acpid

Matthew Saltzman mjs at ces.clemson.edu
Mon Sep 26 20:44:23 UTC 2005


Should this have been fixed in selinux-policy-targeted-1.27.1-2.2, or is 
that still behind the Rawhide one?

This works from console but not from Fn-F3.

Thanks.

script:
#!/bin/sh

if [ "$(/usr/sbin/radeontool light)" = "The radeon backlight looks on" ]; 
then
   /usr/sbin/radeontool light off
else
   /usr/sbin/radeontool light on
fi


acpid.log:
---------
[Mon Sep 26 16:37:59 2005] received event "ibm/hotkey HKEY 00000080 00001003"
[Mon Sep 26 16:37:59 2005] notifying client 3001[500:500]
[Mon Sep 26 16:37:59 2005] executing action "/etc/acpi/actions/Fn-F3.sh"
[Mon Sep 26 16:37:59 2005] BEGIN HANDLER MESSAGES
can't open /dev/mem
Are you root?
can't open /dev/mem
Are you root?
[Mon Sep 26 16:37:59 2005] END HANDLER MESSAGES
[Mon Sep 26 16:37:59 2005] action exited with status 255
[Mon Sep 26 16:37:59 2005] completed event "ibm/hotkey HKEY 00000080 00001003"


audit.log:
---------
type=AVC msg=audit(1127767197.001:907558): avc:  denied  { read write } for  pid=6106 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.001:907558): arch=40000003 syscall=5 success=no exit=-13 a0=8049c06 a1=2 a2=bfca76e8 a3=bfca72f8 items=1 pid=6106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=CWD msg=audit(1127767197.001:907558):  cwd="/"
type=PATH msg=audit(1127767197.001:907558): item=0 name="/dev/mem" flags=101  inode=901 dev=00:0d mode=020640 ouid=0 ogid=9 rdev=01:01
type=AVC msg=audit(1127767197.066:908249): avc:  denied  { read write } for  pid=6108 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.066:908249): arch=40000003 syscall=5 success=no exit=-13 a0=8049c06 a1=2 a2=bf952a78 a3=bf952688 items=1 pid=6108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=CWD msg=audit(1127767197.066:908249):  cwd="/"
type=PATH msg=audit(1127767197.066:908249): item=0 name="/dev/mem" flags=101  inode=901 dev=00:0d mode=020640 ouid=0 ogid=9 rdev=01:01



On Mon, 26 Sep 2005, Daniel J Walsh wrote:

> Stephen Smalley wrote:
>
>> On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
>> 
>>> Can nobody here help with this (and if not, where could I go for 
>>> assistance)?  selinux-policy-targeted-1.27.1-2.1 does not solve the 
>>> problem.
>>> 
>> 
>> From the audit messages you posted, I would have expected that:
>> - a new type would have been assigned to /usr/share/hwdata, and apmd_t
>> would have been allowed to read it.
>> 
> I am making this change.
>
>> - tmp_domain(apmd_t) would have been added to enable it to create its
>> own temporary files under /tmp without disturbing anyone else's
>> temporary files.
>> 
>> Looking at the latest rawhide targeted policy (1.27.1-5), it looks like
>> the tmp_domain() has been added, it has been directly allowed to read
>> usr_t (which I would have preferred not doing) and it has been made
>> unconfined in targeted policy (which seems overkill).  So I would expect
>> your scripts to work just fine with that policy, even though I'd still
>> favor adding a new type for /usr/share/hwdata and not making apmd_t
>> completely unconfined.
>> 
>> 
> The problem is there is no standard scripts for this yet.  Trying to lock 
> down acpid is a moving target at this time, until the distros settle on a 
> standard way of doing this.  So until then it is better to run unconfined. 
> If in FC5 timeframe a standard
> develops in Fedora, I will make the policy work and remove the 
> unconfined_domain.
>
>
>

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
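As an added example (not code from the thread or from the Fedora policy), a small Python parser for AVC records like the ones quoted above: it groups denials by source type, target type and object class, unions the denied permissions, and renders the allow rule that audit2allow would propose, which makes it plain that the hotkey script fails because radeontool inherits the apmd_t domain from acpid and that domain has no read/write on memory_device_t. The sample log below is constructed from the two records in the message, re-joined onto single lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two AVC records from the message (plus one SYSCALL
# line, which the parser must skip), re-joined onto single lines.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1127767197.001:907558): avc:  denied  { read write } for  pid=6106 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.001:907558): arch=40000003 syscall=5 success=no exit=-13 a0=8049c06 a1=2 a2=bfca76e8 a3=bfca72f8 items=1 pid=6106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=AVC msg=audit(1127767197.066:908249): avc:  denied  { read write } for  pid=6108 comm="radeontool" name="mem" dev=tmpfs ino=901 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
"""

# Fixed prefix of an AVC record; the trailing key=value pairs vary by class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': m['ts'], 'serial': m['serial'], 'result': m['result'],
           'perms': m['perms'].split()}
    for key, val in KV_RE.findall(m['rest']):
        rec[key] = val.strip('"')  # comm="radeontool" -> radeontool
    return rec


def summarize_denials(log_text):
    """Group denials by (source type, target type, class); union the perms."""
    groups, counts = defaultdict(set), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        stype = rec['scontext'].split(':')[2]   # user:role:type[:level]
        ttype = rec['tcontext'].split(':')[2]
        key = (stype, ttype, rec['tclass'])
        groups[key].update(rec['perms'])
        counts[key] += 1
    return {k: (counts[k], sorted(v)) for k, v in groups.items()}


def allow_rule(key, perms):
    """Render the rule audit2allow would propose for one denial group."""
    stype, ttype, tclass = key
    return f'allow {stype} {ttype}:{tclass} {{ {" ".join(perms)} }};'
```

The rendered rule only says what would silence the denial; whether a daemon domain should be granted /dev/mem at all is the policy judgement the quoted discussion is about, and the safer fix is usually the confined alternative rather than an unconfined domain.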