Bug 624440 - SELinux is preventing /usr/sbin/upsd "connectto" access on /var/run/nut/usbhid-ups-myups.
Summary: SELinux is preventing /usr/sbin/upsd "connectto" access on /var/run/nut/...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 13
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:214877ea5d6...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-08-16 13:31 UTC by Laurent Rineau
Modified: 2010-08-16 16:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-16 16:10:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Laurent Rineau 2010-08-16 13:31:13 UTC

SELinux is preventing /usr/sbin/upsd "connectto" access on

Detailed Description:

[upsd has a permissive type (nut_upsd_t). This access was not denied.]

SELinux denied access requested by upsd. It is not expected that this access is
required by upsd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                unconfined_u:system_r:nut_upsd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Objects                /var/run/nut/usbhid-ups-myups [ unix_stream_socket
Source                        upsd
Source Path                   /usr/sbin/upsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nut-2.4.3-5.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-44.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                     #1 SMP Fri Jul 23
                              17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   87
First Seen                    Mon 16 Aug 2010 02:26:58 PM CEST
Last Seen                     Mon 16 Aug 2010 02:29:12 PM CEST
Local ID                      11ddda37-5cee-413d-af96-5a1781bd3d11
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281961752.659:12859): avc:  denied  { connectto } for  pid=29717 comm="upsd" path="/var/run/nut/usbhid-ups-myups" scontext=unconfined_u:system_r:nut_upsd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1281961752.659:12859): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff2990b200 a2=6e a3=fffffff0 items=0 ppid=1 pid=29717 auid=500 uid=57 gid=57 euid=57 suid=57 fsuid=57 egid=57 sgid=57 fsgid=57 tty=(none) ses=29 comm="upsd" exe="/usr/sbin/upsd" subj=unconfined_u:system_r:nut_upsd_t:s0 key=(null)

Hash String generated from  catchall,upsd,nut_upsd_t,unconfined_t,unix_stream_socket,connectto
audit2allow suggests:

#============= nut_upsd_t ==============
allow nut_upsd_t unconfined_t:unix_stream_socket connectto;

Comment 1 Laurent Rineau 2010-08-16 13:38:34 UTC
My config is upsd, connected to an UPS "Ellipse ASR 1500", via USB. The ups driver is usbhid-ups. My config is rather simple, a strait-forward configuration: copy-paste the comments in the config files, and remove the '#'. The name of the UPS, in /etc/ups/upsd.conf is "myups". That explains why the upsd daemon connects to the socket "/var/run/nut/usbhid-ups-myups". This socket has probably been created by the "driver", ie "/sbin/usbhid-ups".

Comment 2 Laurent Rineau 2010-08-16 13:39:34 UTC
Oh, also, I ran the following:
  sudo semanage permissive -a nut_upsd_t     
  sudo semanage permissive -a nut_upsdrvctl_t
to debug this issue.

Comment 3 Miroslav Grepl 2010-08-16 14:11:26 UTC
Are you running any nut services as a user rather then through the start up scripts?

ps -eZ | grep nut

Comment 4 Laurent Rineau 2010-08-16 16:10:55 UTC
Yes, that maybe an explanation. I have rebooted since I reported the bug, and "ausearch -m avc -ts recent" no longer report anything.

Note You need to log in before you can comment on or make changes to this bug.