Description of problem:
SELinux is preventing /usr/libexec/hald-addon-acpi (hald_t) "write" to acpid.socket (var_run_t).

Version-Release number of selected component (if applicable):

Target Context: system_u:object_r:var_run_t
Target Objects: acpid.socket [ sock_file ]
Affected RPM Packages: hal-0.5.9-8.fc7 [application]
Policy RPM: selinux-policy-2.6.4-26.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.mislabeled_file
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count: 180
First Seen: Sat 14 Jul 2007 01:35:25 AM CST
Last Seen: Sat 14 Jul 2007 01:23:16 PM CST
Local ID: 515a3715-29fa-4740-8abe-6070330cf6c4
Line Numbers:

Raw Audit Messages:
avc: denied { write } for comm="hald-addon-acpi" dev=dm-0 egid=68 euid=68 exe="/usr/libexec/hald-addon-acpi" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 name="acpid.socket" pid=2245 scontext=system_u:system_r:hald_t:s0 sgid=68 subj=system_u:system_r:hald_t:s0 suid=68 tclass=sock_file tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=68

How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:

The problem here is that acpid.socket is labeled incorrectly. It should be labeled like the following:

    ls -lZ /var/run/acpid.socket
    srw-rw-rw- root root system_u:object_r:apmd_var_run_t /var/run/acpid.socket

This would indicate that acpid is running under the wrong context.

    ps -eZ | grep acpid
    system_u:system_r:kernel_t 50 ? 00:00:00 kacpid
    system_u:system_r:apmd_t 21500 ? 00:00:00 acpid

Did you do something to start these apps outside of the init scripts?

No, I did not, except for the regular update with the Fedora update manager. I fixed the issue by the rebooting and relabelling routine of SELinux. Frankly, I have no idea if that is now secure or not, but the issue went away.
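
The check described in the second comment, as an added example that is not part of the original bug thread: it parses the raw audit message from the report and compares the socket's type and the acpid domain with the values the reply gives. The `ps` line showing `initrc_t` is a constructed sample, and all function and variable names are hypothetical.

```python
import re

# Expected types, taken from the reply in this thread: the socket should be
# apmd_var_run_t and the acpid daemon should run in the apmd_t domain.
EXPECTED_FILE_TYPE = {"acpid.socket": "apmd_var_run_t"}
EXPECTED_DOMAIN = {"acpid": "apmd_t"}

# Raw audit message copied from the report.
AVC = ('avc: denied { write } for comm="hald-addon-acpi" dev=dm-0 egid=68 euid=68 '
       'exe="/usr/libexec/hald-addon-acpi" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 '
       'name="acpid.socket" pid=2245 scontext=system_u:system_r:hald_t:s0 sgid=68 '
       'subj=system_u:system_r:hald_t:s0 suid=68 tclass=sock_file '
       'tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=68')

# `ps -eZ | grep acpid` output quoted in the reply (the correctly labeled state).
PS_FROM_REPLY = ("system_u:system_r:kernel_t 50 ? 00:00:00 kacpid\n"
                 "system_u:system_r:apmd_t 21500 ? 00:00:00 acpid")
# Constructed sample: acpid running outside its expected domain.
PS_CONSTRUCTED = "system_u:system_r:initrc_t 2100 ? 00:00:00 acpid"

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {key: value.strip('"') for key, value in pairs}
    fields["perms"] = m.group(1).split()
    return fields

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def mislabeled_target(fields):
    """Return (actual, expected) when the denied object has the wrong type."""
    expected = EXPECTED_FILE_TYPE.get(fields.get("name"))
    actual = context_type(fields["tcontext"])
    return (actual, expected) if expected and actual != expected else None

def wrong_domains(ps_output):
    """Map command -> domain for known daemons running in an unexpected domain."""
    bad = {}
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1] in EXPECTED_DOMAIN:
            domain = context_type(parts[0])
            if domain != EXPECTED_DOMAIN[parts[-1]]:
                bad[parts[-1]] = domain
    return bad
```
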