Hide Forgot
Description of problem: SELinux is preventing restorecon (restorecon_t) "write" to /var/log/pm/suspend.log (hald_log_t). Version-Release number of selected component (if applicable): selinux-policy-2.4.6-302.el5 pm-utils-0.99.3-10.el5 How reproducible: 100% Steps to Reproduce: 1. In terminal run "pm-suspend" and wait until box suspends 2. Wake the box 3. Wait a few moments Actual results: SELinux denial appears Expected results: No SELinux denials Additional info: Happens on i386 and x86_64 anrchitectures, I did not try other. This denial completly breaks system after second try of "pm-suspend" Raw Audit Messages: host=dhcp-29-235.brq.redhat.com type=AVC msg=audit(1305794628.39:17): avc: denied { write } for pid=5540 comm="restorecon" path="/var/log/pm/suspend.log" dev=dm-0 ino=98324 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:hald_log_t:s0 tclass=file host=dhcp-29-235.brq.redhat.com type=AVC msg=audit(1305794628.39:17): avc: denied { write } for pid=5540 comm="restorecon" path="/var/log/pm/suspend.log" dev=dm-0 ino=98324 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:hald_log_t:s0 tclass=file host=dhcp-29-235.brq.redhat.com type=SYSCALL msg=audit(1305794628.39:17): arch=c000003e syscall=59 success=yes exit=0 a0=3b597b0 a1=3b21220 a2=3b5a6e0 a3=8 items=0 ppid=5531 pid=5540 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/restorecon" subj=system_u:system_r:restorecon_t:s0 key=(null)
Did you modify /usr/lib/pm-utils/bin/pm-action script? Also # rpm -q pm-utils
This happens on clean install with default packages selected to be installed so no, I did not change anything. I tried it on freshly installed RHEL 5.6 and it does not happen there. The version of pm-utils package is in comment 0, but again: pm-utils-0.99.3-10.el5
Does it work for you in permissive mode? # setenforce 0 # pm-suspend I don't think this is a SELinux issue.
The log file should be opened for append not write.
Created attachment 501984 [details] messages log (In reply to comment #3) > Does it work for you in permissive mode? > > # setenforce 0 > # pm-suspend > > I don't think this is a SELinux issue. No, it does not work. I am not sure if this is a SELinux issue either, but the SELinux denial message is the only thing that appears, before the system completely breaks up. I am adding as an attachment related part of /var/log/messages log, hope it helps identify the problem.
Created attachment 502000 [details] Backported patch Please try the attached patch, it should append to log instead of write. Scratch build with this patch applied: https://brewweb.devel.redhat.com/taskinfo?taskID=3359199
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.7 and Red Hat does not plan to fix this issue the currently developed update. Contact your manager or support representative in case you need to escalate this bug.
I am unable to reproduce with recent version of packages: selinux-policy-2.4.6-316.el5 pm-utils-0.99.3-10.el5 SELinux enforcing mode, five successful suspends in a row, no AVC.