SELinux and Thinkpad ACPI (part 2: suspend to RAM)

Matthew Saltzman mjs at ces.clemson.edu
Sun Jul 3 20:47:32 UTC 2005 

The ACPI script that I use to suspend to RAM stopped functioning when
I upgraded to FC4 (worked fine in FC3).  This time
(selinux-policy-targeted-1.23.18-17--forgot to mention that in my
previous message on screen blanking), the script does actually supend
and resume, but it appears not to update the hardware clock.

The suspend script is invoked on Fn-F4 and contains:

     #!/bin/sh
     # test script for measuring power drain during suspend-to-ram with ACPI
     # from http://www.thinkwiki.org
     # Changelog:
     #   added sync before S3
     #   changed sign of difference (positive drain)


     # remove USB for external mouse before sleeping
     if lsmod | grep '^usbhid' >/dev/null ; then
        /sbin/modprobe -r -s usbhid
     fi
     if lsmod | grep '^uhci_hcd' >/dev/null ; then
        /sbin/modprobe -r -s uhci_hcd
     fi
     if lsmod | grep '^ehci_hcd' >/dev/null ; then
        /sbin/modprobe -r -s ehci_hcd
     fi

     hwclock --systohc

     LOG=/var/log/battery.log
     date >> $LOG
     DATE_BEFORE=`date +%s`
     BAT_BEFORE=`grep 'remaining capacity' /proc/acpi/battery/BAT0/state | awk '{print $3}'`
     echo "before: $BAT_BEFORE mWh" >> $LOG

     sync
     echo 3 > /proc/acpi/sleep

     DATE_AFTER=`date +%s`
     BAT_AFTER=`grep 'remaining capacity' /proc/acpi/battery/BAT0/state | awk '{print $3}'`
     echo "after: $BAT_AFTER mWh" >> $LOG

     DIFF=`echo "$BAT_AFTER - $BAT_BEFORE" | bc`
     SECONDS=`echo "$DATE_AFTER - $DATE_BEFORE" | bc`
     echo "diff: $DIFF mWh" >> $LOG
     echo "seconds: $SECONDS sec" >> $LOG
     USAGE=`echo "(-1 * $DIFF * 60 * 60) / ($SECONDS)" | bc`
     echo "result: $USAGE mW" >> $LOG
     if [ $USAGE -lt 1000 ]
     then
         echo "Congratulations, your model seems NOT to be affected." >> $LOG
     else
         echo "Your model seems to be affected." >> $LOG
     fi
     if [ $SECONDS -lt 1200 ]
     then
         echo "!!! The notebook was suspended less than 20 minutes." >> $LOG
         echo "!!! To get representative values please let the notebook sleep" >> $LOG
         echo "!!! for at least 20 minutes." >> $LOG
     fi
     echo "" >> $LOG

     if !(lsmod | grep '^ehci_hcd') >/dev/null ; then
        /sbin/modprobe -s ehci_hcd
     fi
     if !(lsmod | grep '^uhci_hcd') >/dev/null ; then
        /sbin/modprobe -s uhci_hcd
     fi
     if !(lsmod | grep '^usbhid')   >/dev/null ; then
        /sbin/modprobe -s usbhid
     fi

     hwclock --hctosys

When the script is invoked, the following messages are generated in 
/var/log/acpid:

     [Sun Jul  3 16:33:39 2005] received event "ibm/hotkey HKEY 00000080 00001004"
     [Sun Jul  3 16:33:39 2005] notifying client 2531[0:0]
     [Sun Jul  3 16:33:39 2005] notifying client 3068[500:500]
     [Sun Jul  3 16:33:39 2005] executing action "/etc/acpi/actions/thinkpad-T4x-suspend"
     [Sun Jul  3 16:33:39 2005] BEGIN HANDLER MESSAGES
     [Sun Jul  3 16:34:15 2005] END HANDLER MESSAGES
     [Sun Jul  3 16:34:15 2005] action exited with status 0
     [Sun Jul  3 16:34:15 2005] completed event "ibm/hotkey HKEY 00000080 00001004"
     [Sun Jul  3 16:34:15 2005] received event "processor CPU 00000081 00000000"
     [Sun Jul  3 16:34:15 2005] notifying client 2531[0:0]
     [Sun Jul  3 16:34:15 2005] notifying client 3068[500:500]
     [Sun Jul  3 16:34:15 2005] completed event "processor CPU 00000081 00000000"

And the following are generated in /var/log/audit/audit.log:

     type=PATH msg=audit(1120422820.446:4072964): item=1 flags=101  inode=357483 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=PATH msg=audit(1120422820.446:4072964): item=0 name="/sbin/hwclock" flags=101  inode=194377 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=Unknown msg=audit(1120422820.446:4072964):  cwd="/"
     type=AVC_PATH msg=audit(1120422820.446:4072964):  path="/var/log/acpid"
     type=AVC_PATH msg=audit(1120422820.446:4072964):  path="/var/log/acpid"
     type=AVC_PATH msg=audit(1120422820.446:4072964):  path="socket:[7894]"
     type=AVC_PATH msg=audit(1120422820.446:4072964):  path="socket:[10575]"
     type=SYSCALL msg=audit(1120422820.446:4072964): arch=40000003 syscall=11 success=yes exit=0 a0=9533338 a1=9533dd8 a2=9533738 a3=0 items=2 pid=28046 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hwclock" exe="/sbin/hwclock"
     type=AVC msg=audit(1120422820.446:4072964): avc:  denied  { read write } for  pid=28046 comm="hwclock" name="[10575]" dev=sockfs ino=10575 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
     type=AVC msg=audit(1120422820.446:4072964): avc:  denied  { read write } for  pid=28046 comm="hwclock" name="[7894]" dev=sockfs ino=7894 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
     type=AVC msg=audit(1120422820.446:4072964): avc:  denied  { append } for  pid=28046 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file
     type=AVC msg=audit(1120422820.446:4072964): avc:  denied  { append } for  pid=28046 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file
     type=PATH msg=audit(1120422852.678:4306524): item=1 flags=101  inode=357483 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=PATH msg=audit(1120422852.678:4306524): item=0 name="/sbin/hwclock" flags=101  inode=194377 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
     type=Unknown msg=audit(1120422852.678:4306524):  cwd="/"
     type=AVC_PATH msg=audit(1120422852.678:4306524):  path="/var/log/acpid"
     type=AVC_PATH msg=audit(1120422852.678:4306524):  path="/var/log/acpid"
     type=AVC_PATH msg=audit(1120422852.678:4306524):  path="socket:[7894]"
     type=AVC_PATH msg=audit(1120422852.678:4306524):  path="socket:[10575]"
     type=SYSCALL msg=audit(1120422852.678:4306524): arch=40000003 syscall=11 success=yes exit=0 a0=9534440 a1=95344d8 a2=9533738 a3=0 items=2 pid=28207 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hwclock" exe="/sbin/hwclock"
     type=AVC msg=audit(1120422852.678:4306524): avc:  denied  { read write } for  pid=28207 comm="hwclock" name="[10575]" dev=sockfs ino=10575 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
     type=AVC msg=audit(1120422852.678:4306524): avc:  denied  { read write } for  pid=28207 comm="hwclock" name="[7894]" dev=sockfs ino=7894 scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:apmd_t tclass=unix_stream_socket
     type=AVC msg=audit(1120422852.678:4306524): avc:  denied  { append } for  pid=28207 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file
     type=AVC msg=audit(1120422852.678:4306524): avc:  denied  { append } for  pid=28207 comm="hwclock" name="acpid" dev=dm-0 ino=909761 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:apmd_log_t tclass=file

Thanks.
-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

More information about the fedora-selinux-list mailing list