Bug 440130 - =sec-policy/selinux-*-9999 stops acpid from starting
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Assignee: SE Linux Bugs
Reported: 2012-10-29 14:18 UTC by Alex Brandt (RETIRED)
Modified: 2012-10-29 19:01 UTC

Description Alex Brandt (RETIRED) gentoo-dev 2012-10-29 14:18:13 UTC
Looks like the current policies don't let acpid start due to the following AVCs:

type=AVC msg=audit(1351519964.719:14328): avc:  denied  { create } for  pid=27085 comm="acpid" ipaddr=50.56.228.64 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
type=SYSCALL msg=audit(1351519964.719:14328): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=10 a3=4000 items=0 ppid=27084 pid=27085 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1474 comm="acpid" exe="/usr/sbin/acpid" subj=system_u:system_r:initrc_t key=(null)
type=AVC msg=audit(1351519964.719:14329): avc:  denied  { create } for  pid=27085 comm="acpid" ipaddr=50.56.228.64 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
type=SYSCALL msg=audit(1351519964.719:14329): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=10 a3=a8ebddf2e2 items=0 ppid=27084 pid=27085 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1474 comm="acpid" exe="/usr/sbin/acpid" subj=system_u:system_r:initrc_t key=(null)
type=AVC msg=audit(1351519964.719:14330): avc:  denied  { create } for  pid=27085 comm="acpid" name="acpid.socket" ipaddr=50.56.228.64 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1351519964.719:14330): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=73bb30fbfc40 a2=6e a3=ffffff00 items=1 ppid=27084 pid=27085 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1474 comm="acpid" exe="/usr/sbin/acpid" subj=system_u:system_r:initrc_t key=(null)

I'm curious as to why acpid runs in initrc_t when trying to create this socket as well.  I assume it's because there is no acpid policy yet?  Would it make sense to create a policy for acpid?  If so let me know and I'll whip one together; otherwise, I'll continue to help troubleshoot why this isn't starting (beyond the socket creation).

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-29 16:10:25 UTC
The acpi daemon should be handled by the apm module.
Comment 2 Alex Brandt (RETIRED) gentoo-dev 2012-10-29 18:26:33 UTC
You are correct, sir.  In that case it looks like acpid simply needs to depend on selinux-apm.  It works correctly with that module loaded.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-29 19:01:03 UTC
Thanks; I added selinux-apm as a dependency to acpid.
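
The diagnosis in this thread hinges on the source context: acpid was denied while still running as initrc_t, which is what a daemon looks like when the module that confines it is not loaded. The following Python example is added here and is not part of the bug report or of Gentoo's policy; it picks such denials out of audit records. The sample records are constructed in the format of the AVC lines above, and `exampled` / `exampled_t` are hypothetical names used only for contrast.

```python
import re
from collections import defaultdict

# Constructed sample records in the format of the denials in the report; the
# last one, from a hypothetical confined domain exampled_t, is for contrast.
SAMPLE = '''\
type=AVC msg=audit(1351519964.719:14328): avc:  denied  { create } for  pid=27085 comm="acpid" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
type=AVC msg=audit(1351519964.719:14330): avc:  denied  { create } for  pid=27085 comm="acpid" name="acpid.socket" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=sock_file
type=AVC msg=audit(1351519970.100:14400): avc:  denied  { read write } for  pid=300 comm="exampled" scontext=system_u:system_r:exampled_t tcontext=system_u:object_r:var_run_t tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield one dict per AVC denial; other record types (SYSCALL, ...) are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if line.startswith("type=AVC") and m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["stype"] = context_type(d["scontext"])
            d["ttype"] = context_type(d["tcontext"])
            yield d

def stuck_in_initrc(text, init_domain="initrc_t"):
    """Map comm -> set of (perm, tclass, target type) denied while the process
    was still in the init script domain, i.e. no domain transition happened."""
    found = defaultdict(set)
    for d in parse_denials(text):
        if d["stype"] == init_domain:
            for perm in d["perms"]:
                found[d["comm"]].add((perm, d["tclass"], d["ttype"]))
    return dict(found)

if __name__ == "__main__":
    for comm, denials in stuck_in_initrc(SAMPLE).items():
        print(f"{comm}: running as initrc_t, check that its policy module is loaded")
        for perm, tclass, ttype in sorted(denials):
            print(f"  denied {perm} on {tclass} ({ttype})")
```

A hit from this check points at a missing module or dependency, as it did here with selinux-apm, rather than at a need for new allow rules on initrc_t.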