Bug 2163015 - SELinux is preventing /usr/sbin/upsd from using the kill capability
Summary: SELinux is preventing /usr/sbin/upsd from using the kill capability
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nut
Version: epel9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-01-22 22:54 UTC by Graham Leggett
Modified: 2023-01-23 02:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 1552 | 0 | None | Merged | Allow upsd to send signal to itself | 2023-01-23 02:01:00 UTC

Description Graham Leggett 2023-01-22 22:54:12 UTC
Description of problem:

SELinux failure while using upsd.

Version-Release number of selected component (if applicable):

2.8.0-3.el9

How reproducible:

Always

Steps to Reproduce:
1. Configure upsd with a USB UPS on RHEL9
2. Change /etc/ups/ups.conf configuration
3.

Actual results:

SELinux starts complaining.

Expected results:

No complaints from SELinux.

Additional info:

Jan 23 00:48:40 blackadder setroubleshoot[51526]: SELinux is preventing /usr/sbin/upsd from using the kill capability. For complete SELinux messages run: sealert -l 3a932861-930c-4ea9-9c9f-0d048c565c42
Jan 23 00:48:40 blackadder setroubleshoot[51526]: SELinux is preventing /usr/sbin/upsd from using the kill capability.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that upsd should have the kill capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'upsd' --raw | audit2allow -M my-upsd#012# semodule -X 300 -i my-upsd.pp#012
Jan 23 00:48:49 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.SetroubleshootPrivileged: Main process exited, code=killed, status=14/ALRM
Jan 23 00:48:49 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.SetroubleshootPrivileged: Failed with result 'signal'.
Jan 23 00:48:49 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.SetroubleshootPrivileged: Consumed 1.550s CPU time.
Jan 23 00:48:50 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.Setroubleshootd: Main process exited, code=killed, status=14/ALRM
Jan 23 00:48:50 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.Setroubleshootd: Failed with result 'signal'.
Jan 23 00:48:50 blackadder systemd[1]: dbus-:1.5-org.fedoraproject.Setroubleshootd: Consumed 1.889s CPU time.
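
Added example (not part of the bug report, nut or selinux-policy): a small Python triage helper that decodes the `#012` octal escapes syslog writes for embedded newlines in setroubleshoot entries like those above, then groups the denials by binary and denied access. The sample lines are constructed in the same shape; the host name, PID and alert ID are placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's setroubleshoot entries
# (host name, PID and alert ID are placeholders, not values from the bug).
SAMPLE = [
    "Jan 01 00:00:00 host1 setroubleshoot[1000]: SELinux is preventing "
    "/usr/sbin/upsd from using the kill capability. For complete SELinux "
    "messages run: sealert -l 00000000-0000-4000-8000-000000000000",
    "Jan 01 00:00:00 host1 setroubleshoot[1000]: SELinux is preventing "
    "/usr/sbin/upsd from using the kill capability.#012#012*****  Plugin "
    "catchall (100. confidence) suggests   *****#012#012You can generate a "
    "local policy module to allow this access.#012Do#012allow this access "
    "for now by executing:#012# ausearch -c 'upsd' --raw | audit2allow -M "
    "my-upsd#012# semodule -X 300 -i my-upsd.pp#012",
    "Jan 01 00:00:09 host1 systemd[1]: unrelated line",
]

ESCAPE = re.compile(r"#([0-3][0-7]{2})")  # syslog octal escape, e.g. #012
DENIAL = re.compile(r"SELinux is preventing (\S+) from (.+?)\.(?:\s|$)")
ALERT = re.compile(r"sealert -l ([0-9a-f-]{36})")

def decode_escapes(text):
    """Turn #NNN octal escapes (#012 = newline) back into characters."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)

def summarize(lines):
    """Group setroubleshoot entries by (binary, denied access)."""
    out = defaultdict(lambda: {"entries": 0, "alerts": set(), "commands": []})
    for line in lines:
        tag, sep, msg = line.partition(": ")
        if not sep or "setroubleshoot[" not in tag:
            continue  # not a setroubleshoot entry
        msg = decode_escapes(msg)
        m = DENIAL.search(msg)
        if not m:
            continue
        rec = out[(m.group(1), m.group(2))]
        rec["entries"] += 1
        rec["alerts"].update(ALERT.findall(msg))
        # Suggested shell commands appear as lines starting with "# ".
        for row in msg.splitlines():
            if row.startswith("# ") and row[2:] not in rec["commands"]:
                rec["commands"].append(row[2:])
    return dict(out)

if __name__ == "__main__":
    for (binary, access), rec in summarize(SAMPLE).items():
        print(binary, "|", access, "|", rec)
```

Both sample entries collapse into one denial for `/usr/sbin/upsd`; the `.te` file that `audit2allow -M` writes next to the `.pp` is worth reading before `semodule -i` loads the module.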

Comment 1 Orion Poplawski 2023-01-23 02:01:01 UTC
So, I submitted a fix for this to fedora-selinux - https://github.com/fedora-selinux/selinux-policy/pull/1552  but it's going to take a long time to trickle down.  I think the thing to do is to start shipping the selinux policy as part of the nut package.

