Bug 248248 - (acpidsocketSELinux) SELinux is preventing /usr/libexec/hald-addon-acpi (hald_t) "write" to acpid.socket (var_run_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
low Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-07-14 01:50 EDT by Thomas
Modified: 2008-08-02 19:40 EDT
Doc Type: Bug Fix
Last Closed: 2007-07-14 12:06:41 EDT
Description Thomas 2007-07-14 01:50:46 EDT
Description of problem:
SELinux is preventing /usr/libexec/hald-addon-acpi (hald_t) "write" to
acpid.socket (var_run_t).

Version-Release number of selected component (if applicable):
Target Context:  system_u:object_r:var_run_t
Target Objects:  acpid.socket [ sock_file ]
Affected RPM Packages:  hal-0.5.9-8.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-26.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.mislabeled_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
15:37:31 EDT 2007 i686 i686
Alert Count:  180
First Seen:  Sat 14 Jul 2007 01:35:25 AM CST
Last Seen:  Sat 14 Jul 2007 01:23:16 PM CST
Local ID:  515a3715-29fa-4740-8abe-6070330cf6c4
Line Numbers:
Raw Audit Messages:
avc: denied { write } for
comm="hald-addon-acpi" dev=dm-0 egid=68 euid=68
exe="/usr/libexec/hald-addon-acpi" exit=-13 fsgid=68 fsuid=68 gid=68 items=0
name="acpid.socket" pid=2245 scontext=system_u:system_r:hald_t:s0 sgid=68
subj=system_u:system_r:hald_t:s0 suid=68 tclass=sock_file
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=68

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Daniel Walsh 2007-07-14 08:42:01 EDT
The problem here is that acpid.socket is labeled incorrectly.
It should be labeled like the following:
ls -lZ /var/run/acpid.socket 
srw-rw-rw-  root root system_u:object_r:apmd_var_run_t /var/run/acpid.socket

This would indicate that acpid is running under the wrong context.

ps -eZ | grep acpid
system_u:system_r:kernel_t         50 ?        00:00:00 kacpid
system_u:system_r:apmd_t        21500 ?        00:00:00 acpid

Did you do something to start these apps outside of the init scripts?

Comment 2 Thomas 2007-07-14 12:06:41 EDT
No, I did not, except for the regular update with the Fedora update manager. I
fixed the issue by the rebooting and relabelling routine of SELinux. Frankly, I
have no idea if that is now secure or not, but the issue went away.
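
Added example, not part of the original bug thread and not setroubleshoot's own code: Python that parses the raw audit message from the description and flags the condition Comment 1 diagnoses, a sock_file that still carries the generic var_run_t label instead of a daemon-specific type such as apmd_var_run_t. The GENERIC_TYPES list and all function names are assumptions made for this illustration.

```python
import re

# The raw audit message quoted in the bug description (wrapped lines joined).
AVC = ('avc: denied { write } for comm="hald-addon-acpi" dev=dm-0 egid=68 euid=68 '
       'exe="/usr/libexec/hald-addon-acpi" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 '
       'name="acpid.socket" pid=2245 scontext=system_u:system_r:hald_t:s0 sgid=68 '
       'subj=system_u:system_r:hald_t:s0 suid=68 tclass=sock_file '
       'tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=68')

# Assumption: generic types that a confined daemon's own files are normally
# transitioned away from. Illustrative list, not taken from the policy.
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t",
                 "file_t", "default_t"}

def parse_avc(line):
    """Return the denial's key=value fields plus the denied permissions."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Third colon-separated field of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def triage(line):
    """Summarise a denial and flag a target that still has a generic label."""
    f = parse_avc(line)
    ttype = selinux_type(f["tcontext"])
    return {
        "source_type": selinux_type(f["scontext"]),
        "target_type": ttype,
        "tclass": f["tclass"],
        "perms": f["perms"],
        "name": f.get("name"),
        "likely_mislabeled": ttype in GENERIC_TYPES,
    }

if __name__ == "__main__":
    result = triage(AVC)
    print(result)
    if result["likely_mislabeled"]:
        print(f"check the label of {result['name']} and the domain of its creator")
```

A hit on likely_mislabeled points at the two checks from Comment 1: the file's label (ls -lZ) and the domain of the process that created it (ps -eZ).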
