Description of problem:
On Fedora 7, in enforcing mode, SELinux prevents the apcupsd daemon from sending wall broadcasts or email alerts as follows:

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-23.fc7
apcupsd-3.14.1-2.fc7

How reproducible:
Every time.

Steps to Reproduce:
1. Execute a self test on the UPS
2. (In my case, it's telling me my batteries need changing)
3. See no wall broadcasts and email messages are blank

Actual results:
SELinux is preventing /bin/mail (apcupsd_t) "setgid" to (apcupsd_t).
SELinux is preventing /usr/sbin/sendmail.postfix (system_mail_t) "read write" to /tmp/RsnlVB7N (deleted) (apcupsd_t).
SELinux is preventing /usr/bin/wall (apcupsd_t) "dac_override" to (apcupsd_t).

Expected results:
SELinux should allow this type of access so admins can find out whether or not their batteries need replacing :) or get any other notifications.

Additional info:
avc: denied { setgid } for comm="mail" egid=0 euid=0 exe="/bin/mail" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=14493 scontext=user_u:system_r:apcupsd_t:s0 sgid=0 subj=user_u:system_r:apcupsd_t:s0 suid=0 tclass=capability tcontext=user_u:system_r:apcupsd_t:s0 tty=(none) uid=0
avc: denied { read, write } for comm="sendmail" dev=sockfs egid=0 euid=0 exe="/usr/sbin/sendmail.postfix" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[309946]" path=2F746D702F52736E6C5642374E202864656C6574656429 pid=14495 scontext=user_u:system_r:system_mail_t:s0 sgid=0 subj=user_u:system_r:system_mail_t:s0 suid=0 tclass=tcp_socket tcontext=user_u:system_r:apcupsd_t:s0 tty=(none) uid=0
avc: denied { dac_override } for comm="wall" egid=5 euid=0 exe="/usr/bin/wall" exit=-13 fsgid=5 fsuid=0 gid=0 items=0 pid=14498 scontext=user_u:system_r:apcupsd_t:s0 sgid=5 subj=user_u:system_r:apcupsd_t:s0 suid=0 tclass=capability tcontext=user_u:system_r:apcupsd_t:s0 tty=(none) uid=0
Fixed in selinux-policy-2.6.4-27. Added dac_override and setgid to policy.

avc: denied { read, write } for comm="sendmail" dev=sockfs egid=0 euid=0 exe="/usr/sbin/sendmail.postfix" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[309946]" path=2F746D702F52736E6C5642374E202864656C6574656429 pid=14495 scontext=user_u:system_r:system_mail_t:s0 sgid=0 subj=user_u:system_r:system_mail_t:s0 suid=0 tclass=tcp_socket tcontext=user_u:system_r:apcupsd_t:s0 tty=(none) uid=0

is caused by a leaked file descriptor. All open file descriptors should be closed on exec of applications:

fcntl(fd, F_SETFD, F_CLOEXEC)
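As an added illustration of the leaked-descriptor mechanism described in this comment (example code, not from apcupsd or the bug report), the following constructed scenario opens a TCP socket in a parent process, spawns a helper via /bin/sh the way a daemon would spawn sendmail, and checks whether the helper can still use the socket; the FD_CLOEXEC fix is then applied and the check repeated. It assumes Linux with /bin/sh available; the socket falls back to /dev/null if socket() is unavailable in the sandbox, since the inheritance mechanism is the same.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* The fix named in the comment: mark fd close-on-exec, preserving other flags.
   Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Fork and exec /bin/sh; the child tries to dup fd onto its stdout.
   Returns 1 if fd was still open after exec (it leaked into the child),
   0 if exec closed it, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Constructed daemon scenario: hold a TCP socket, then spawn a helper.
   fix=1 applies FD_CLOEXEC first. Returns 1 if the socket leaked, 0 if not, -1 on error. */
int demo(int fix)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        fd = open("/dev/null", O_RDWR);   /* fallback if sockets are unavailable */
    if (fd == -1)
        return -1;
    if (fix && set_cloexec(fd) == -1) {
        close(fd);
        return -1;
    }
    int leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: leaked=%d\n", demo(0));   /* 1 */
    printf("with    FD_CLOEXEC: leaked=%d\n", demo(1));   /* 0 */
    return 0;
}
```

The leaked case is exactly what the AVC above records: sendmail, running as system_mail_t, inherits a tcp_socket still labelled apcupsd_t. Where the platform supports it, SOCK_CLOEXEC at socket() or O_CLOEXEC at open() avoids the race window between creation and the fcntl call.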
With selinux-policy-2.6.4-30.fc7 I get broadcast messages but mails with empty bodies. Here's what I see:

type=AVC msg=audit(1186003168.817:2876): avc: denied { read } for pid=4004 comm="apcaccess" name="resolv.conf" dev=dm-0 ino=120846 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1186003168.827:2877): avc: denied { create } for pid=4004 comm="apcaccess" scontext=root:system_r:apcupsd_t:s0 tcontext=root:system_r:apcupsd_t:s0 tclass=udp_socket
^ resolver library?

type=AVC msg=audit(1186003177.143:3170): avc: denied { read } for pid=4006 comm="sendmail" name="RsNzuY70" dev=tmpfs ino=17180 scontext=root:system_r:system_mail_t:s0 tcontext=root:object_r:apcupsd_tmp_t:s0 tclass=file
^ Maybe sendmail trying to read the message to be sent?

type=AVC msg=audit(1186003177.143:3170): avc: denied { read append } for pid=4006 comm="sendmail" name="apcupsd.events" dev=dm-3 ino=124974 scontext=root:system_r:system_mail_t:s0 tcontext=root:object_r:apcupsd_log_t:s0 tclass=file
type=AVC msg=audit(1186003177.143:3170): avc: denied { read write } for pid=4006 comm="sendmail" name="hiddev0" dev=tmpfs ino=3798 scontext=root:system_r:system_mail_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1186003177.143:3170): avc: denied { read write } for pid=4006 comm="sendmail" name="" dev=sockfs ino=17042 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:apcupsd_t:s0 tclass=tcp_socket
^ These look like open descriptors. Should be fixed in apcupsd-3.14.1-3.
apcupsd-3.14.1-3.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
I still get blank emails because sendmail cannot read the tmp message file that apcupsd writes out:

Oct 5 11:25:39 saga kernel: audit(1191605139.416:10): avc: denied { read } for pid=28312 comm="sendmail" name="RsejgQId" dev=tmpfs ino=1409259 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
Fixed in selinux-policy-2.6.4-49
*** Bug 249993 has been marked as a duplicate of this bug. ***
*** Bug 357871 has been marked as a duplicate of this bug. ***
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.