Bug 244525 - SELinux apcupsd denial for execution of apccontrol
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-16 13:43 EDT by Anthony Messina
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-14 07:57:06 EDT
Description Anthony Messina 2007-06-16 13:43:15 EDT
Description of problem:
SELinux prevents apcupsd from executing apccontrol in enforcing mode

Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Hold the battery test button on your APC UPS while running apcupsd and
SELinux in enforcing mode.
2. Watch the apcupsd logs and sealert.
  
Actual results:
Summary
    SELinux is preventing /usr/sbin/apcupsd (apcupsd_t) "execute" to apccontrol
    (bin_t).     

Source Context                system_u:system_r:apcupsd_t
Target Context                system_u:object_r:bin_t
Target Objects                apccontrol [ file ]
Affected RPM Packages         apcupsd-3.14.1-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-14.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Platform                      Linux 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 14:56:37 EDT
                              2007 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 16 Jun 2007 12:27:04 PM CDT
Last Seen                     Sat 16 Jun 2007 12:27:10 PM CDT
Local ID                      f4619676-d470-40a1-ac84-97fabbc96456
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm="apcupsd" dev=sda2 egid=0 euid=0
exe="/usr/sbin/apcupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="apccontrol"
pid=7387 scontext=system_u:system_r:apcupsd_t:s0 sgid=0
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0

Expected results:
I know this has been a difficult area and that the maintainer of apcupsd is to
be working on moving those executables out of /etc/apcupsd.

Anyway, this occurred during a test of the battery.  No tty messages were sent
and I get a permission denied error for apccontrol, which means that if the
power failed and the battery ran out, it wouldn't shut down the machine.

I'm hoping we can get this to work as my power is a bit unreliable in the summer.
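
Added example, not part of the original report or of the Fedora policy tooling: the raw audit message above split into its fields and reduced to the type-enforcement rule the denial corresponds to, which is the triage step audit2allow automates. The function names are hypothetical, and the sample is this report's AVC record joined onto one line.

```python
import re

# The raw audit message from this report, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { execute } for comm="apcupsd" dev=sda2 egid=0 euid=0 '
    'exe="/usr/sbin/apcupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="apccontrol" pid=7387 scontext=system_u:system_r:apcupsd_t:s0 sgid=0 '
    'subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0'
)

AVC_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)', re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Parse one AVC record into a dict; return None if it is not an AVC line."""
    m = AVC_HEAD.search(record)
    if m is None:
        return None
    result, perms, rest = m.groups()
    # key=value pairs; quoted values (comm, exe, name) lose their quotes
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    fields["result"] = result
    fields["perms"] = perms.split()
    return fields


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def candidate_rule(avc):
    """Render the rule the denial maps to: a candidate for review, not the shipped fix."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (src, tgt, avc["tclass"], perm_text)


if __name__ == "__main__":
    print(candidate_rule(parse_avc(SAMPLE_AVC)))
```

The target type here is bin_t, the generic label for system binaries, so a rule written against it covers more files than apccontrol alone; that scope is what a reviewer weighs before accepting such a rule.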
Comment 1 Daniel Walsh 2007-08-14 07:57:06 EDT
Fixed in current release.
