Should this have been fixed in selinux-policy-targeted-1.27.1-2.2, or is
that still behind the Rawhide one?
This works from console but not from Fn-F3.
Thanks.
script:
#!/bin/sh
if [ "$(/usr/sbin/radeontool light)" = "The radeon backlight looks on" ];
then
/usr/sbin/radeontool light off
else
/usr/sbin/radeontool light on
fi
acpid.log:
---------
[Mon Sep 26 16:37:59 2005] received event "ibm/hotkey HKEY 00000080
00001003"
[Mon Sep 26 16:37:59 2005] notifying client 3001[500:500]
[Mon Sep 26 16:37:59 2005] executing action "/etc/acpi/actions/Fn-F3.sh"
[Mon Sep 26 16:37:59 2005] BEGIN HANDLER MESSAGES
can't open /dev/mem
Are you root?
can't open /dev/mem
Are you root?
[Mon Sep 26 16:37:59 2005] END HANDLER MESSAGES
[Mon Sep 26 16:37:59 2005] action exited with status 255
[Mon Sep 26 16:37:59 2005] completed event "ibm/hotkey HKEY 00000080
00001003"
audit.log:
---------
type=AVC msg=audit(1127767197.001:907558): avc: denied { read write }
for pid=6106 comm="radeontool" name="mem" dev=tmpfs ino=901
scontext=system_u:system_r:apmd_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.001:907558): arch=40000003 syscall=5
success=no exit=-13 a0=8049c06 a1=2 a2=bfca76e8 a3=bfca72f8 items=1
pid=6106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=CWD msg=audit(1127767197.001:907558): cwd="/"
type=PATH msg=audit(1127767197.001:907558): item=0 name="/dev/mem"
flags=101 inode=901 dev=00:0d mode=020640 ouid=0 ogid=9 rdev=01:01
type=AVC msg=audit(1127767197.066:908249): avc: denied { read write }
for pid=6108 comm="radeontool" name="mem" dev=tmpfs ino=901
scontext=system_u:system_r:apmd_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
type=SYSCALL msg=audit(1127767197.066:908249): arch=40000003 syscall=5
success=no exit=-13 a0=8049c06 a1=2 a2=bf952a78 a3=bf952688 items=1
pid=6108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="radeontool" exe="/usr/sbin/radeontool"
type=CWD msg=audit(1127767197.066:908249): cwd="/"
type=PATH msg=audit(1127767197.066:908249): item=0 name="/dev/mem"
flags=101 inode=901 dev=00:0d mode=020640 ouid=0 ogid=9 rdev=01:01
On Mon, 26 Sep 2005, Daniel J Walsh wrote:
Stephen Smalley wrote:
On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
Can nobody here help with this (and if not, where could I go for
assistance)? selinux-policy-targeted-1.27.1-2.1 does not solve the
problem.
From the audit messages you posted, I would have expected that:
- a new type would have been assigned to /usr/share/hwdata, and apmd_t
would have been allowed to read it.
I am making this change.
- tmp_domain(apmd_t) would have been added to enable it to create its
own temporary files under /tmp without disturbing anyone else's
temporary files.
Looking at the latest rawhide targeted policy (1.27.1-5), it looks like
the tmp_domain() has been added, it has been directly allowed to read
usr_t (which I would have preferred not doing) and it has been made
unconfined in targeted policy (which seems overkill). So I would expect
your scripts to work just fine with that policy, even though I'd still
favor adding a new type for /usr/share/hwdata and not making apmd_t
completely unconfined.
The problem is there is no standard scripts for this yet. Trying to lock
down acpid is a moving target at this time, until the distros settle on a
standard way of doing this. So until then it is better to run unconfined.
If in FC5 timeframe a standard
develops in Fedora, I will make the policy work and remove the
unconfined_domain.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
|
