Bug 826412 - SELinux is preventing acpid from read access on the lnk_file /var/lock.
Summary: SELinux is preventing acpid from read access on the lnk_file /var/lock.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-30 07:05 UTC by Germano Massullo
Modified: 2012-05-30 13:08 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-30 13:08:02 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Germano Massullo 2012-05-30 07:05:55 UTC 
Description of problem:
After I upgraded to Fedora 17, I started having the following warning


SELinux is preventing acpid from read access on the lnk_file /var/lock.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If si desidera sistemare l'etichetta. 
L'etichetta predefinita di /var/lock dovrebbe essere var_lock_t.
Then è possibile avviare restorecon.
Do
# /sbin/restorecon -v /var/lock

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow acpid to have read access on the lock lnk_file
Then e' necessario modificare l'etichetta su /var/lock
Do
# semanage fcontext -a -t TIPO_FILE '/var/lock'
dove TIPO_FILE è uno dei seguenti: var_run_t, mta_exec_type, device_t, etc_runtime_t, domain, abrt_t, ld_so_t, lib_t, proc_t, root_t, udev_var_run_t, exec_type, modules_conf_t, var_run_t, var_run_t, textrel_shlib_t, rpm_script_tmp_t, cgroup_t, device_t, devlog_t, hwdata_t, locale_t, var_lock_t, apmd_t, bin_t, etc_t, init_t, ld_so_t, lib_t, proc_t, sysfs_t, udev_t, var_run_t, cert_t, etc_t, device_t, var_run_t, var_run_t, var_run_t, cgroup_t, init_t, init_t. 
Quindi eseguire: 
restorecon -v '/var/lock'


*****  Plugin catchall (1.44 confidence) suggests  ***************************

If si crede che acpid dovrebbe avere possibilità di accesso read sui lock lnk_file in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep acpid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apmd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/lock [ lnk_file ]
Source                        acpid
Source Path                   acpid
Port                          <Sconosciuto>
Host                          Portatile
Source RPM Packages           
Target RPM Packages           filesystem-3-2.fc17.i686
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Portatile
Platform                      Linux Portatile 3.3.7-1.fc17.i686 #1 SMP Mon May
                              21 22:50:24 UTC 2012 i686 i686
Alert Count                   2
First Seen                    mer 30 mag 2012 08:58:14 CEST
Last Seen                     mer 30 mag 2012 08:58:14 CEST

Raw Audit Messages
type=AVC msg=audit(1338361094.518:69): avc:  denied  { read } for  pid=670 comm="acpid" name="lock" dev="dm-0" ino=8575 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


Hash: acpid,apmd_t,var_t,lnk_file,read

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Daniel Walsh 2012-05-30 13:08:02 UTC 
The tool told you what to do.

restorecon -v /var/lock
Note You need to log in before you can comment on or make changes to this bug.