Summary:

SELinux is preventing /usr/sbin/upsd "connectto" access on
/var/run/nut/usbhid-ups-myups.

Detailed Description:

[upsd has a permissive type (nut_upsd_t). This access was not denied.]

SELinux denied access requested by upsd. It is not expected that this access is
required by upsd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:nut_upsd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /var/run/nut/usbhid-ups-myups [ unix_stream_socket ]
Source                        upsd
Source Path                   /usr/sbin/upsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nut-2.4.3-5.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-44.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.2.4.fc13.x86_64 #1 SMP
                              Fri Jul 23 17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   87
First Seen                    Mon 16 Aug 2010 02:26:58 PM CEST
Last Seen                     Mon 16 Aug 2010 02:29:12 PM CEST
Local ID                      11ddda37-5cee-413d-af96-5a1781bd3d11
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1281961752.659:12859): avc: denied { connectto } for pid=29717 comm="upsd" path="/var/run/nut/usbhid-ups-myups" scontext=unconfined_u:system_r:nut_upsd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1281961752.659:12859): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff2990b200 a2=6e a3=fffffff0 items=0 ppid=1 pid=29717 auid=500 uid=57 gid=57 euid=57 suid=57 fsuid=57 egid=57 sgid=57 fsgid=57 tty=(none) ses=29 comm="upsd" exe="/usr/sbin/upsd" subj=unconfined_u:system_r:nut_upsd_t:s0 key=(null)

Hash String generated from catchall,upsd,nut_upsd_t,unconfined_t,unix_stream_socket,connectto

audit2allow suggests:

#============= nut_upsd_t ==============
allow nut_upsd_t unconfined_t:unix_stream_socket connectto;
My config is upsd, connected to a UPS "Ellipse ASR 1500", via USB. The UPS driver is usbhid-ups. My config is rather simple, a straightforward configuration: copy-paste the comments in the config files, and remove the '#'. The name of the UPS, in /etc/ups/upsd.conf, is "myups". That explains why the upsd daemon connects to the socket "/var/run/nut/usbhid-ups-myups". This socket has probably been created by the "driver", i.e. "/sbin/usbhid-ups".
Oh, also, I ran the following:

    sudo semanage permissive -a nut_upsd_t
    sudo semanage permissive -a nut_upsdrvctl_t

to debug this issue.
Are you running any nut services as a user rather than through the start up scripts?

    ps -eZ | grep nut
Yes, that may be an explanation. I have rebooted since I reported the bug, and "ausearch -m avc -ts recent" no longer reports anything.
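
Added example, not part of the original report or of any commenter's post: a small triage script that pairs each AVC record with the SYSCALL record sharing its audit event id, then reports whether the denial was actually enforced and whether the socket's peer runs as unconfined_t, which is the condition the "started as a user?" question in this thread is probing. The two sample records are the ones quoted in the report above; the function and field names (parse, triage, not_enforced, peer_unconfined) are chosen here for illustration.

```python
import re

# The two raw audit records from the report above (node redacted as in the report).
SAMPLE = [
    'node=(removed) type=AVC msg=audit(1281961752.659:12859): avc: denied { connectto } for pid=29717 comm="upsd" path="/var/run/nut/usbhid-ups-myups" scontext=unconfined_u:system_r:nut_upsd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'node=(removed) type=SYSCALL msg=audit(1281961752.659:12859): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff2990b200 a2=6e a3=fffffff0 items=0 ppid=1 pid=29717 auid=500 uid=57 gid=57 euid=57 suid=57 fsuid=57 egid=57 sgid=57 fsgid=57 tty=(none) ses=29 comm="upsd" exe="/usr/sbin/upsd" subj=unconfined_u:system_r:nut_upsd_t:s0 key=(null)',
]

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one audit record into a dict; return None for non-audit lines."""
    m = EVENT.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec['type'], rec['event'] = m.group(1), m.group(2)
    p = PERMS.search(line)
    if p:
        rec['perms'] = p.group(1).split()
    return rec

def triage(lines):
    recs = [r for r in map(parse, lines) if r]
    # success= comes from the SYSCALL record with the same event id.
    outcome = {r['event']: r.get('success') for r in recs if r['type'] == 'SYSCALL'}
    findings = []
    for r in recs:
        if r['type'] != 'AVC':
            continue
        # A context is user:role:type:level; the level may itself contain ':'.
        s_type = r['scontext'].split(':', 3)[2]
        t_type = r['tcontext'].split(':', 3)[2]
        findings.append({
            'event': r['event'],
            'rule': f"allow {s_type} {t_type}:{r['tclass']} {{ {' '.join(r['perms'])} }};",
            # "denied" plus a successful syscall suggests a permissive domain.
            'not_enforced': outcome.get(r['event']) == 'yes',
            # Peer socket labelled unconfined_t: its owner was not in a confined domain.
            'peer_unconfined': t_type == 'unconfined_t',
        })
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```

When peer_unconfined is true, checking the driver's domain with ps -eZ (as asked above) and restarting it through the start up scripts is a narrower fix than loading the allow rule toward unconfined_t.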