Bug 249993 - selinux denials apcupsd-3.14.1-2.fc7
Status: CLOSED DUPLICATE of bug 247162
Product: Fedora
Classification: Fedora
Component: apcupsd
7
i386 Linux
low Severity low
Assigned To: Orion Poplawski
Fedora Extras Quality Assurance
: Reopened
Reported: 2007-07-29 00:16 EDT by vikram goyal
Modified: 2007-11-30 17:12 EST
Fixed In Version: 3.14.2-1.fc7
Doc Type: Bug Fix
Last Closed: 2007-10-19 10:19:10 EDT


Attachments
selinux denied message log for apcupsd (9.34 KB, text/plain)
2007-07-29 00:16 EDT, vikram goyal
selinux messages ( apcupsd )on mains power failure (20.54 KB, text/plain)
2007-09-18 23:02 EDT, vikram goyal
selinux messages ( apcupsd ) on mains power failure (20.54 KB, text/plain)
2007-09-18 23:02 EDT, vikram goyal

Description vikram goyal 2007-07-29 00:16:24 EDT
Description of problem:


Version-Release number of selected component (if applicable):
apcupsd-3.14.1-2.fc7
selinux-policy-2.6.4-28.fc7
selinux-policy-targeted-2.6.4-28.fc7


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 vikram goyal 2007-07-29 00:16:25 EDT
Created attachment 160182
selinux denied message log for apcupsd
Comment 2 Orion Poplawski 2007-07-30 11:28:14 EDT
Looks like you've got an incorrectly labeled /var/log/apcupsd.status file.  Try
"restorecon -v /var/log/apcupsd.status" and see if that changes the label to
apcupsd_log_t.

Dan -

  apcupsd will try to write /etc/nologin when power has failed to prevent
further logins.  It gets removed by /etc/apcupsd/apccontrol.  Can this get added
to policy?
Comment 3 Daniel Walsh 2007-07-30 11:43:49 EDT
apcupsd.status does not have the right context.

Fixing in selinux-policy-2.6.4-30

Also adding the ability to create nologin.
Comment 4 vikram goyal 2007-09-18 22:59:52 EDT
apcupsd-3.14.1-2.fc7
selinux-policy-2.6.4-42.fc7
selinux-policy-targeted-2.6.4-42.fc7

Fresh selinux denials. Occur only on mains power failure. Attaching audit.log.
Comment 5 vikram goyal 2007-09-18 23:02:29 EDT
Created attachment 199101
selinux messages ( apcupsd )on mains power failure
Comment 6 vikram goyal 2007-09-18 23:02:29 EDT
Created attachment 199111
selinux messages ( apcupsd ) on mains power failure
Comment 7 vikram goyal 2007-09-18 23:04:04 EDT
audit2allow

#============= system_mail_t ==============
allow system_mail_t apcupsd_log_t:file { read write append };
allow system_mail_t apcupsd_t:tcp_socket { read write };
allow system_mail_t apcupsd_tmp_t:file { read getattr ioctl };
allow system_mail_t usb_device_t:chr_file { read write };
Comment 8 vikram goyal 2007-09-18 23:05:29 EDT
Comment on attachment 199101
selinux messages ( apcupsd )on mains power failure

filed two times
Comment 9 Daniel Walsh 2007-09-22 07:59:58 EDT
These are leaked file descriptors from apcupsd,  apcupsd should call 
fcntl(fd, F_SETFD, FD_CLOEXEC)

On all its file descriptors before execing sendmail.
Comment 10 Adam Kropelin 2007-09-22 08:24:38 EDT
(In reply to comment #9)
> These are leaked file descriptors from apcupsd,  apcupsd should call 
> fcntl(fd, F_SETFD, FD_CLOEXEC)
> 
> On all its file descriptors before execing sendmail.

Should be fixed in apcupsd-3.14.2 which includes code to close all open fds
before exec'ing apccontrol.
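
The descriptor leak discussed in comments 9 and 10, as an added example that is not part of the original thread and is not apcupsd's code: a descriptor opened by a daemon stays open in an exec'd helper unless FD_CLOEXEC is set first, which is why sendmail (system_mail_t) was denied access to apcupsd_log_t and apcupsd_tmp_t objects. The function names, the /dev/null stand-in for the log descriptor and the use of /bin/sh with /proc/self/fd to probe the helper are assumptions of this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC while preserving any other descriptor flags. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;               /* EBADF: fd is not open */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Mark every open descriptor >= lowest; returns how many were marked. */
int mark_all_cloexec(int lowest) {
    long max = sysconf(_SC_OPEN_MAX);
    int marked = 0;
    if (max < 0 || max > 65536) max = 65536;  /* bound the scan */
    for (int fd = lowest; fd < max; fd++)
        if (set_cloexec(fd) == 0) marked++;
    return marked;
}

/* Fork and exec a helper (assumes /bin/sh and a mounted /proc);
 * returns 1 if the helper still has fd open, 0 if it does not. */
int helper_inherits(int fd, int harden) {
    char cmd[64]; int status;
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (harden) mark_all_cloexec(3);      /* keep stdin/stdout/stderr */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                           /* exec failed */
    }
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Open a stand-in for the daemon's log descriptor and run the helper. */
int demo(int harden) {
    int fd = open("/dev/null", O_WRONLY);     /* constructed stand-in */
    if (fd == -1) return -1;
    int seen = helper_inherits(fd, harden);
    close(fd);
    return seen;
}

int main(void) {
    printf("plain exec: %d, with CLOEXEC: %d\n", demo(0), demo(1));
    return 0;
}
```

New code can avoid the window entirely by opening descriptors with O_CLOEXEC, so no separate fcntl call is needed before exec.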
Comment 11 Fedora Update System 2007-10-11 18:55:16 EDT
apcupsd-3.14.2-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update apcupsd'
Comment 12 Fedora Update System 2007-10-17 22:29:37 EDT
apcupsd-3.14.2-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 vikram goyal 2007-10-18 02:56:07 EDT
After updating apcupsd to version apcupsd-3.14.2-1.fc7 as suggested, I relabeled
the system on boot. Below are the avc messages generated after power failure.

#============================================================================
type=AVC msg=audit(1192689949.385:62): avc:  denied  { read } for  pid=5795
comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1192689949.392:63): avc:  denied  { getattr } for  pid=5795
comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1192689949.399:64): avc:  denied  { ioctl } for  pid=5795
comm="sendmail" name="RsTSsaCP" dev=sdc8 ino=52
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:apcupsd_tmp_t:s0 tclass=file
#=============================================================================


Running audit2allow, I get this result.

#=============================================================================
#============= system_mail_t ==============
allow system_mail_t apcupsd_tmp_t:file { read getattr ioctl };
#=============================================================================

Thanks!
Comment 14 Orion Poplawski 2007-10-19 10:19:10 EDT

*** This bug has been marked as a duplicate of 247162 ***