:15:22 UTC
(In reply to Fedora Update System from comment #18)
> selinux-policy-3.14.1-48.fc28 has been submitted as an update to Fedora 28.
> https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Now everything works as it should.
I also checked selinux-policy-3.14.2-42.fc29. It also works.
So I think we can close this bug if no one reports problems.

Comment 20 Alexandre Ducastaing 2018-11-06 13:28:44 UTC
I confirm: everything works fine !

Comment 21 Fedora Update System 2018-11-06 23:27:28 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8004d37878

Comment 22 Fedora Update System 2018-11-09 05:25:37 UTC
selinux-policy-3.14.1-48.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Alexandre Ducastaing 2018-11-11 17:31:10 UTC
Works also with selinux-policy-3.14.1-48.fc28. Thanks...


Note You need to log in before you can comment on or make changes to this bug.