Bug 826412 - SELinux is preventing acpid from read access on the lnk_file /var/lock.
SELinux is preventing acpid from read access on the lnk_file /var/lock.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-30 03:05 EDT by Germano Massullo
Modified: 2012-05-30 09:08 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-30 09:08:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Germano Massullo 2012-05-30 03:05:55 EDT
Description of problem:
After I upgraded to Fedora 17, I started having the following warning


SELinux is preventing acpid from read access on the lnk_file /var/lock.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If si desidera sistemare l'etichetta. 
L'etichetta predefinita di /var/lock dovrebbe essere var_lock_t.
Then è possibile avviare restorecon.
Do
# /sbin/restorecon -v /var/lock

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow acpid to have read access on the lock lnk_file
Then e' necessario modificare l'etichetta su /var/lock
Do
# semanage fcontext -a -t TIPO_FILE '/var/lock'
dove TIPO_FILE è uno dei seguenti: var_run_t, mta_exec_type, device_t, etc_runtime_t, domain, abrt_t, ld_so_t, lib_t, proc_t, root_t, udev_var_run_t, exec_type, modules_conf_t, var_run_t, var_run_t, textrel_shlib_t, rpm_script_tmp_t, cgroup_t, device_t, devlog_t, hwdata_t, locale_t, var_lock_t, apmd_t, bin_t, etc_t, init_t, ld_so_t, lib_t, proc_t, sysfs_t, udev_t, var_run_t, cert_t, etc_t, device_t, var_run_t, var_run_t, var_run_t, cgroup_t, init_t, init_t. 
Quindi eseguire: 
restorecon -v '/var/lock'


*****  Plugin catchall (1.44 confidence) suggests  ***************************

If si crede che acpid dovrebbe avere possibilità di accesso read sui lock lnk_file in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep acpid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apmd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/lock [ lnk_file ]
Source                        acpid
Source Path                   acpid
Port                          <Sconosciuto>
Host                          Portatile
Source RPM Packages           
Target RPM Packages           filesystem-3-2.fc17.i686
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Portatile
Platform                      Linux Portatile 3.3.7-1.fc17.i686 #1 SMP Mon May
                              21 22:50:24 UTC 2012 i686 i686
Alert Count                   2
First Seen                    mer 30 mag 2012 08:58:14 CEST
Last Seen                     mer 30 mag 2012 08:58:14 CEST

Raw Audit Messages
type=AVC msg=audit(1338361094.518:69): avc:  denied  { read } for  pid=670 comm="acpid" name="lock" dev="dm-0" ino=8575 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


Hash: acpid,apmd_t,var_t,lnk_file,read

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Daniel Walsh 2012-05-30 09:08:02 EDT
The tool told you what to do.

restorecon -v /var/lock

Note You need to log in before you can comment on or make changes to this bug.