acpid avcs

Daniel J Walsh dwalsh at redhat.com
Tue Dec 27 20:34:01 UTC 2005


Tom London wrote:
> On 12/25/05, Tom London <selinux at gmail.com> wrote:
>   
>> On 12/24/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>     
>>> Steve G wrote:
>>>       
>>>> Hi...from my logs:
>>>>
>>>> type=PATH msg=audit(12/23/2005 10:36:04.030:20507) : item=0 name=(null)
>>>> inode=14909846 dev=03:07 mode=socket,666 ouid=root ogid=root rdev=00:00
>>>> obj=system_u:object_r:var_run_t:s0
>>>> type=SOCKADDR msg=audit(12/23/2005 10:36:04.030:20507) : saddr=local
>>>> /var/run/acpid.socket
>>>> type=SYSCALL msg=audit(12/23/2005 10:36:04.030:20507) : arch=x86_64
>>>> syscall=connect success=no exit=-13(Permission denied) a0=4 a1=7fffffbf25c0
>>>> a2=6e a3=7fffffbf2428 items=1 pid=2242 auid=unknown(4294967295) uid=root
>>>> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
>>>> comm=hald-addon-acpi exe=/usr/libexec/hald-addon-acpi
>>>> subj=system_u:system_r:hald_t:s0
>>>> type=AVC msg=audit(12/23/2005 10:36:04.030:20507) : avc:  denied  { write }
>>>> for pid=2242 comm=hald-addon-acpi name=acpid.socket dev=hda7 ino=14909846
>>>> scontext=system_u:system_r:hald_t:s0 context=system_u:object_r:var_run_t:s0
>>>> tclass=sock_file
>>>>
>>>> This just scrolls for hours and hours...
>>>>
>>>>
>>>>         
>>> You have a mislabeled socket file in /var/run.
>>>
>>> restorecon -v /var/run/acpid.socket
>>> ls -lZ /var/run/acpid.socket
>>> srw-rw-rw- root root system_u:object_r:apmd_var_run_t /var/run/acpid.socket
>>>
>>>       
>>>> -Steve
>>>>
>>>>         
>> Uhhh, a bit more here:  I get many 100s of these (while running latest
>> rawhide, targeted/enforcing):
>> ----
>> type=PATH msg=audit(12/25/2005 11:15:38.770:1619) : item=0
>> flags=follow inode=2142287 dev=fd:00 mode=socket,666 ouid=root
>> ogid=root rdev=00:00
>> type=SOCKETCALL msg=audit(12/25/2005 11:15:38.770:1619) : nargs=3 a0=4
>> a1=bffabfb6 a2=6e
>> type=SOCKADDR msg=audit(12/25/2005 11:15:38.770:1619) : saddr=local
>> /var/run/acpid.socket
>> type=AVC_PATH msg=audit(12/25/2005 11:15:38.770:1619) :
>> path=/var/run/acpid.socket
>> type=SYSCALL msg=audit(12/25/2005 11:15:38.770:1619) : arch=i386
>> syscall=socketcall(connect) success=no exit=-13(Permission denied)
>> a0=3 a1=bffabf80 a2=4 a3=989d030 items=1 pid=2719
>> auid=unknown(4294967295) uid=root gid=root euid=root suid=root
>> fsuid=root egid=root sgid=root fsgid=root comm=hald-addon-acpi
>> exe=/usr/libexec/hald-addon-acpi
>> type=AVC msg=audit(12/25/2005 11:15:38.770:1619) : avc:  denied  {
>> connectto } for  pid=2719 comm=hald-addon-acpi name=acpid.socket
>> scontext=system_u:system_r:hald_t:s0
>> tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
>> ----
>> type=PATH msg=audit(12/25/2005 11:15:43.774:1620) : item=0
>> flags=follow inode=2142287 dev=fd:00 mode=socket,666 ouid=root
>> ogid=root rdev=00:00
>> type=SOCKETCALL msg=audit(12/25/2005 11:15:43.774:1620) : nargs=3 a0=4
>> a1=bffabfb6 a2=6e
>> type=SOCKADDR msg=audit(12/25/2005 11:15:43.774:1620) : saddr=local
>> /var/run/acpid.socket
>> type=AVC_PATH msg=audit(12/25/2005 11:15:43.774:1620) :
>> path=/var/run/acpid.socket
>> type=SYSCALL msg=audit(12/25/2005 11:15:43.774:1620) : arch=i386
>> syscall=socketcall(connect) success=no exit=-13(Permission denied)
>> a0=3 a1=bffabf80 a2=4 a3=989d030 items=1 pid=2719
>> auid=unknown(4294967295) uid=root gid=root euid=root suid=root
>> fsuid=root egid=root sgid=root fsgid=root comm=hald-addon-acpi
>> exe=/usr/libexec/hald-addon-acpi
>> type=AVC msg=audit(12/25/2005 11:15:43.774:1620) : avc:  denied  {
>> connectto } for  pid=2719 comm=hald-addon-acpi name=acpid.socket
>> scontext=system_u:system_r:hald_t:s0
>> tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
>>
>> Strange thing is, /var/run/acpid.socket is NOT labeled crond_t, but
>> apmd_var_run_t:
>> [root at tlondon ~]# ls -lZ /var/run/acpi*
>> srw-rw-rw-  root     root     system_u:object_r:apmd_var_run_t
>> /var/run/acpid.socket
>> [root at tlondon ~]#
>>
>>     
> A bit more on this:
>
> [root at tlondon ~]# ps gaxZ | grep crond_t
> system_u:system_r:crond_t:SystemLow-SystemHigh 2639 ? Ss   0:00 crond
> system_u:system_r:crond_t:SystemLow-SystemHigh 2656 ? Ss   0:00 /usr/sbin/atd
> system_u:system_r:crond_t        4295 ?        SNs    0:00 /usr/sbin/acpid
> system_u:system_r:crond_t        4307 ?        SNs    0:00 cupsd
> [root at tlondon ~]#
>
> Should acpid and cupsd be running as crond_t?
>
> [root at tlondon ~]# ls -lZ /usr/sbin/acpid
> -rwxr-x---  root     root     system_u:object_r:apmd_exec_t    /usr/sbin/acpid
> [root at tlondon ~]# ls -lZ /usr/sbin/cupsd
> -rwxr-xr-x  root     root     system_u:object_r:cupsd_exec_t   /usr/sbin/cupsd
> [root at tlondon ~]#
>
> Is there a missing transition (or some such)?
> tom
> --
> Tom London
>
Fixed in selinux-policy-*-2.1.6-17.noarch.rpm
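
The following is an added example, not part of the original thread or of any SELinux tool: a small triage script that collapses a flood of repeated AVC denials and separates the two shapes seen above, a `sock_file` denial (target is the file's label) and a `unix_stream_socket` denial (target is the domain of the process that owns the socket). The function names and the single-line sample records are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records modeled on the two denial shapes in this thread,
# joined onto single lines (the posts show them wrapped by the mail client).
SAMPLE = """\
type=AVC msg=audit(12/23/2005 10:36:04.030:20507) : avc:  denied  { write } for pid=2242 comm=hald-addon-acpi name=acpid.socket dev=hda7 ino=14909846 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(12/25/2005 11:15:38.770:1619) : avc:  denied  { connectto } for  pid=2719 comm=hald-addon-acpi name=acpid.socket scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(12/25/2005 11:15:43.774:1620) : avc:  denied  { connectto } for  pid=2719 comm=hald-addon-acpi name=acpid.socket scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
SOCKET_CLASSES = {"unix_stream_socket", "unix_dgram_socket"}

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["perms"] = tuple(m.group(1).split())
    return fields

def sel_type(context):
    """Extract the type from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def triage(text):
    """Collapse repeated denials and say which label each one points at."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and {"scontext", "tcontext", "tclass"} <= rec.keys():
            counts[(sel_type(rec["scontext"]), sel_type(rec["tcontext"]),
                    rec["tclass"], rec["perms"])] += 1
    report = []
    for (src, tgt, tclass, perms), n in counts.items():
        # For a socket class the target is the peer socket, which carries the
        # domain of the process that created it; otherwise it is a file label.
        check = "process domain" if tclass in SOCKET_CLASSES else "file label"
        report.append({"source": src, "target": tgt, "tclass": tclass,
                       "perms": perms, "count": n, "check": check})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A `file label` row is followed up with `ls -lZ` and `restorecon` on the path; a `process domain` row is followed up by listing process contexts with `ps` and `-Z`, as done in the thread.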
