Bug 433194 - selinux prevents acpid from running ck-list-sessions
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-02-17 07:31 EST by drago01
Modified: 2008-03-11 10:43 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-03-11 10:43:30 EDT

Attachments: None
Description drago01 2008-02-17 07:31:21 EST
Description of problem:
acpid runs /etc/acpi/actions/power.sh when the power button is pressed. This
script tries to find the currently running sessions using ck-list-sessions to
decide if it should shut down anyway or if it should leave the task to
gnome-power-manager. This does not work with selinux set to enforcing; I get
this avc message:

audit(1203250781.849:13): user pid=1795 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSeats
dest=org.freedesktop.ConsoleKit spid=3237 tpid=1986
scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:consolekit_t:s0
: exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

So the script ignores gnome-power-manager and shuts down the system anyway.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. set gnome-power-manager to do anything but shutdown
2. press the powerbutton
3. system shuts down right away (when selinux is in enforcing mode)
Actual results:
Selinux prevents acpid from doing its job.

Expected results:
Acpid should be allowed to talk to consolekit over dbus.

Additional info:
audit2allow -d

#============= apmd_t ==============
allow apmd_t consolekit_t:dbus send_msg;

I have tried a full relabel but it did not help.
Comment 1 Daniel Walsh 2008-02-18 12:11:31 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-85.fc8
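As an added illustration (not code from the bug report or from the selinux-policy project), the shell function below reproduces, for a single audit line, the rule-derivation step that "audit2allow -d" performs: it maps the dbus denial quoted in the description to "allow apmd_t consolekit_t:dbus send_msg;". The first sample is the report's denial rejoined onto one line; the second is a constructed kernel-style denial in the shape of the NetworkManager rules later in the thread; the function name avc_to_allow is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the report: derive the allow rule that audit2allow
# would print for one AVC denial line. Assumes the audit-log line formats
# shown in the report; sample lines below are rejoined/constructed so the
# script runs without a real audit log.

# Type field (third component) of a context such as system_u:system_r:apmd_t:s0
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: print "allow SRC TGT:CLASS PERMS;" for one denial line.
# Returns 1 for lines that are not AVC denials or that lack needed fields.
avc_to_allow() {
    local line=$1 perms sctx tctx tclass
    case $line in *'avc:'*'denied'*) ;; *) return 1 ;; esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    # Userspace AVCs logged by dbus-daemon carry msgtype= but no tclass=;
    # for those the object class is dbus, which is why the reporter's
    # audit2allow output names the dbus class.
    if [ -z "$tclass" ]; then
        case $line in *msgtype=*) tclass=dbus ;; *) return 1 ;; esac
    fi
    [ -n "$perms" ] && [ -n "$sctx" ] && [ -n "$tctx" ] || return 1
    # Normalise whitespace; brace the list only when several permissions.
    perms=$(printf '%s\n' "$perms" | tr -s ' ' | sed 's/^ //; s/ $//')
    case $perms in *' '*) perms="{ $perms }" ;; esac
    printf 'allow %s %s:%s %s;\n' \
        "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$perms"
}

# The denial quoted in the report, rejoined onto a single line.
SAMPLE_DBUS_AVC="audit(1203250781.849:13): user pid=1795 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSeats dest=org.freedesktop.ConsoleKit spid=3237 tpid=1986 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:consolekit_t:s0 : exe=\"/bin/dbus-daemon\" (sauid=81, hostname=?, addr=?, terminal=?)'"

# Constructed kernel-style denial (has tclass= and several permissions),
# shaped like the NetworkManager rpm_var_lib_t rule from comment 4.
SAMPLE_KERNEL_AVC="type=AVC msg=audit(1203450000.123:42): avc:  denied  { write getattr search } for  pid=2345 comm=\"NetworkManager\" name=\"rpm\" dev=sda2 ino=12345 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir"

avc_to_allow "$SAMPLE_DBUS_AVC"
avc_to_allow "$SAMPLE_KERNEL_AVC"
```

The printed rule is the body that "audit2allow -M mypol" packages into the mypol.pp module loaded with semodule -i; as the thread shows, such a local module is a stopgap until the fix ships in selinux-policy.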
Comment 2 drago01 2008-02-18 13:31:27 EST
(In reply to comment #1)
> You can allow this for now by executing 
> # audit2allow -M mypol -i /var/log/audit/audit.log 
> # semodule -i mypol.pp

I know, but wanted to report it to get it fixed in the policy package.

> Fixed in selinux-policy-3.0.8-85.fc8

OK, thx for the quick reply and for fixing this.
Comment 3 Daniel Walsh 2008-02-18 15:05:53 EST
That is my cookie cutter response, and it is wrong.

Fixed in selinux-policy-3.0.8-87.fc8

Comment 4 drago01 2008-02-19 14:33:00 EST
OK, tested -86 from koji and it did not fix it, but it broke NM badly:
#============= NetworkManager_t ==============
allow NetworkManager_t dbusd_etc_t:dir read;
allow NetworkManager_t rpm_var_lib_t:dir { write getattr search };
allow NetworkManager_t self:dbus send_msg;
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t system_dbusd_t:unix_stream_socket connectto;
allow NetworkManager_t system_dbusd_var_run_t:dir search;
allow NetworkManager_t system_dbusd_var_run_t:sock_file write;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:dbus send_msg;
allow system_dbusd_t inotifyfs_t:dir getattr;
allow system_dbusd_t unconfined_t:dbus send_msg;

Comment 5 Daniel Walsh 2008-02-19 16:09:26 EST
selinux-policy-3_0_8-87_fc8 should be in koji now.
Comment 6 drago01 2008-02-19 16:20:09 EST
(In reply to comment #5)
> selinux-policy-3_0_8-87_fc8 should be in koji now.

This one fixes it; thx.
