Bug 158002 - actions scripts do not have proper selinux premissions
actions scripts do not have proper selinux premissions
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2005-05-17 14:52 EDT by Brian G. Anderson
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: 1.23.15-5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-09-04 19:44:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Brian G. Anderson 2005-05-17 14:52:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 StumbleUpon/1.9993 Firefox/1.0.4

Description of problem:
I have FC4T3 synced up to the latest dev changes (5/15/05).  I'm having trouble with getting acpi actions to work with SElinux enabled.  I made a lid event in /etc/acpi/events that invokes a sleep script in /etc/acpi/actions/sleep.sh.  The sleep script does a touch /tmp/suspend and then 'echo mem> /sys/power/state'. I set the context to system_u:object_r:etc_t, same as the /etc/acpi/events/sample.conf.
When I close the lid the system doesn't suspend.  The /var/logs/acpid says that 'touch: cannot touch '/tmp/suspended': Permission denied' and /etc/acpi/actions/sleep.sh: line 5: /sys/power/state: Permission denied'.  The /var/logs/audit/audit.log say 'type=(null) msg=(null)' about 20 times, but no other info.

If I setenforce 0 and close the lid then all works fine. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.install sleep.sh action script into /etc/acpi/actions
2.set up lid event to invoke sleep.sh
3.close lid

Actual Results:  Computer doesn't suspend because permission is denied

Expected Results:  echo to /sys/power/state should succeed and the sustem should suspend

Additional info:
Comment 1 Bill Nottingham 2005-05-17 15:28:26 EDT
Uli - weren't you seeing this as well?

Dan - I'm assuming this needs fixed in policy, not in acpid itself.
Comment 2 Daniel Walsh 2005-05-18 07:48:53 EDT
acpi is now allowed to write to /sys/power

Fixed in latest policy selinux-policy-targeted-1.23.15-5

Note You need to log in before you can comment on or make changes to this bug.