Bug 158002 - actions scripts do not have proper selinux permissions
Summary: actions scripts do not have proper selinux permissions
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2005-05-17 18:52 UTC by Brian G. Anderson
Modified: 2007-11-30 22:11 UTC

Fixed In Version: 1.23.15-5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-09-04 23:44:06 UTC
Type: ---


Description Brian G. Anderson 2005-05-17 18:52:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 StumbleUpon/1.9993 Firefox/1.0.4

Description of problem:
I have FC4T3 synced up to the latest dev changes (5/15/05).  I'm having trouble getting acpi actions to work with SELinux enabled.  I made a lid event in /etc/acpi/events that invokes a sleep script in /etc/acpi/actions/sleep.sh.  The sleep script does a touch /tmp/suspend and then 'echo mem> /sys/power/state'. I set the context to system_u:object_r:etc_t, same as the /etc/acpi/events/sample.conf.
When I close the lid the system doesn't suspend.  The /var/logs/acpid says 'touch: cannot touch '/tmp/suspended': Permission denied' and '/etc/acpi/actions/sleep.sh: line 5: /sys/power/state: Permission denied'.  The /var/logs/audit/audit.log says 'type=(null) msg=(null)' about 20 times, but no other info.

If I setenforce 0 and close the lid then all works fine. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install sleep.sh action script into /etc/acpi/actions
2. Set up lid event to invoke sleep.sh
3. Close lid

Actual Results:  Computer doesn't suspend because permission is denied

Expected Results:  echo to /sys/power/state should succeed and the system should suspend

Additional info:

Comment 1 Bill Nottingham 2005-05-17 19:28:26 UTC
Uli - weren't you seeing this as well?

Dan - I'm assuming this needs fixed in policy, not in acpid itself.

Comment 2 Daniel Walsh 2005-05-18 11:48:53 UTC
acpi is now allowed to write to /sys/power

Fixed in latest policy selinux-policy-targeted-1.23.15-5
