Bug 237840 - pm-suspend can't write to log file.
Summary: pm-suspend can't write to log file.
Alias: None
Product: Fedora
Classification: Fedora
Component: pm-utils
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Till Maas
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-04-25 16:40 UTC by Dave Jones
Modified: 2015-01-04 22:29 UTC (History)
3 users (show)

Fixed In Version: 0.99.4-3.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-09-25 22:47:07 UTC
Type: ---

Attachments (Terms of Use)

Description Dave Jones 2007-04-25 16:40:14 UTC
    SELinux is preventing pm-suspend (hald_t) "write" to pm-suspend.log

Detailed Description
    SELinux is preventing pm-suspend (hald_t) "write" to pm-suspend.log
    (var_log_t). The SELinux type %TARGET_TYPE, is a generic type for all files
    in the directory and very few processes (SELinux Domains) are allowed to
    write to this SELinux type.  This type of denial usual indicates a
    mislabeled file.  By default a file created in a directory has the gets the
    context of the parent directory, but SELinux policy has rules about the
    creation of directories, that say if a process running in one SELinux Domain
    (D1) creates a file in a directory with a particular SELinux File Context
    (F1) the file gets a different File Context (F2).  The policy usually allows
    the SELinux Domain (D1) the ability to write or append on (F2).  But if for
    some reason a file (pm-suspend.log) was created with the wrong context, this
    domain will be denied.  The usual solution to this problem is to reset the
    file context on the target file, restorecon -v pm-suspend.log.  If the file
    context does not change from var_log_t, then this is probably a bug in
    policy.  Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against the selinux-policy package. If it does change, you can try your
    application again to see if it works.  The file context could have been
    mislabeled by editing the file or moving the file from a different
    directory, if the file keeps getting mislabeled, check the init scripts to
    see if they are doing something to mislabel the file.

Allowing Access
    You can attempt to fix file context by executing restorecon -v pm-

    The following command will allow this access:
    restorecon pm-suspend.log

Additional Information        

Source Context                user_u:system_r:hald_t
Target Context                system_u:object_r:var_log_t
Target Objects                pm-suspend.log [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.1-1.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.mislabeled_file
Host Name                     dhcp83-65.boston.redhat.com
Platform                      Linux dhcp83-65.boston.redhat.com 2.6.21-rc7 #24
                              SMP Wed Apr 25 12:05:56 EDT 2007 i686 i686
Alert Count                   2
First Seen                    Wed Apr 25 12:38:39 2007
Last Seen                     Wed Apr 25 12:38:39 2007
Local ID                      4358edd1-22ec-41f8-9b66-760f0cf3f1b0
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="pm-suspend" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="pm-suspend.log"
pid=3772 scontext=user_u:system_r:hald_t:s0 sgid=0
subj=user_u:system_r:hald_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-04-25 17:16:12 UTC
Labeleding problem.

restorecon -R -v /var/log/pm-suspend.log

This was fixed in an earlier yum update.  Not sure why it is mislabled.

And setroubleshoot told you what to do...

Comment 2 Zack Cerza 2007-07-17 18:00:34 UTC
I saw this again today in F7. I have run 'restorecon -R -v
/var/log/pm-suspend.log' in the past.


Is it maybe pm-utils' fault?

Comment 3 Daniel Walsh 2007-07-17 20:11:59 UTC
Yes pm-utils must be creating deleting and recreating this file.  I though we
had fixed this in a release, but maybe it is only in rawhide.
The file should never be removed,  If you want to zero it out then cat /dev/null
> /var/log/pm-suspend.log not 
rm /var/log/pm-suspend.log
touch /var/log/pm-suspend.log

This will maintain the file context.

Comment 4 Fedora Update System 2007-09-24 17:59:02 UTC
pm-utils-0.99.4-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2007-09-25 22:46:54 UTC
pm-utils-0.99.4-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.