Created attachment 658745
audit.log entries for suspend with enforcing disabled

Description of problem:
The Xfce Suspend button does not work in Fedora 18 Beta with SELinux running in enforcing mode.

Version-Release number of selected component (if applicable):
Fedora 18 Beta with:
xfce4-session-engines-4.10.0-4.fc18.x86_64
xfce4-appfinder-4.10.0-3.fc18.x86_64
xfce4-panel-devel-4.10.0-2.fc18.x86_64
xfce4-icon-theme-4.4.3-7.fc18.noarch
libxfce4util-devel-4.10.0-2.fc18.x86_64
libxfcegui4-4.10.0-3.fc18.x86_64
im-chooser-xfce-1.6.2-1.fc18.x86_64
xfce4-power-manager-1.2.0-2.fc18.x86_64
libxfce4util-4.10.0-2.fc18.x86_64
xfce4-mixer-4.10.0-1.fc18.x86_64
xfce4-session-4.10.0-4.fc18.x86_64
xfce4-settings-4.10.0-3.fc18.x86_64
libxfcegui4-devel-4.10.0-3.fc18.x86_64
imsettings-xfce-1.5.0-2.fc18.x86_64
libxfce4ui-devel-4.10.0-3.fc18.x86_64
xfce4-panel-4.10.0-2.fc18.x86_64
gtk-xfce-engine-3.0.1-1.fc18.x86_64
libxfce4ui-4.10.0-3.fc18.x86_64
selinux-policy-3.11.1-59.fc18.noarch
selinux-policy-targeted-3.11.1-59.fc18.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 18 with Xfce
2. Try to suspend using the Suspend button on the Logout menu.

Actual results:
The Suspend button seems to do some things, like shut down eth0, but the system stays up and starts acting unresponsive and 'weird'. If I ctrl-alt-f2 I can reboot and it works normally again.

Expected results:
Suspend works properly.

Additional info:
The relevant part of my audit.log is attached. The Xfce Suspend button works if SELinux is in permissive. Running audit2allow against the log attached creates a module that allows suspend to work properly with SELinux in enforcing.
module xfcesuspend 1.0;

require {
	type ifconfig_t;
	type devicekit_power_t;
	type firewalld_t;
	type rpm_t;
	type devicekit_var_run_t;
	type dhcpc_t;
	type iptables_t;
	type system_dbusd_t;
	class process { siginh noatsecure rlimitinh };
	class dbus send_msg;
	class file read;
}

#============= dhcpc_t ==============
allow dhcpc_t devicekit_var_run_t:file read;

#============= firewalld_t ==============
allow firewalld_t devicekit_power_t:dbus send_msg;
allow firewalld_t iptables_t:process { siginh rlimitinh noatsecure };

#============= ifconfig_t ==============
allow ifconfig_t devicekit_var_run_t:file read;

#============= system_dbusd_t ==============
allow system_dbusd_t rpm_t:process { siginh rlimitinh noatsecure };
Does it work with only this rule?

allow firewalld_t devicekit_power_t:dbus send_msg;
Yes, I just remade the module with only this rule and it appears to work properly with it alone.
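The narrowing done in the two comments above, from the full audit2allow output down to a single rule, shown as an added example that is not part of the original bug report. It groups denials by source type, target type and class, then emits a module whose require block covers only one chosen rule. The log lines are constructed samples, not the attached audit.log, and the module name xfcesuspend_min is hypothetical.

```python
import re

# Constructed sample denials (not the attached audit.log), shaped like kernel
# AVC and dbus-daemon USER_AVC records for types named in this report.
SAMPLE_LOG = """\
type=AVC msg=audit(1354000001.101:201): avc:  denied  { read } for  pid=2101 comm="ifconfig" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:devicekit_var_run_t:s0 tclass=file
type=USER_AVC msg=audit(1354000001.150:202): pid=600 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.10 spid=700 tpid=800 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:devicekit_power_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1354000001.200:203): avc:  denied  { siginh } for  pid=2102 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1354000001.200:204): avc:  denied  { noatsecure } for  pid=2102 comm="iptables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=SYSCALL msg=audit(1354000001.200:204): arch=c000003e syscall=59 success=yes
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\w+)")

def parse_denials(log):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    denials = {}
    for line in log.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # not a denial record, e.g. SYSCALL
        perms, scon, tcon, tclass = m.groups()
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)  # user:role:type:level
        denials.setdefault(key, set()).update(perms.split())
    return denials

def _perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def allow_rule(key, perms):
    src, tgt, tclass = key
    return f"allow {src} {tgt}:{tclass} {_perms(perms)};"

def single_rule_module(name, key, perms):
    """Policy module source that requires only what this one rule needs."""
    src, tgt, tclass = key
    types = "".join(f"\ttype {t};\n" for t in dict.fromkeys((src, tgt)))
    return (f"module {name} 1.0;\n\nrequire {{\n{types}"
            f"\tclass {tclass} {_perms(perms)};\n}}\n\n{allow_rule(key, perms)}\n")

if __name__ == "__main__":
    for key, perms in parse_denials(SAMPLE_LOG).items():
        print(allow_rule(key, perms))
```

Loading one rule at a time this way shows which denial actually blocks the operation, so the rest of the generated rules never need to be granted.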
Fixed in selinux-policy-3.11.1-61.fc18.noarch
selinux-policy-3.11.1-62.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-62.fc18
Package selinux-policy-3.11.1-62.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-62.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20203/selinux-policy-3.11.1-62.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.