Bug 433194 - selinux prevents acpid from running ck-list-sessions
Summary: selinux prevents acpid from running ck-list-sessions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-02-17 12:31 UTC by drago01
Modified: 2008-03-11 14:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-11 14:43:30 UTC
Type: ---
Embargoed:



Description drago01 2008-02-17 12:31:21 UTC
Description of problem:
acpid runs /etc/acpi/actions/power.sh when the power button is pressed. This
script tries to find the currently running sessions using ck-list-sessions to
decide if it should shut down anyway or if it should leave the task to
gnome-power-manager. This does not work with selinux set to enforcing; I
get this avc message:

audit(1203250781.849:13): user pid=1795 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSeats
dest=org.freedesktop.ConsoleKit spid=3237 tpid=1986
scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:consolekit_t:s0
tclass=dbus
: exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

So the script ignores gnome-power-manager and shuts down the system anyway.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-84.fc8
selinux-policy-targeted-3.0.8-84.fc8

How reproducible:
Always 

Steps to Reproduce:
1. set gnome-power-manager to do anything but shut down
2. press the power button
3. the system shuts down right away (when selinux is in enforcing mode)
  
Actual results:
Selinux prevents acpid from doing its job.

Expected results:
Acpid should be allowed to talk to consolekit over dbus.

Additional info:
audit2allow -d

#============= apmd_t ==============
allow apmd_t consolekit_t:dbus send_msg;

I have tried a full relabel but it did not help.

Comment 1 Daniel Walsh 2008-02-18 17:11:31 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-85.fc8

Comment 2 drago01 2008-02-18 18:31:27 UTC
(In reply to comment #1)
> You can allow this for now by executing 
> 
> # audit2allow -M mypol -i /var/log/audit/audit.log 
> # semodule -i mypol.pp

I know, but wanted to report it to get it fixed in the policy package.

> Fixed in selinux-policy-3.0.8-85.fc8

OK, thx for the quick reply and for fixing this.


Comment 3 Daniel Walsh 2008-02-18 20:05:53 UTC
That is my cookie cutter response, and it is wrong.

Fixed in selinux-policy-3.0.8-87.fc8




Comment 4 drago01 2008-02-19 19:33:00 UTC
OK, tested -86 from koji and it did not fix it, but it broke NM badly:
#============= NetworkManager_t ==============
allow NetworkManager_t dbusd_etc_t:dir read;
allow NetworkManager_t rpm_var_lib_t:dir { write getattr search };
allow NetworkManager_t self:dbus send_msg;
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t system_dbusd_t:unix_stream_socket connectto;
allow NetworkManager_t system_dbusd_var_run_t:dir search;
allow NetworkManager_t system_dbusd_var_run_t:sock_file write;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:dbus send_msg;
allow system_dbusd_t inotifyfs_t:dir getattr;
allow system_dbusd_t unconfined_t:dbus send_msg;
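As an added illustration, not part of this bug or of the selinux-policy package, the following Python script does by hand what `audit2allow -d` did for the reporter: it parses AVC denial records (the dbus `send_msg` denial quoted in the description and a NetworkManager denial of the kind listed in comment 4) into `allow` rules and renders the `.te` source that `audit2allow -M` would hand to checkmodule. The log lines are constructed from the denials on this page; the `policy_module` function and its output layout are an approximation of audit2allow's, not its code. Seeing the mapping explicitly makes the review step visible: a rule generated this way is a local stopgap to be read before loading, and, as the thread shows, the lasting fix belongs in the distribution policy.

```python
import re
from collections import defaultdict

# Constructed sample audit log: the USER_AVC dbus denial from the description,
# a constructed plain AVC line matching one of the NetworkManager rules in
# comment 4, and an unrelated SYSCALL record the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1203250781.849:13): user pid=1795 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSeats dest=org.freedesktop.ConsoleKit spid=3237 tpid=1986 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:consolekit_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1203250790.000:14): avc:  denied  { read } for  pid=2001 comm="NetworkManager" name="system.d" dev=sda1 ino=1234 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1203250790.000:14): arch=c000003e syscall=2 success=no exit=-13 comm="NetworkManager"
"""

# The three things that decide an allow rule: permission set, source context,
# target context and object class. The lazy .*? skips the object-specific
# fields in between (msgtype/interface for dbus, pid/name/ino for files).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type. Index 2 is stable even when the MLS
    range itself contains ':' (e.g. s0-s0:c0.c1023)."""
    return ctx.split(":")[2]


def parse_denials(log_text: str):
    """Return [(source_type, target_type, tclass, frozenset(perms))] for every
    AVC denial line; granted records and non-AVC records are skipped."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        found.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                      m["tclass"], frozenset(m["perms"].split())))
    return found


def allow_rules(log_text: str):
    """Merge denials into one rule per (source, target, class), permissions
    sorted, in the form audit2allow prints: allow apmd_t consolekit_t:dbus send_msg;"""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules


def policy_module(name: str, log_text: str) -> str:
    """Render a minimal .te module (approximation of what audit2allow -M writes
    before checkmodule/semodule_package): the require block lists every type
    and class/permission the rules refer to, then the rules follow."""
    denials = parse_denials(log_text)
    types = sorted({s for s, _, _, _ in denials} | {t for _, t, _, _ in denials})
    class_perms = defaultdict(set)
    for _, _, cls, perms in denials:
        class_perms[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for cls, perms in sorted(class_perms.items()):
        lines.append(f"\tclass {cls} {{ {' '.join(sorted(perms))} }};")
    lines += ["}", ""] + allow_rules(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Equivalent of: audit2allow -d   (rules only)
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
    print()
    # Equivalent of the .te that audit2allow -M mypol would generate
    print(policy_module("mypol", SAMPLE_AUDIT_LOG))
```

Each rule names exactly which pair of domains and which object class the module would open up, which is the information to check against the component's intended behaviour (here, acpid's helper talking to ConsoleKit over the system bus) before running `semodule -i`; a rule whose source or target is a domain the denial was not about is a sign the log contains more than the one problem being chased.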




Comment 5 Daniel Walsh 2008-02-19 21:09:26 UTC

selinux-policy-3_0_8-87_fc8 should be in koji now.

Comment 6 drago01 2008-02-19 21:20:09 UTC
(In reply to comment #5)
> 
> selinux-policy-3_0_8-87_fc8 should be in koji now.

This one fixes it; thx.

