Getting SELinux AVC denials when apcupsd tries to trigger apccontrol events

Solution In Progress - Updated -

Issue

  • Getting SELinux AVC denials when apcupsd tries to trigger apccontrol events
  • The complete sealert message is:
SELinux is preventing /bin/bash from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep apccontrol /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apcupsd_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        apccontrol
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ***
Source RPM Packages           bash-4.1.2-15.el6_4.x86_64
Target RPM Packages           filesystem-2.4.30-3.el6.x86_64
Policy RPM                    selinux-policy-3.7.19-231.el6_5.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***
Platform                      Linux ***
                              2.6.32-431.29.2.el6.x86_64 #1 SMP Sun Jul 27
                              15:55:46 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Sep 16 18:17:49 2014
Last Seen                     Tue Sep 16 18:17:49 2014
Local ID                      67028753-d231-4d6a-b1dc-d7e746d5996c

Raw Audit Messages
type=AVC msg=audit(1410884269.275:4101): avc:  denied  { getattr } for  pid=10543 comm="apccontrol" name="/" dev=sda1 ino=2 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1410884269.275:4101): arch=x86_64 syscall=statfs success=no exit=EACCES a0=4b96ff a1=7fffc6342b90 a2=fffffffffff5c010 a3=1001 items=0 ppid=10542 pid=10543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=apccontrol exe=/bin/bash subj=system_u:system_r:apcupsd_t:s0 key=(null)

Hash: apccontrol,apcupsd_t,fs_t,filesystem,getattr

audit2allow

#============= apcupsd_t ==============
allow apcupsd_t fs_t:filesystem getattr;

audit2allow -R

#============= apcupsd_t ==============
allow apcupsd_t fs_t:filesystem getattr;
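
An added example, not part of the original article or of Red Hat's tooling: the Python code below parses AVC records such as the raw audit message above and derives the same allow rule that audit2allow printed, so the rules a local module would grant can be reviewed before loading it with semodule -i. The second log line, the function names and the per-command filter are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the sealert report above, plus one
# constructed record from a different process running in the same domain.
SAMPLE_LOG = """\
type=AVC msg=audit(1410884269.275:4101): avc:  denied  { getattr } for  pid=10543 comm="apccontrol" name="/" dev=sda1 ino=2 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1410884300.100:4102): avc:  denied  { read open } for  pid=10600 comm="apcupsd" name="example.conf" dev=sda1 ino=99 scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (comm, source_type, target_type, tclass, perms) per AVC denial."""
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m:
            yield (m["comm"], selinux_type(m["scon"]), selinux_type(m["tcon"]),
                   m["tclass"], frozenset(m["perms"].split()))

def allow_rules(log_text, comm=None):
    """Merge denials into allow rules, optionally for one command name only."""
    merged = defaultdict(set)
    for c, src, tgt, tclass, perms in parse_denials(log_text):
        if comm is None or c == comm:
            merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, comm="apccontrol"):
        print(rule)
```

Calling allow_rules without the comm filter shows every rule the apcupsd_t domain would gain from the log, which makes it easy to spot denials that a broad grep would pull into the module unintentionally.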

Environment

  • Red Hat Enterprise Linux 6.5
  • selinux-policy-3.7.19-231.el6_5.3.noarch
