Description of problem: Upgrading to Fedora 37 and selinux started blocking nut-monitor SELinux is preventing upsmon from 'create' accesses on the file upsmon.pid. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that upsmon should be allowed create access on the upsmon.pid file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'upsmon' --raw | audit2allow -M my-upsmon # semodule -X 300 -i my-upsmon.pp Additional Information: Source Context system_u:system_r:nut_upsmon_t:s0 Target Context system_u:object_r:var_run_t:s0 Target Objects upsmon.pid [ file ] Source upsmon Source Path upsmon Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-37.14-1.fc37.noarch Local Policy RPM selinux-policy-targeted-37.14-1.fc37.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 Alert Count 1 First Seen 2022-11-19 11:59:02 MST Last Seen 2022-11-19 11:59:02 MST Local ID dba84e29-1472-4c82-bdf2-d5e072333b31 Raw Audit Messages type=AVC msg=audit(1668884342.141:388): avc: denied { create } for pid=9536 comm="upsmon" name="upsmon.pid" scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 Hash: upsmon,nut_upsmon_t,var_run_t,file,create Version-Release number of selected component: selinux-policy-targeted-37.14-1.fc37.noarch Additional info: component: selinux-policy reporter: libreport-2.17.4 hashmarkername: setroubleshoot kernel: 6.0.8-300.fc37.x86_64 type: libreport
I got hit by this too. If you don't configure the USB ups to run as root, then the daemon can't write the pidfile to /var/run, but if you configure it to run as root, it trips over selinux. This is what autit2allow creates: module my-usbhidups 1.0; require { type nut_upsdrvctl_t; type var_run_t; class file { create getattr open read unlink write }; class sock_file { create getattr setattr unlink }; class capability { chown fsetid }; } #============= nut_upsdrvctl_t ============== #!!!! This avc is allowed in the current policy allow nut_upsdrvctl_t self:capability { chown fsetid }; #!!!! This avc is allowed in the current policy allow nut_upsdrvctl_t var_run_t:file { create getattr open read unlink write }; #!!!! This avc is allowed in the current policy allow nut_upsdrvctl_t var_run_t:sock_file { create getattr setattr unlink };
It seems nut started to use not only a directory in the /run filesystem, but also a file and a sock_file directly in /run, so I added appropriate rules. The following scratchbuild can be used: https://github.com/fedora-selinux/selinux-policy/pull/1539 Checks -> Artifacts -> rpms.zip For the other denials, please provide additional debugging info with full auditing enabled: 1) Open the /etc/audit/rules.d/audit.rules file in an editor. 2) Remove the following line if it exists: -a task,never 3) Add the following line to the end of the file: -w /etc/shadow -p w 4) Restart the audit daemon: # service auditd restart 5) Re-run your scenario. 6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
FEDORA-2023-e672cff7c6 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-e672cff7c6
FEDORA-2023-e672cff7c6 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-e672cff7c6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e672cff7c6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-e672cff7c6 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.