Bug 751613 - acpid fails to run pm-suspend in enforcing mode
Summary: acpid fails to run pm-suspend in enforcing mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-06 11:04 UTC by cblaauw
Modified: 2011-11-20 23:59 UTC (History)

Fixed In Version: selinux-policy-3.10.0-56.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-20 23:59:45 UTC
Type: ---


Attachments (Terms of Use)
output of 'ausearch -m avc' (593.77 KB, text/x-log)
2011-11-07 20:06 UTC, cblaauw
ausearch -m avc -ts recent (12.71 KB, text/x-log)
2011-11-11 22:05 UTC, cblaauw

Description cblaauw 2011-11-06 11:04:05 UTC
Description of problem:

When SELinux is in enforcing mode, the script "/etc/acpi/actions/power.sh" does not suspend the machine when the power button is pressed.

The default command in power.sh is "shutdown -h now" - that also works in enforcing mode.


Version-Release number of selected component (if applicable):
acpid 2.0.11-1.fc16.x86_64
pm-utils 1.4.1-12.fc16.x86_64
selinux-policy 3.10.0-51.fc16.x86_64
selinux-policy-targeted 3.10.0-51.fc16.x86_64



How reproducible:
Every time power button is pressed.



Steps to Reproduce:
1. install acpid
2. change 'shutdown -h now' to '/usr/sbin/pm-suspend' in '/etc/acpi/actions/power.sh'
3. reboot (or start acpid service)
4. press power button
  
Actual results:

nothing happens

Expected results:

machine goes into suspend mode

Additional info:

If you call 'setenforce 0' as root, the machine does suspend when the power button is pressed.

Comment 1 Miroslav Grepl 2011-11-07 10:58:16 UTC
What AVC are you getting?

# ausearch -m avc

Comment 2 cblaauw 2011-11-07 20:06:32 UTC
Created attachment 532133 [details]
output of 'ausearch -m avc'

Comment 3 cblaauw 2011-11-07 20:08:46 UTC
Did not find any AVCs from today, but it consistently fails to suspend with "setenforce 1".

I'm running in permissive mode right now, so it doesn't hurt too much.

Thanks,


Carsten

Comment 4 Daniel Walsh 2011-11-07 21:32:40 UTC
allow lldpad_t initrc_state_t:file { read write };
allow lldpad_t initrc_t:shm { unix_read read write unix_write associate };


Could it be associated with this?  What process is running as initrc_t?

ps -eZ | grep initrc_t

If you execute pm-suspend as root does the machine suspend?

Comment 5 cblaauw 2011-11-07 21:40:22 UTC
Yes, pm-suspend called by root does suspend the machine even if setenforce=1.

Comment 6 cblaauw 2011-11-07 21:41:35 UTC
ps -eZ | grep initrc_t yields nothing

Comment 7 Daniel Walsh 2011-11-07 21:51:59 UTC
Is your machine set up to suspend on closing of the laptop lid?

If yes could you execute 

# semodule -DB
# setenforce 1
Close lid,

Open the lid and run
# ausearch -m avc -ts recent

And see if there is anything that looks like it blocked suspend.

# semodule -B

Will turn off dontaudit rules.

Comment 8 cblaauw 2011-11-08 06:29:09 UTC
It's a plain desktop actually, so no lid. Are there other steps I should try?


Carsten

Comment 9 Daniel Walsh 2011-11-08 17:13:15 UTC
Well, when it attempts to go to sleep, see if there are any AVCs. I am not sure if there is a way to force an F16 machine to go to sleep from the desktop.

Comment 10 cblaauw 2011-11-09 09:08:59 UTC
I'll try tonight, but as far as I remember choosing 'Suspend' from the user menu did work in any case, only the power button does not work in enforced mode.

Comment 11 cblaauw 2011-11-10 21:33:32 UTC
Calling 'pm-suspend' as non-root is not possible. But choosing 'suspend' from the user's menu works.

Comment 12 Daniel Walsh 2011-11-11 15:45:19 UTC
If you hit the power button and you have dontaudit rules turned off, are you getting any AVC messages?

Comment 13 cblaauw 2011-11-11 21:33:15 UTC
Hi,

with semodule -DB and setenforce 1 there are no avcs.

Comment 14 cblaauw 2011-11-11 21:38:24 UTC
Maybe my AVC auditing does not work, because I do not have a single entry with a timestamp after my update to F-16. I used a simple 'yum update' to do the update.

So we should get the SELinux auditing working first, or verify whether it is working or not.

Comment 15 Daniel Walsh 2011-11-11 21:49:17 UTC
systemctl enable auditd
systemctl start auditd

Comment 16 cblaauw 2011-11-11 21:58:06 UTC
ok here we go...

It had to be 'auditd.service' actually, but right after starting the daemon an AVC popped up in sealert:

SELinux is preventing /bin/mkdir from search access on the directory pm-utils.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mkdir should be allowed search access on the pm-utils directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  system_u:system_r:apmd_t:s0
Zielkontext                   system_u:object_r:devicekit_var_run_t:s0
Zielobjekte                   pm-utils [ dir ]
Quelle                        mkdir
Quellpfad                     /bin/mkdir
Port                          <Unbekannt>
Host                          m7
RPM-Pakete der Quelle         bash-4.2.10-4.fc16
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.10.0-54.fc16
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Rechnername                   m7
Plattform                     Linux m7 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1
                              21:10:48 UTC 2011 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Fr 11 Nov 2011 22:55:25 CET
Zuletzt gesehen               Fr 11 Nov 2011 22:55:25 CET
Lokale ID                     2ceaccc3-2e64-4c8e-99a7-d4cab48d617b

Raw-Audit-Meldungen
type=AVC msg=audit(1321048525.73:8): avc:  denied  { search } for  pid=2153 comm="pm-suspend" name="pm-utils" dev=tmpfs ino=20021 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1321048525.73:8): arch=x86_64 syscall=open success=no exit=EACCES a0=e18600 a1=0 a2=1b6 a3=73012d016d017001 items=0 ppid=2146 pid=2153 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pm-suspend exe=/bin/bash subj=system_u:system_r:apmd_t:s0 key=(null)

Hash: mkdir,apmd_t,devicekit_var_run_t,dir,search

audit2allow

#============= apmd_t ==============
allow apmd_t devicekit_var_run_t:dir search;

audit2allow -R

#============= apmd_t ==============
allow apmd_t devicekit_var_run_t:dir search;

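The sealert output above ends with the rule audit2allow derives from the raw AVC record: source type and target type are taken from the scontext/tcontext fields, the object class from tclass, and the permission from the braces after "denied". As an added illustration (not code from this bug report or from the audit2allow tool itself), the following Python script does that derivation on AVC lines from audit.log and merges denials that share the same (source type, target type, class) triple, the way audit2allow collapses them into one allow rule. The first sample line is the real AVC record from comment 16; the second line and the SYSCALL line are constructed for the example, and the field names and regexes are assumptions about the audit record format, not taken from the thread.

```python
import re
from collections import defaultdict

# Shape of a kernel AVC denial record: "avc:  denied  { perm perm } for  k=v k=v ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be double-quoted (comm="pm-suspend")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: line 1 is the AVC record quoted in comment 16,
# line 2 is a made-up second denial on the same directory to show merging,
# line 3 is a (truncated, made-up) SYSCALL record that must be ignored.
SAMPLE_LOG = [
    'type=AVC msg=audit(1321048525.73:8): avc:  denied  { search } for  pid=2153 '
    'comm="pm-suspend" name="pm-utils" dev=tmpfs ino=20021 '
    'scontext=system_u:system_r:apmd_t:s0 '
    'tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1321048525.80:9): avc:  denied  { write } for  pid=2153 '
    'comm="pm-suspend" name="pm-utils" dev=tmpfs ino=20021 '
    'scontext=system_u:system_r:apmd_t:s0 '
    'tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1321048525.73:8): arch=x86_64 syscall=open success=no',
]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        # permissive=1 means the access was only logged, not blocked
        'permissive': fields.get('permissive') == '1',
    }
    if not (rec['scontext'] and rec['tcontext'] and rec['tclass']):
        return None
    return rec


def context_type(ctx):
    """user:role:type:level -> type (third colon-separated field)."""
    return ctx.split(':')[2]


def allow_rules(lines):
    """Collapse denials into audit2allow-style rules, one per
    (source type, target type, class), with permissions merged and sorted."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']),
               context_type(rec['tcontext']),
               rec['tclass'])
        merged[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Running the script on the sample prints `allow apmd_t devicekit_var_run_t:dir { search write };`. The point of reading the raw record rather than only the generated rule is that the rule hides what actually happened: the scontext shows the denial came from apmd_t (acpid's domain), which is why the same pm-suspend run by root from a shell worked, and which is why the proper fix in comment 19 was a change to the distribution policy for that domain rather than a broad local module.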
Comment 17 cblaauw 2011-11-11 22:05:23 UTC
Created attachment 533179 [details]
ausearch -m avc -ts recent

Got some more avcs

Comment 18 Daniel Walsh 2011-11-11 22:26:18 UTC
Miroslav this patch should fix the problem

30a07bfe2083575b5ee4863f1aa624109510f99d

Comment 19 Miroslav Grepl 2011-11-14 12:54:49 UTC
Fixed in selinux-policy-3.10.0-56.fc16

Comment 20 Fedora Update System 2011-11-16 15:22:09 UTC
selinux-policy-3.10.0-56.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16

Comment 21 Fedora Update System 2011-11-17 23:29:48 UTC
Package selinux-policy-3.10.0-56.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-56.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16003/selinux-policy-3.10.0-56.fc16
then log in and leave karma (feedback).

Comment 22 Fedora Update System 2011-11-20 23:59:45 UTC
selinux-policy-3.10.0-56.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.