Description of problem:
When selinux is in enforcing mode and the power button is pressed, the script "/etc/acpi/actions/power.sh" does not suspend the machine. The default command in power.sh is "shutdown -h now" - that does work also in enforcing mode.

Version-Release number of selected component (if applicable):
acpid 2.0.11-1.fc16.x86_64
pm-utils 1.4.1-12.fc16.x86_64
selinux-policy 3.10.0-51.fc16.x86_64
selinux-policy-targeted 3.10.0-51.fc16.x86_64

How reproducible:
Every time the power button is pressed.

Steps to Reproduce:
1. install acpid
2. change 'shutdown -h now' to '/usr/sbin/pm-suspend' in '/etc/acpi/actions/power.sh'
3. reboot (or start acpid service)
4. press power button

Actual results:
nothing happens

Expected results:
machine goes into suspend mode

Additional info:
if you call 'setenforce 0' as root the machine does suspend when the power button is pressed
What AVC are you getting?

# ausearch -m avc
Created attachment 532133 [details]
output of 'ausearch -m avc'
did not find any avc's of today, but it consistently fails to suspend with "setenforce 1". I'm running in permissive mode right now, so it doesn't hurt too much.

Thanks, Carsten
allow lldpad_t initrc_state_t:file { read write };
allow lldpad_t initrc_t:shm { unix_read read write unix_write associate };

Could it be associated with this? What process is running as initrc_t?

ps -eZ | grep initrc_t

If you execute pm-suspend as root does the machine suspend?
Yes pm-suspend called by root does suspend the machine even if setenforce=1
ps -eZ | grep initrc_t yields nothing
Is your machine set up to suspend on closing of the laptop lid? If yes could you execute

# semodule -DB
# setenforce 1

Close lid, open the lid and run

# ausearch -m avc -ts recent

And see if there is anything that looks like it blocked suspend.

# semodule -B

Will turn off dontaudit rules.
It's a plain desktop actually, so no lid. Are there other steps I should try?

Carsten
Well, when it attempts to go to sleep see if there are any AVC's. I am not sure if there is a way to force an F16 machine to go to sleep from the desktop.
I'll try tonight, but as far as I remember choosing 'Suspend' from the user menu did work in any case, only the power button does not work in enforced mode.
calling 'pm-suspend' as non-root is not possible. But choosing 'suspend' from users menu works.
If you hit the power button and you have dontaudit rules turned off, are you getting any AVC messages?
Hi, with semodule -DB and setenforce 1 there are no avcs.
Maybe my avc auditing does not work, because I have not a single entry with a timestamp after my update to F-16. I used a simple 'yum update' to do the update. So we should get the selinux auditing working first, or verify whether it is working or not.
systemctl enable auditd
systemctl start auditd
ok here we go... had to be 'auditd.service' actually, but right after starting the daemon an avc popped up in sealert:

SELinux is preventing /bin/mkdir from search access on the directory pm-utils.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mkdir should be allowed search access on the pm-utils directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mkdir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  system_u:system_r:apmd_t:s0
Zielkontext                   system_u:object_r:devicekit_var_run_t:s0
Zielobjekte                   pm-utils [ dir ]
Quelle                        mkdir
Quellpfad                     /bin/mkdir
Port                          <Unbekannt>
Host                          m7
RPM-Pakete der Quelle         bash-4.2.10-4.fc16
RPM-Pakete des Ziels
Richtlinien-RPM               selinux-policy-3.10.0-54.fc16
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Rechnername                   m7
Plattform                     Linux m7 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1 21:10:48 UTC 2011 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Fr 11 Nov 2011 22:55:25 CET
Zuletzt gesehen               Fr 11 Nov 2011 22:55:25 CET
Lokale ID                     2ceaccc3-2e64-4c8e-99a7-d4cab48d617b

Raw-Audit-Meldungen
type=AVC msg=audit(1321048525.73:8): avc: denied { search } for pid=2153 comm="pm-suspend" name="pm-utils" dev=tmpfs ino=20021 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=dir

type=SYSCALL msg=audit(1321048525.73:8): arch=x86_64 syscall=open success=no exit=EACCES a0=e18600 a1=0 a2=1b6 a3=73012d016d017001 items=0 ppid=2146 pid=2153 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pm-suspend exe=/bin/bash subj=system_u:system_r:apmd_t:s0 key=(null)

Hash: mkdir,apmd_t,devicekit_var_run_t,dir,search

audit2allow

#============= apmd_t ==============
allow apmd_t devicekit_var_run_t:dir search;

audit2allow -R

#============= apmd_t ==============
allow apmd_t devicekit_var_run_t:dir search;
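The audit2allow output at the end of that sealert report is derived mechanically from the raw AVC record: source type, target type, object class and the denied permission set. As an added illustration (not part of this bug report, of Fedora's policy, or of the audit2allow tool itself), here is a small Python parser that pulls those fields out of audit.log AVC lines and merges them into the same allow-rule form; the first sample record is the denial from this bug, the second "write" denial is constructed to show how permissions for one type pair are merged.

```python
import re
from collections import defaultdict

# Constructed sample audit records: the first AVC line is the denial reported in
# this bug; the second AVC record (a "write" denial with the same contexts) is
# constructed here only to show how permissions on one type pair are merged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1321048525.73:8): avc:  denied  { search } for  pid=2153 comm="pm-suspend" name="pm-utils" dev=tmpfs ino=20021 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1321048525.73:8): arch=x86_64 syscall=open success=no exit=EACCES comm=pm-suspend exe=/bin/bash
type=AVC msg=audit(1321048530.11:9): avc:  denied  { write } for  pid=2160 comm="pm-suspend" name="pm-utils" dev=tmpfs ino=20021 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=dir
"""

# The fields audit2allow needs from one AVC record: permissions, both contexts, class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type (third colon-separated field) of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) for every denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial of their own
        src = selinux_type(m.group("scontext"))
        tgt = selinux_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def allow_rules(log_text):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perm in parse_avc_denials(log_text):
        merged[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against only the first sample line it reproduces the rule shown in the sealert output, `allow apmd_t devicekit_var_run_t:dir search;`; whether such a rule belongs in the distribution policy or in a local module is the judgement call the maintainers make in the comments that follow.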
Created attachment 533179 [details]
ausearch -m avc -ts recent

Got some more avcs
Miroslav, this patch should fix the problem: 30a07bfe2083575b5ee4863f1aa624109510f99d
Fixed in selinux-policy-3.10.0-56.fc16
selinux-policy-3.10.0-56.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16
Package selinux-policy-3.10.0-56.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-56.fc16'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16003/selinux-policy-3.10.0-56.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-56.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.