Description of problem:
acpid runs /etc/acpi/actions/power.sh when the power button is pressed. This script tries to find the currently running sessions using ck-list-sessions to decide if it should shut down anyway or if it should leave the task to gnome-power-manager. This does not work with selinux set to enforcing on my I get this avc message:

audit(1203250781.849:13): user pid=1795 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSeats dest=org.freedesktop.ConsoleKit spid=3237 tpid=1986 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:consolekit_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

So the script ignores gnome-power-manager and shuts down the system anyway.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-84.fc8
selinux-policy-targeted-3.0.8-84.fc8

How reproducible:
Always

Steps to Reproduce:
1. set gnome-power-manager to do anything but shutdown
2. press the power button
3. system shuts down right away (when selinux is in enforcing mode)

Actual results:
Selinux prevents acpid from doing its job.

Expected results:
Acpid should be allowed to talk to consolekit over dbus.

Additional info:
audit2allow -d

#============= apmd_t ==============
allow apmd_t consolekit_t:dbus send_msg;

I have tried a full relabel but it did not help.
You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-85.fc8
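An added example, not part of the original thread and not the audit2allow source: Python code that reproduces the denial-to-rule mapping audit2allow performs, with an optional source-type filter so the rules implied by a whole audit log can be checked against the one denial a local module is meant to cover. The first log line is the denial quoted in the report; the second line, the types `example_t` and `example_file_t`, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: line 1 is the denial from the report,
# line 2 is a made-up unrelated denial to show the filtering.
SAMPLE_LOG = """\
audit(1203250781.849:13): user pid=1795 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSeats dest=org.freedesktop.ConsoleKit spid=3237 tpid=1986 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:consolekit_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
audit(1203250790.100:14): avc: denied { read write } for pid=4000 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
"""

# Matches both kernel AVC records and userspace (dbus) AVC records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def denials_to_rules(log_text, source_type=None):
    """Turn AVC denials into allow rules, optionally for one source type."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = context_type(m["s"]), context_type(m["t"])
        if source_type and src != source_type:
            continue  # denial from another domain: keep it out of the module
        rules[(src, tgt, m["cls"])].update(m["perms"].split())
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG, source_type="apmd_t")))
```

Run without the filter, the same log yields a rule for every denied domain, which is what a module generated from the full log would grant.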
(In reply to comment #1)
> You can allow this for now by executing
>
> # audit2allow -M mypol -i /var/log/audit/audit.log
> # semodule -i mypol.pp

I know, but wanted to report it to get it fixed in the policy package.

> Fixed in selinux-policy-3.0.8-85.fc8

OK, thx for the quick reply and for fixing this.
That is my cookie cutter response, and it is wrong. Fixed in selinux-policy-3.0.8-87.fc8
OK, tested -86 from koji and it did not fix it but it broke NM badly:

#============= NetworkManager_t ==============
allow NetworkManager_t dbusd_etc_t:dir read;
allow NetworkManager_t rpm_var_lib_t:dir { write getattr search };
allow NetworkManager_t self:dbus send_msg;
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t system_dbusd_t:unix_stream_socket connectto;
allow NetworkManager_t system_dbusd_var_run_t:dir search;
allow NetworkManager_t system_dbusd_var_run_t:sock_file write;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:dbus send_msg;
allow system_dbusd_t inotifyfs_t:dir getattr;
allow system_dbusd_t unconfined_t:dbus send_msg;
selinux-policy-3_0_8-87_fc8 should be in koji now.
(In reply to comment #5)
> selinux-policy-3_0_8-87_fc8 should be in koji now.

This one fixes it; thx.