acpid avcs

Tom London selinux at gmail.com
Sun Dec 25 19:19:14 UTC 2005


On 12/24/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Steve G wrote:
> > Hi...from my logs:
> >
> > type=PATH msg=audit(12/23/2005 10:36:04.030:20507) : item=0 name=(null)
> > inode=14909846 dev=03:07 mode=socket,666 ouid=root ogid=root rdev=00:00
> > obj=system_u:object_r:var_run_t:s0
> > type=SOCKADDR msg=audit(12/23/2005 10:36:04.030:20507) : saddr=local
> > /var/run/acpid.socket
> > type=SYSCALL msg=audit(12/23/2005 10:36:04.030:20507) : arch=x86_64
> > syscall=connect success=no exit=-13(Permission denied) a0=4 a1=7fffffbf25c0
> > a2=6e a3=7fffffbf2428 items=1 pid=2242 auid=unknown(4294967295) uid=root
> > gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> > comm=hald-addon-acpi exe=/usr/libexec/hald-addon-acpi
> > subj=system_u:system_r:hald_t:s0
> > type=AVC msg=audit(12/23/2005 10:36:04.030:20507) : avc:  denied  { write }
> > for pid=2242 comm=hald-addon-acpi name=acpid.socket dev=hda7 ino=14909846
> > scontext=system_u:system_r:hald_t:s0 context=system_u:object_r:var_run_t:s0
> > tclass=sock_file
> >
> > This just scrolls for hours and hours...
> >
> >
> You have a mislabeled socket file in /var/run.
>
> restorecon -v /var/run/acpid.socket
> ls -lZ /var/run/acpid.socket
> srw-rw-rw- root root system_u:object_r:apmd_var_run_t /var/run/acpid.socket
>
> > -Steve
> >
Uhhh, a bit more here:  I get many 100s of these (while running latest
rawhide, targeted/enforcing):
----
type=PATH msg=audit(12/25/2005 11:15:38.770:1619) : item=0
flags=follow inode=2142287 dev=fd:00 mode=socket,666 ouid=root
ogid=root rdev=00:00
type=SOCKETCALL msg=audit(12/25/2005 11:15:38.770:1619) : nargs=3 a0=4
a1=bffabfb6 a2=6e
type=SOCKADDR msg=audit(12/25/2005 11:15:38.770:1619) : saddr=local
/var/run/acpid.socket
type=AVC_PATH msg=audit(12/25/2005 11:15:38.770:1619) : 
path=/var/run/acpid.socket
type=SYSCALL msg=audit(12/25/2005 11:15:38.770:1619) : arch=i386
syscall=socketcall(connect) success=no exit=-13(Permission denied)
a0=3 a1=bffabf80 a2=4 a3=989d030 items=1 pid=2719
auid=unknown(4294967295) uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root comm=hald-addon-acpi
exe=/usr/libexec/hald-addon-acpi
type=AVC msg=audit(12/25/2005 11:15:38.770:1619) : avc:  denied  {
connectto } for  pid=2719 comm=hald-addon-acpi name=acpid.socket
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
----
type=PATH msg=audit(12/25/2005 11:15:43.774:1620) : item=0
flags=follow inode=2142287 dev=fd:00 mode=socket,666 ouid=root
ogid=root rdev=00:00
type=SOCKETCALL msg=audit(12/25/2005 11:15:43.774:1620) : nargs=3 a0=4
a1=bffabfb6 a2=6e
type=SOCKADDR msg=audit(12/25/2005 11:15:43.774:1620) : saddr=local
/var/run/acpid.socket
type=AVC_PATH msg=audit(12/25/2005 11:15:43.774:1620) : 
path=/var/run/acpid.socket
type=SYSCALL msg=audit(12/25/2005 11:15:43.774:1620) : arch=i386
syscall=socketcall(connect) success=no exit=-13(Permission denied)
a0=3 a1=bffabf80 a2=4 a3=989d030 items=1 pid=2719
auid=unknown(4294967295) uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root comm=hald-addon-acpi
exe=/usr/libexec/hald-addon-acpi
type=AVC msg=audit(12/25/2005 11:15:43.774:1620) : avc:  denied  {
connectto } for  pid=2719 comm=hald-addon-acpi name=acpid.socket
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket

Strange thing is, /var/run/acpid.socket is NOT labeled crond_t, but
apmd_var_run_t:
[root@tlondon ~]# ls -lZ /var/run/acpi*
srw-rw-rw-  root     root     system_u:object_r:apmd_var_run_t /var/run/acpid.socket
[root@tlondon ~]#

tom
--
Tom London
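
Added example, not part of the original message: a small Python parser for interpreted AVC records like those pasted in this thread, which undoes the line wrapping and collapses repeated denials into counts per (source type, target type, class, permissions). The sample input is constructed from the records above (event ids and the third timestamp are made up), and the TARGET_MEANING notes assume standard SELinux semantics: for tclass=sock_file the tcontext is the socket file's label, for tclass=unix_stream_socket it is the label of the listening socket, which comes from the process that created it.

```python
import re
from collections import Counter

# One AVC denial, matched after mail line wrapping has been flattened.
AVC_RE = re.compile(r"avc: denied \{ ?(?P<perms>[^}]*?) ?\} for "
                    r"(?P<fields>.*?)(?= type=| ----|$)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# What tcontext names for the two object classes seen in this thread.
TARGET_MEANING = {
    "sock_file": "label of the socket file inode",
    "unix_stream_socket": "label of the listening socket (from its creating process)",
}

# Constructed sample modelled on the records in the thread.
SAMPLE = """\
type=AVC msg=audit(12/25/2005 11:15:38.770:1) : avc:  denied  {
connectto } for  pid=2719 comm=hald-addon-acpi name=acpid.socket
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(12/25/2005 11:15:38.770:1) : arch=i386 success=no
----
type=AVC msg=audit(12/25/2005 11:15:43.774:2) : avc:  denied  { connectto } for
pid=2719 comm=hald-addon-acpi name=acpid.socket scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
----
type=AVC msg=audit(12/25/2005 11:16:00.000:3) : avc:  denied  { write } for
pid=2242 comm=hald-addon-acpi name=acpid.socket scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

def sel_type(context):  # type field of user:role:type[:level]
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avcs(text):
    records = []
    for m in AVC_RE.finditer(" ".join(text.split())):  # undo wrapping, doubled spaces
        kv = dict(KV_RE.findall(m.group("fields")))
        records.append((sel_type(kv.get("scontext", "?")), sel_type(kv.get("tcontext", "?")),
                        kv.get("tclass", "?"), tuple(m.group("perms").split())))
    return records

def summarize(text):  # collapse repeated denials into counts
    return Counter(parse_avcs(text))

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).most_common():
        print(n, src, "->", tgt, cls, perms, "| target is", TARGET_MEANING.get(cls, "?"))
```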



